ansible-role-linux-firewall/tasks/plain-iptables.yml

---
- block:
  - name: Install the needed iptables packages
    apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800

  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
    with_items:
      - rules.v4
      - rules.v6
    when:
      - ansible_distribution == 'Ubuntu'
      - ansible_distribution_version is version_compare('14.04', '==')
    register: install_iptables_rules_trusty

  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
    with_items:
      - rules.v4
      - rules.v6
    when: ansible_distribution_release == "wheezy"
    register: install_iptables_rules_deb7

  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
    with_items:
      - rules.v4
      - rules.v6
    when: ansible_distribution_release == "jessie"
    register: install_netfilter_rules

  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
    with_items:
      - rules.v4
      - rules.v6
    when:
      - ansible_distribution == 'Ubuntu'
      - ansible_distribution_major_version >= '16'
    register: install_netfilter_rules

  - name: Load the nf_conntrack_ftp module when FTP is enabled
    ansible.builtin.modprobe:
      name: nf_conntrack_ftp
      state: present
    when: vsftpd_iptables_rules is defined and vsftpd_iptables_rules

  - name: Load the nf_conntrack_tftp module when TFTP is enabled
    ansible.builtin.modprobe:
      name: nf_conntrack_tftp
      state: present
    when: tftp_server_iptables_rules is defined and tftp_server_iptables_rules

  - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
    service: name=iptables-persistent state=restarted enabled=yes
    register: restart_related_t
    notify: Restart fail2ban after an iptables restart
    when: install_iptables_rules_trusty is changed
    ignore_errors: true

  - name: Start the iptables service on Trusty explicitly running the sysv script
    shell: /etc/init.d/iptables-persistent restart
    register: restart_related_t
    notify: Restart fail2ban after an iptables restart
    when: install_iptables_rules_trusty is changed
    ignore_errors: true

  - name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
    service: name=iptables-persistent state=restarted enabled=yes
    register: restart_related_d7
    notify: Restart fail2ban after an iptables restart
    when: install_iptables_rules_deb7 is changed

  - name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
    service: name=netfilter-persistent state=restarted enabled=yes
    register: restart_related_x
    notify: Restart fail2ban after an iptables restart
    when: install_netfilter_rules is changed

  - name: Check if the fail2ban service is present
    stat: path=/usr/bin/fail2ban-server
    register: fail2ban_installed

  - name: Restart fail2ban after an iptables restart on Ubunt Trusty
    service: name=fail2ban state=restarted enabled=yes
    when:
      - fail2ban_installed.stat.exists
      - restart_related_t is changed 

  - name: Restart fail2ban after an iptables restart on debian 7
    service: name=fail2ban state=restarted enabled=yes
    when:
      - fail2ban_installed.stat.exists
      - restart_related_d7 is changed 

  - name: Restart fail2ban after an iptables restart on Ubuntu Xenial
    service: name=fail2ban state=restarted enabled=yes
    when:
      - fail2ban_installed.stat.exists
      - restart_related_x is changed 

  - name: Check if the docker service is present
    stat: path=/usr/bin/dockerd
    register: dockerd_installed

  - name: Restart docker after an iptables restart on Ubuntu Trusty
    service: name=docker state=restarted enabled=yes
    when:
      - dockerd_installed.stat.exists
      - restart_related_t is changed 

  - name: Restart docker after an iptables restart on Ubuntu Xenial
    service: name=docker state=restarted enabled=yes
    when:
      - dockerd_installed.stat.exists
      - restart_related_x is changed 

  tags: [ 'iptables', 'iptables_rules' ]