From 9521affbdb4993b22c09457de0adacd9fa87c827 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Mon, 2 Oct 2023 19:49:40 +0200 Subject: [PATCH] Stop the iptables service when disabled. --- handlers/main.yml | 3 +-- meta/main.yml | 20 +++++++++----------- tasks/disable-plain-iptables.yml | 14 ++++++++++++++ tasks/iptables-packages.yml | 8 ++++++++ tasks/main.yml | 19 ++++++++++++++++--- tasks/plain-iptables.yml | 3 --- 6 files changed, 48 insertions(+), 19 deletions(-) create mode 100644 tasks/disable-plain-iptables.yml create mode 100644 tasks/iptables-packages.yml diff --git a/handlers/main.yml b/handlers/main.yml index c7525d7..07eecbe 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Start the iptables service service: name=iptables-persistent state=restarted enabled=yes - notify: Restart fail2ban + notify: Restart fail2ban after an iptables restart - name: Start the netfilter service service: name=netfilter-persistent state=restarted enabled=yes @@ -30,4 +30,3 @@ when: - fail2ban_enabled is defined and fail2ban_enabled - centos_install_epel - diff --git a/meta/main.yml b/meta/main.yml index 215569d..095018b 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,25 +1,23 @@ galaxy_info: author: Andrea Dell'Amico - description: Systems Architect + description: Linux firewall rules (netfilter-persistent or firewalld) company: ISTI-CNR - - issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning - + namespace: adellam + role_name: linux_firewall license: EUPL 1.2+ - - min_ansible_version: 2.8 - - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # + min_ansible_version: "2.9" platforms: - name: Ubuntu versions: - trusty - bionic + - focal + - jammy - name: EL versions: - - 7 + - "7" + - "8" + - "9" galaxy_tags: - firewall diff --git a/tasks/disable-plain-iptables.yml b/tasks/disable-plain-iptables.yml new file mode 100644 index 0000000..848984e 
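Review bot: The `Start the iptables service` handler now notifies `Restart fail2ban after an iptables restart`, but no handler of that name is added or visible anywhere in this patch; if handlers/main.yml does not define one, Ansible aborts the play the first time the notification fires instead of restarting fail2ban. The only fail2ban notification visible elsewhere in the change, in the new tasks/disable-plain-iptables.yml, still uses the old name `Restart fail2ban`, so either the new handler should be added in the same commit or the notify kept as `notify: Restart fail2ban`. Because this is a handler notifying another handler, a one-line comment above the notify would help future readers, e.g. `# fail2ban must re-create its chains after iptables-persistent reloads the ruleset`. The second hunk of this file only drops a trailing blank line.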
--- /dev/null
+++ b/tasks/disable-plain-iptables.yml
@@ -0,0 +1,14 @@
+---
+- name: disable-plain-iptables | Stop the iptables firewall
+ tags: ['iptables', 'iptables_rules']
+ block:
+ - name: disable-plain-iptables | Flush the iptables rules
+ ansible.builtin.command: /usr/sbin/netfilter-persistent flush
+ ignore_errors: true
+
+ - name: disable-plain-iptables | Stop and disable the netfilter service
+ ansible.builtin.service:
+ name: netfilter-persistent
+ state: stopped
+ enabled: false
+ notify: Restart fail2ban
diff --git a/tasks/iptables-packages.yml b/tasks/iptables-packages.yml
new file mode 100644
index 0000000..ab0840a
--- /dev/null
+++ b/tasks/iptables-packages.yml
@@ -0,0 +1,8 @@
+---
+- name: iptables-packages | Manage the iptables packages
+ block:
+ - name: iptables-packages | Install the needed iptables packages
+ ansible.builtin.apt:
+ pkg: "{{ iptables_deb_pkgs }}"
+ state: present
+ cache_valid_time: 1800
diff --git a/tasks/main.yml b/tasks/main.yml
index 1dc306e..b7ad18c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,9 +1,22 @@
 ---
-- import_tasks: plain-iptables.yml
+- name: Iptables packages
+ ansible.builtin.import_tasks: iptables-packages.yml
+ when:
+ - ansible_distribution_file_variety == "Debian"
+- name: Plain iptables
+ ansible.builtin.import_tasks: plain-iptables.yml
 when:
 - iptables_persistent_enabled
 - ansible_distribution_file_variety == "Debian"
-- import_tasks: firewalld_rules.yml
+- name: Disable iptables
+ ansible.builtin.import_tasks: disable-plain-iptables.yml
+ when:
+ - not iptables_persistent_enabled
+ - ansible_distribution_file_variety == "Debian"
+ - ansible_distribution_version is version_compare('16.04', '>=')
+- name: Firewalld rules
+ ansible.builtin.import_tasks: firewalld_rules.yml
 when: ansible_distribution_file_variety == "RedHat"
-- import_tasks: firewalld_disable.yml
+- name: Disable firewalld
+ ansible.builtin.import_tasks: firewalld_disable.yml
 when: ansible_distribution_file_variety == "RedHat"
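Review bot: `ansible.builtin.command: /usr/sbin/netfilter-persistent flush` combined with `ignore_errors: true` means a failed flush is merely reported while the next task still stops and disables the unit, so a host can end up with the service disabled but the previously loaded rules still in the kernel, without the run failing. If continuing really is acceptable, `failed_when: false` is the cleaner spelling; otherwise let the task fail, and in either case add `changed_when: false` or run the flush only when the service is reported active, because `command` reports changed on every run and makes this block non-idempotent. Since the flush presumably removes every rule this role loaded, a comment above the task stating that the host is intentionally left without this role's packet filtering after the block runs, e.g. `# Drops all rules loaded by netfilter-persistent; nothing in this role filters traffic afterwards`, would make the intent clear to operators reading the play.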
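Review bot: The `block:` under `iptables-packages | Manage the iptables packages` wraps a single task and carries no `when`, `tags`, `rescue` or `always`, so it only adds a nesting level; the apt task could be the list item itself. If the block is kept, giving it the same `tags: ['iptables', 'iptables_rules']` used in tasks/disable-plain-iptables.yml would let tag-limited runs still install the packages the flush and rules tasks depend on. tasks/main.yml now imports this file on every Debian-family host regardless of `iptables_persistent_enabled`, which appears deliberate since the disable path needs netfilter-persistent installed; a comment saying so, e.g. `# Installed even when iptables is disabled: netfilter-persistent is needed to flush the rules`, would stop a later cleanup from re-gating it.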
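Review bot: The `Disable iptables` import is gated on `ansible_distribution_version is version_compare('16.04', '>=')`, an Ubuntu release number, but the sibling condition `ansible_distribution_file_variety == "Debian"` also matches Debian proper, whose version fact is a bare major release (e.g. `12`) and compares below 16.04, so on such hosts netfilter-persistent would keep running when `iptables_persistent_enabled` is false. If Debian is (or may become) a target, restrict the check to Ubuntu, e.g. `- ansible_distribution != "Ubuntu" or ansible_distribution_version is version('16.04', '>=')`, and prefer the `version` test name over the older `version_compare` alias. Trusty (14.04), still listed under platforms in meta/main.yml, is likewise excluded by this gate, so a disabled iptables on trusty keeps its rules loaded; a comment above the condition would be worthwhile if that is intentional.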
diff --git a/tasks/plain-iptables.yml b/tasks/plain-iptables.yml index 9eca6b5..94f8a8d 100644 --- a/tasks/plain-iptables.yml +++ b/tasks/plain-iptables.yml @@ -1,8 +1,5 @@ --- - block: - - name: Install the needed iptables packages - apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800 - - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 with_items: