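---
# Demonstration playbook: runs a set of TCP and UDP client commands against the
# local host for four port states (nothing listening, REJECT, DROP, a listener)
# and renders a Markdown report from the registered command results.
#
# NOTE(review): the marker tokens that the original file embedded in every
# command string (and passed to the replace() filters) were lost when this page
# was extracted, leaving empty strings behind; `replace('', x)` would insert x
# between every character. __TARGET__ and __PORT__ below are constructed
# stand-ins and the argument order of each command is inferred — restore the
# project's original markers and check every command before running this.
- hosts: localhost
  # Play-wide: a failure of ANY task is ignored, including package installation
  # and the iptables setup, so a broken prerequisite still yields a report.
  # Consider scoping ignore_errors to the "Tests ..." tasks only.
  ignore_errors: true
  vars:
    target: "127.0.0.1"
    # Ports stay strings: they are only substituted into command lines and
    # iptables parameters, never used arithmetically.
    tcp_notlistening: "60001"
    tcp_reject: "60000"
    tcp_drop: "60020"
    tcp_listening: "60040"
    udp_notlistening: "60011"
    udp_reject: "60010"
    udp_drop: "60030"
    udp_listening: "60050"
    # Client commands; __TARGET__ / __PORT__ are substituted per test task.
    # nmap is invoked below but is not in the package list installed by the
    # first task; `sudo` inside a command string also bypasses `become`.
    tcp_commands:
      - "telnet __TARGET__ __PORT__"
      - "nc -t -v __TARGET__ __PORT__"
      - "bash -c 'exec 3<>/dev/tcp/__TARGET__/__PORT__'"
      - "zsh -c 'autoload -U tcp_open;tcp_open __TARGET__ __PORT__'"
      - "nmap -v -sT -p __PORT__ __TARGET__"
      - "sudo traceroute -T -N 1 -m 1 -q 1 -p __PORT__ -O info __TARGET__"
      - "openssl s_client -connect __TARGET__:__PORT__"
      - "ssh -p __PORT__ __TARGET__"
      - "perl -e 'use IO::Socket::INET;new IO::Socket::INET ( PeerHost => \"__TARGET__\", PeerPort => \"__PORT__\", Proto => \"tcp\",) or die \"ERROR in Socket Creation : $!\\n\";'"
      - "python3 -c 'import socket;socket.socket().connect((\"__TARGET__\",__PORT__))'"
      - "ruby -e 'require \"socket\";s = TCPSocket.open(\"__TARGET__\", __PORT__)'"
      - "curl -v -s --max-time 60 'http://__TARGET__:__PORT__'"
      - "wget --timeout=60 --tries=1 'http://__TARGET__:__PORT__'"
      - "links -dump http://__TARGET__:__PORT__"
    udp_commands:
      - "sh -c 'echo coin|nc -u -v -w10 __TARGET__ __PORT__'"
      - "bash -c 'exec 3<>/dev/udp/__TARGET__/__PORT__; echo coin >&3; sleep 10'"
      - "traceroute -U -N 1 -m 1 -q 1 -p __PORT__ __TARGET__"
      - "sudo nmap -v -sU -p __PORT__ __TARGET__"
    # INPUT rules added for the demo and removed again by the last task; they
    # are bound to `target` only, so other addresses are not filtered.
    ip_filtering:
      - { protocol: "tcp", method: "REJECT", dport: "{{ tcp_reject }}" }
      - { protocol: "tcp", method: "DROP", dport: "{{ tcp_drop }}" }
      - { protocol: "udp", method: "REJECT", dport: "{{ udp_reject }}" }
      - { protocol: "udp", method: "DROP", dport: "{{ udp_drop }}" }

  tasks:
    # The package module accepts a list, which installs in one transaction
    # instead of one invocation per package.
    - name: "Paquets pour la démo (en tout cas sur une Debian Sid)"
      package:
        name:
          - zsh
          - netcat-openbsd
          - telnet
          - bash
          - openssl
          - openssh-client
          - perl-base
          - python3-minimal
          - ruby
          - curl
          - wget
          - links
          - traceroute
        state: present
      become: true
      tags: ['always']

    - name: "Mise en place du filtrage IP"
      iptables:
        chain: "INPUT"
        destination: "{{ target }}"
        state: present
        jump: "{{ item.method }}"
        protocol: "{{ item.protocol }}"
        destination_port: "{{ item.dport }}"
      become: true
      with_items: "{{ ip_filtering }}"
      tags: ['always']

    # Listeners are detached with setsid so they outlive the task's shell; the
    # matching "Nettoyage" tasks at the end stop them (same tags).
    - name: "Serveur TCP en écoute"
      shell: "setsid nc -t -p {{ tcp_listening }} -l -w0 -k &"
      changed_when: false
      tags: ['tcp']

    - name: "Serveur UDP en écoute"
      shell: "setsid nc -u -p {{ udp_listening }} -l -w0 -k &"
      changed_when: false
      tags: ['udp']

    # Each test task substitutes the markers item by item with map('replace')
    # rather than calling replace() on the whole list, which only works through
    # Jinja's string cast and Ansible's string-to-list coercion of the result.
    - name: "Tests TCP rien en écoute"
      command: "{{ item }} "
      changed_when: false
      register: cmd_tcp_notlistening
      with_items: "{{ tcp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', tcp_notlistening) | list }}"
      tags: ['tcp', 'notlistening', 'tcp_notlistening']

    - name: "Tests TCP avec rejet"
      command: "{{ item }} "
      changed_when: false
      register: cmd_tcp_reject
      with_items: "{{ tcp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', tcp_reject) | list }}"
      tags: ['tcp', 'reject', 'tcp_reject']

    - name: "Tests TCP avec drop"
      command: "{{ item }} "
      changed_when: false
      register: cmd_tcp_drop
      with_items: "{{ tcp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', tcp_drop) | list }}"
      tags: ['tcp', 'drop', 'tcp_drop']

    - name: "Tests TCP en écoute"
      command: "{{ item }} "
      changed_when: false
      register: cmd_tcp_listening
      with_items: "{{ tcp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', tcp_listening) | list }}"
      tags: ['tcp', 'listening', 'tcp_listening']

    - name: "Tests UDP rien en écoute"
      command: "{{ item }} "
      changed_when: false
      register: cmd_udp_notlistening
      with_items: "{{ udp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', udp_notlistening) | list }}"
      tags: ['udp', 'notlistening', 'udp_notlistening']

    - name: "Tests UDP avec rejet"
      command: "{{ item }} "
      changed_when: false
      register: cmd_udp_reject
      with_items: "{{ udp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', udp_reject) | list }}"
      tags: ['udp', 'reject', 'udp_reject']

    - name: "Tests UDP avec drop"
      command: "{{ item }} "
      changed_when: false
      register: cmd_udp_drop
      with_items: "{{ udp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', udp_drop) | list }}"
      tags: ['udp', 'drop', 'udp_drop']

    - name: "Tests UDP en écoute"
      command: "{{ item }} "
      changed_when: false
      register: cmd_udp_listening
      with_items: "{{ udp_commands | map('replace', '__TARGET__', target) | map('replace', '__PORT__', udp_listening) | list }}"
      tags: ['udp', 'listening', 'udp_listening']

    # The template presumably reads the cmd_* registered results above — verify
    # against the .j2 file. mode is quoted: unquoted 0644 is parsed as an
    # integer by YAML.
    - name: "Rapport"
      template:
        src: "InternetEstCassé.md.j2"
        dest: "./InternetEstCassé.md"
        mode: "0644"
      tags: ['always']

    # pkill -f matches anywhere in a process command line; the pattern mirrors
    # the exact listener invocation above (through "-l") to avoid killing an
    # unrelated nc.
    - name: "Nettoyage d'éventuel précédent serveur TCP en écoute"
      command: "pkill -f 'nc -t -p {{ tcp_listening }} -l'"
      changed_when: false
      tags: ['tcp']

    - name: "Nettoyage d'éventuel précédent serveur UDP en écoute"
      command: "pkill -f 'nc -u -p {{ udp_listening }} -l'"
      changed_when: false
      tags: ['udp']

    # Removes exactly the rules the setup task added (same parameters).
    - name: "Nettoyage du filtrage IP"
      iptables:
        chain: "INPUT"
        destination: "{{ target }}"
        state: absent
        jump: "{{ item.method }}"
        protocol: "{{ item.protocol }}"
        destination_port: "{{ item.dport }}"
      become: true
      with_items: "{{ ip_filtering }}"
      tags: ['always']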