ansible-role-linux-firewall/tasks/plain-iptables.yml

108 lines
4.2 KiB
YAML

---
- block:
- name: Install the needed iptables packages
apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
- name: Create the /etc/iptables directory when needed
file: dest=/etc/iptables state=directory owner=root group=root mode=0755
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
with_items:
- rules.v4
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
notify: Start the iptables service on Ubuntu < 12.04
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_trusty
register: install_iptables_rules_trusty
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian7
register: install_iptables_rules_deb7
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian8
register: install_netfilter_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_major_version >= '16'
register: install_netfilter_rules
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes
register: restart_related_t
notify: Restart fail2ban after an iptables restart
when: install_iptables_rules_trusty is changed
- name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes
register: restart_related_d7
notify: Restart fail2ban after an iptables restart
when: install_iptables_rules_deb7 is changed
- name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
service: name=netfilter-persistent state=restarted enabled=yes
register: restart_related_x
notify: Restart fail2ban after an iptables restart
when: install_netfilter_rules is changed
- name: Check if the fail2ban service is present
stat: path=/usr/bin/fail2ban-server
register: fail2ban_installed
- name: Restart fail2ban after an iptables restart on Ubunt Trusty
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_t is changed
- name: Restart fail2ban after an iptables restart on debian 7
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_d7 is changed
- name: Restart fail2ban after an iptables restart on Ubuntu Xenial
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_x is changed
- name: Check if the docker service is present
stat: path=/usr/bin/dockerd
register: dockerd_installed
- name: Restart docker after an iptables restart on Ubuntu Trusty
service: name=docker state=restarted enabled=yes
when:
- dockerd_installed.stat.exists
- restart_related_t is changed
- name: Restart docker after an iptables restart on Ubuntu Xenial
service: name=docker state=restarted enabled=yes
when:
- dockerd_installed.stat.exists
- restart_related_x is changed
tags: [ 'iptables', 'iptables_rules' ]