Merge pull request 'the iptables and firewalld roles have been merged into 'linux-firewall'.' (#224) from adellam/ansible-roles:master into master

2020-07-10 19:09:31 +02:00 · 2020-07-10 19:09:31 +02:00 · 4c31b4ec53
parent b380800b64 139b3068dc
commit 4c31b4ec53
16 changed files with 30 additions and 800 deletions
--- a/library/bootstrap-roles/centos-common/meta/main.yml
+++ b/library/bootstrap-roles/centos-common/meta/main.yml
@ -6,9 +6,19 @@ dependencies:
  - role: '../../library/roles/sshd_config'
  - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
  - { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
-  - role: '../../library/centos/roles/firewalld'
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
+    version: master
+    name: linux-firewall
+    state: latest
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
+    version: master
+    name: letsencrypt-acme-sh-client
+    state: latest
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+    version: master
+    name: zabbix-agent
+    state: latest
+    when: zabbix_agent_install is defined and zabbix_agent_install
  - role: '../../library/centos/roles/fail2ban'
  - { role: '../../library/roles/cloud-init', when:  ansible_product_name == "oVirt Node" }
-  - { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
-  - { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
  - { role: '../../library/centos/roles/prometheus-node-exporter', when: prometheus_enabled }
--- a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
+++ b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
@ -4,9 +4,19 @@ dependencies:
  - role: '../../library/roles/rsyslog'
  - { role: '../../library/roles/cloud-init', when:  ansible_product_name == "oVirt Node" }
  - role: '../../library/roles/tmpreaper'
-  - role: '../../library/roles/iptables'
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
+    version: master
+    name: linux-firewall
+    state: latest
  - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
  - role: '../../library/roles/sshd_config'
-  - { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
-  - { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
+    version: master
+    name: letsencrypt-acme-sh-client
+    state: latest
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+    version: master
+    name: zabbix-agent
+    state: latest
+    when: zabbix_agent_install is defined and zabbix_agent_install
  - { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled }
--- a/library/centos/roles/firewalld/defaults/main.yml
+++ b/library/centos/roles/firewalld/defaults/main.yml
@ -1,19 +0,0 @@
---
-firewalld_enabled: True
-firewalld_default_zone: public
-firewalld_ssh_enabled_on_default_zone: True
-
-firewalld_rules:
-#  - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
-#  - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
-#  - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
-
-#firewalld_new_services:
-#  - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
-
-# We execute direct rules as they are written
-# firewalld_direct_rules:
-#   - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
-
-# firewalld_zones_interfaces:
-#  - { interface: 'eth1', zone: 'internal' }
--- a/library/centos/roles/firewalld/files/mosh.xml
+++ b/library/centos/roles/firewalld/files/mosh.xml
@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<service>
-  <short>Mosh SSH service</short>
-  <description>This allows mosh to send and receive datagram connections.</description>
-  <port protocol="udp" port="60000"/>
-  <port protocol="udp" port="60001"/>
-  <port protocol="udp" port="60002"/>
-  <port protocol="udp" port="60003"/>
-  <port protocol="udp" port="60004"/>
-  <port protocol="udp" port="60005"/>
-  <port protocol="udp" port="60006"/>
-  <port protocol="udp" port="60007"/>
-  <port protocol="udp" port="60008"/>
-  <port protocol="udp" port="60009"/>
-  <port protocol="udp" port="60010"/>
-</service>
--- a/library/centos/roles/firewalld/files/traceroute.xml
+++ b/library/centos/roles/firewalld/files/traceroute.xml
@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<service>
-  <short>ports needed by traceroute</short>
-  <description>This allows the host to be reached by traceroute.</description>
-  <port protocol="udp" port="33434"/>
-  <port protocol="udp" port="33523"/>
-</service>
--- a/library/centos/roles/firewalld/handlers/main.yml
+++ b/library/centos/roles/firewalld/handlers/main.yml
@ -1,16 +0,0 @@
---
- name: Enable and start firewalld
-  service: name=firewalld state=started enabled=yes
-  when: firewalld_enabled
-
- name: Reload firewall config
-  command: firewall-cmd --reload
-  notify: Restart fail2ban
-  when: firewalld_enabled
-
- name: Restart fail2ban
-  service: name=fail2ban state=restarted
-  when:
-    - fail2ban_enabled is defined and fail2ban_enabled
-    - centos_install_epel
-
--- a/library/centos/roles/firewalld/tasks/disable_firewalld.yml
+++ b/library/centos/roles/firewalld/tasks/disable_firewalld.yml
@ -1,5 +0,0 @@
---
- name: Ensure that the firewalld service is stopped and disabled if we do not want it
-  service: name=firewalld state=stopped enabled=no
-  when: not firewalld_enabled | bool
-  tags: [ 'iptables', 'firewall', 'firewalld' ] 
--- a/library/centos/roles/firewalld/tasks/firewalld_rules.yml
+++ b/library/centos/roles/firewalld/tasks/firewalld_rules.yml
@ -1,91 +0,0 @@
---
- block:
-  - name: Ensure that the service is enabled and started
-    service: name=firewalld state=started enabled=yes
-    notify: Restart fail2ban
-
-  - name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
-    firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
-    when: firewalld_ssh_enabled_on_default_zone | bool
-
-  - name: Set the firewalld default zone.
-    command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
-
-  - name: Add sources to the availability zones, if any
-    firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
-    with_items: '{{ firewalld_src_rules | default([]) }}'
-
-  - name: Assign interfaces to firewalld zones if needed
-    firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent | default(True) }} state={{ item.state | default('enabled') }} immediate=True
-    with_items: '{{ firewalld_zones_interfaces | default([]) }}'
-    when:
-      - firewalld_zones_interfaces is defined
-      - item.interface is defined
-      - item.zone is defined
-    
-  - name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
-    firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
-    with_items: '{{ firewalld_rules }}'
-    when:
-      - firewalld_rules is defined
-      - item.service is defined
-
-  - name: Save the ports firewalld rules that need to be permanent
-    firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
-    with_items: '{{ firewalld_rules }}'
-    when:
-      - firewalld_rules is defined
-      - item.port is defined
-      - item.protocol is defined
-
-  - name: Save the rich_rules firewalld rules that need to be permanent
-    firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
-    with_items: '{{ firewalld_rules }}'
-    when:
-      - firewalld_rules is defined
-      - item.rich_rule is defined
-    notify: Reload firewall config
-
-  - name: Enable the firewall-cmd direct passthrough rules
-    shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd  --direct --passthrough {{ item.action }}
-    with_items: '{{ firewalld_direct_rules }}'
-    args:
-      creates: /etc/firewalld/.{{ item.label }}
-    when:
-      - firewalld_direct_rules is defined
-      - item.action is defined
-
-  - name: Set the firewall-cmd direct passthrough rules as permanent ones
-    command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
-    with_items: '{{ firewalld_direct_rules }}'
-    when:
-      - firewalld_direct_rules is defined
-      - item.action is defined
-
-  - name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
-    command: firewall-cmd --new-service={{ item.name }} --permanent
-    args:
-      creates: '/etc/firewalld/services/{{ item.name }}.xml'
-    with_items: '{{ firewalld_new_services }}'
-    when: firewalld_new_services is defined
-    notify: Reload firewall config
-
-  - name: Install the custom firewall services
-    copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml
-    with_items: '{{ firewalld_new_services }}'
-    when: firewalld_new_services is defined
-    notify: Reload firewall config
-
-  - name: Manage the custom services firewalld rules.
-    firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
-    with_items: '{{ firewalld_new_services }}'
-    when:
-      - firewalld_new_services is defined
-      - item.name is defined
-    notify: Reload firewall config
-
-  # Last one to not take ourselves out
-  - name: Set the firewalld default zone.
-    command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
-
-  tags: [ 'iptables', 'firewall', 'firewalld' ]
--- a/library/centos/roles/firewalld/tasks/main.yml
+++ b/library/centos/roles/firewalld/tasks/main.yml
@ -1,7 +0,0 @@
---
- import_tasks: firewalld_rules.yml
-  when: firewalld_enabled | bool
-
- import_tasks: disable_firewalld.yml
-  when: not firewalld_enabled | bool
-  
--- a/library/roles/iptables/defaults/main.yml
+++ b/library/roles/iptables/defaults/main.yml
@ -1,63 +0,0 @@
---
-iptables_deb_pkgs:
-  - iptables
-  - iptables-persistent
-
-#
-# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
-#
-#pg_allowed_hosts:
-#  - 146.48.123.17/32
-#  - 146.48.122.110/32
-#
-#munin_server:
-#  - 146.48.122.15
-#  - 146.48.87.88
-#http_port: 80
-#http_allowed_hosts:
-#  - 1.2.3.4/24
-#https_port: 443
-#https_allowed_hosts:
-#  - 0.0.0.0/0
-#
-# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
-# iptables:
-#   tcp_rules: True
-#   tcp:
-#     - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
-#     - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
-#     - { port: '80' }
-#   udp_rules: True
-#   udp:
-#     - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
-
-# munin_server:
-# - 146.48.122.15
-# - 146.48.87.88
-
-#nagios_monitoring_server_ip: 146.48.123.23
-#mongodb:
-#  start_server: 'yes'
-#  tcp_port: 27017
-#  allowed_hosts:
-#    - 146.48.123.100/32
-
-#iptables_default_policy: REJECT
-iptables_default_policy: ACCEPT
-iptables_nat_enabled: False
-iptables_nat_specify_interfaces: True
-iptables_post_nat_enabled: False
-iptables_nat_interfaces:
-  - '{{ ansible_default_ipv4.interface }}'
-iptables_input_default_policy: '{{ iptables_default_policy }}'
-iptables_forward_default_policy: '{{ iptables_default_policy }}'
-iptables_banned_default_policy: DROP
-iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
-iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
-ganglia_enabled: False
-nagios_enabled: False
-iptables_open_all_to_isti_nets: False
-tomcat_cluster_enabled: False
-# Another variable needs to be defined before the db rules are set
-psql_firewall_enabled: True
-mysql_firewall_enabled: True
--- a/library/roles/iptables/handlers/main.yml
+++ b/library/roles/iptables/handlers/main.yml
@ -1,25 +0,0 @@
---
- name: Start the iptables service
-  service: name=iptables-persistent state=restarted enabled=yes
-  notify: Restart fail2ban
-
- name: Start the netfilter service
-  service: name=netfilter-persistent state=restarted enabled=yes
-  when: is_debian8
-  notify: Restart fail2ban
-
- name: Flush the iptables rules
-  command: /etc/init.d/iptables-persistent flush
-  ignore_errors: true
-
- name: Start the iptables service on Ubuntu < 12.04
-  command: /etc/init.d/iptables-persistent start
-  ignore_errors: true
-
- name: Stop the iptables service on Ubuntu < 12.04
-  command: /etc/init.d/iptables-persistent stop
-  ignore_errors: true
-
- name: Restart fail2ban after an iptables restart
-  service: name=fail2ban state=restarted enabled=yes
-  when: has_fail2ban
--- a/library/roles/iptables/meta/main.yml
+++ b/library/roles/iptables/meta/main.yml
@ -1,4 +0,0 @@
---
-dependencies:
-  - { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
-  - { role: '../../library/roles/postfix-relay', when: postfix_relay_server is defined and postfix_relay_server }
--- a/library/roles/iptables/tasks/main.yml
+++ b/library/roles/iptables/tasks/main.yml
@ -1,127 +0,0 @@
---
- block:
-  - name: Install the needed iptables packages
-    apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
-
-  - name: Create the /etc/iptables directory when needed
-    file: dest=/etc/iptables state=directory owner=root group=root mode=0755
-    when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
-    
-  - name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
-    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
-    with_items:
-      - rules.v4
-    when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
-    notify: Start the iptables service on Ubuntu < 12.04
-
-  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
-    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
-    with_items:
-      - rules.v4
-      - rules.v6
-    when: is_precise
-    register: install_iptables_rules_precise
-
-  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
-    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
-    with_items:
-      - rules.v4
-      - rules.v6
-    when: is_trusty
-    register: install_iptables_rules_trusty
-
-  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
-    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
-    with_items:
-      - rules.v4
-      - rules.v6
-    when: is_debian7
-    register: install_iptables_rules_deb7
-
-  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
-    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
-    with_items:
-      - rules.v4
-      - rules.v6
-    when: is_debian8
-    register: install_netfilter_rules
-
-  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
-    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
-    with_items:
-      - rules.v4
-      - rules.v6
-    when:
-      - ansible_distribution == 'Ubuntu'
-      - ansible_distribution_major_version >= '16'
-    register: install_netfilter_rules
-
-  - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
-    service: name=iptables-persistent state=restarted enabled=yes
-    register: restart_related_p
-    notify: Restart fail2ban after an iptables restart
-    when: install_iptables_rules_precise is changed
-
-  - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
-    service: name=iptables-persistent state=restarted enabled=yes
-    register: restart_related_t
-    notify: Restart fail2ban after an iptables restart
-    when: install_iptables_rules_trusty is changed
-
-  - name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
-    service: name=iptables-persistent state=restarted enabled=yes
-    register: restart_related_d7
-    notify: Restart fail2ban after an iptables restart
-    when: install_iptables_rules_deb7 is changed
-
-  - name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
-    service: name=netfilter-persistent state=restarted enabled=yes
-    register: restart_related_x
-    notify: Restart fail2ban after an iptables restart
-    when: install_netfilter_rules is changed
-
-  - name: Check if the fail2ban service is present
-    stat: path=/usr/bin/fail2ban-server
-    register: fail2ban_installed
-
-  - name: Restart fail2ban after an iptables restart on Ubuntu Precise
-    service: name=fail2ban state=restarted enabled=yes
-    when:
-      - fail2ban_installed.stat.exists
-      - restart_related_p is changed 
-
-  - name: Restart fail2ban after an iptables restart on Ubunt Trusty
-    service: name=fail2ban state=restarted enabled=yes
-    when:
-      - fail2ban_installed.stat.exists
-      - restart_related_t is changed 
-
-  - name: Restart fail2ban after an iptables restart on debian 7
-    service: name=fail2ban state=restarted enabled=yes
-    when:
-      - fail2ban_installed.stat.exists
-      - restart_related_d7 is changed 
-
-  - name: Restart fail2ban after an iptables restart on Ubuntu Xenial
-    service: name=fail2ban state=restarted enabled=yes
-    when:
-      - fail2ban_installed.stat.exists
-      - restart_related_x is changed 
-
-  - name: Check if the docker service is present
-    stat: path=/usr/bin/dockerd
-    register: dockerd_installed
-
-  - name: Restart docker after an iptables restart on Ubuntu Trusty
-    service: name=docker state=restarted enabled=yes
-    when:
-      - dockerd_installed.stat.exists
-      - restart_related_t is changed 
-
-  - name: Restart docker after an iptables restart on Ubuntu Xenial
-    service: name=docker state=restarted enabled=yes
-    when:
-      - dockerd_installed.stat.exists
-      - restart_related_x is changed 
-
-  tags: [ 'iptables', 'iptables_rules' ]
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
@ -1,398 +0,0 @@
-#
-# {{ ansible_managed }} don't manually modify this file
-#
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-{% if iptables_banlist is defined %}
-# We manage the banned IP/networks list before anything else
-{% for obj in iptables_banlist %}
-{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% elif obj.proto is defined and obj.destport is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% elif obj.proto is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% else %}
-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
-{% endif %}
-{% endfor %}
-{% endif %}
-# Return traffic and localhost
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-#
-{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
-{% if iptables_ssh_allowed_hosts is defined %}
-# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
-{% for ip in iptables_ssh_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% else %}
-# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-{% endif %}
-{% if http_port is not defined %}
-{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-{% endif %}
-{% endif %}
-{% if http_port is defined %}
-# http
-{% if http_allowed_hosts is defined %}
-{% for ip in http_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-
-{% if https_port is defined %}
-# https
-{% if https_allowed_hosts is defined %}
-{% for ip in https_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-{% if https_managed_hosts is defined %}
-{% for rule in https_managed_hosts %}
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
-{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% endif %}
-{% if psql_firewall_enabled %}
-{% if psql_db_port is defined %}
-{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
-{% if psql_global_firewall is defined %}
-{% for cidr in psql_global_firewall %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-{% endfor %}
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
-{% else %}
-{% if psql_db_data is defined %}
-# postgresql clients
-{% for db in psql_db_data %}
-{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
-{% endif %}
-{% endif %}
-{% endif %}
-{% if mysql_firewall_enabled %}
-{% if mysql_db_port is defined %}
-{% if mysql_listen_on_ext_int %}
-# mysql clients
-{% for db in mysql_db_data %}
-{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
-{% endif %}
-{% endif %}
-{% if openldap_slapd_tcp_port is defined %}
-{% if openldap_allowed_clients is defined %}
-# LDAP
-{% for addr in openldap_allowed_clients %}
-{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
-{% endif %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
-{% endif %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% if mongodb_allowed_hosts is defined %}
-# mongodb clients
-{% for ip in mongodb_allowed_hosts %}
-{% if mongodb_tcp_port is defined %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
-{% else %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
-{% endif %}
-{% endfor %}
-{% if mongodb_tcp_port is defined %}
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
-{% else %}
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
-{% endif %}
-{% endif %}
-
-{% if docker_swarm is defined and docker_swarm %}
-{% for cidr in docker_swarm_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
-{% endfor %}
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-
-{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
-# Someone still uses ftp
-{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
-{% for ip in vsftpd_iptables_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
-{% endfor %}
-A INPUT -m helper --helper ftp -j ACCEPT
-{% endif %}
-{% endif %}
-#
-# TODO: add the rules that block traffic from now on
-#
-{% if nagios_enabled is defined %}
-{% if nagios_enabled %}
-{% if nagios_monitoring_server_ip is defined %}
-# Nagios NRPE
-{% for ip in nagios_monitoring_server_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
-# Check ntp from the nagios server
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-{% endif %}
-{% if zabbix_agent_install is defined and zabbix_agent_install %}
-{% if zabbix_agent_passive_checks_status == "enabled" %}
-# Zabbix servers that can send passive checks
-{% for ip in zabbix_monitoring_servers %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-
-{% if configure_munin is defined %}
-{% if configure_munin %}
-{% if munin_server %}
-# Munin
-{% for ip in munin_server %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-{% endif %}
-{% if tomcat_cluster_enabled %}
-# tomcat cluster
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
-{% if tomcat_cluster_multicast_net is defined %}
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
-# orientdb hazelcast multicast rules
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
-{% endif %}
-# Ganglia
-{% if ganglia_enabled is defined and ganglia_enabled %}
-{% if ganglia_gmond_cluster_port is defined %}
-{% if ganglia_unicast_mode is defined %}
-{% if ganglia_unicast_mode %}
-{% for net in ganglia_unicast_networks %}
-A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endfor %}
-{% else %}
-{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
-{% else %}
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% endif %}
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }}  -j ACCEPT
-{% endif %}
-{% endif %}
-# Postfix
-{% if postfix_relay_server is defined %}
-{% if postfix_relay_server %}
-#
-# These are only needed on the machines that act as relay servers
-#
-{% for cidr in postfix_relay_server_permitted_networks %}
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT
-{% endfor %}
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-{% else %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
-{% endif %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
-{% endif %}
-{% endif %}
-{% if postfix_relay_server is defined and not postfix_relay_server %}
-{% if postfix_relay_client is defined%}
-{% if postfix_relay_client %}
-#
-# When we are not a relay server but we want send email using our relay
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
-{% endif %}
-{% endif %}
-{% endif %}
-{% if iptables is defined %}
-{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
-# TCP rules
-{% for tcp_rule in iptables.tcp %}
-{% if tcp_rule.allowed_hosts is defined %}
-{% for ip in tcp_rule.allowed_hosts %}
-{% if ip is string %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip  %}
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.udp_rules is defined and iptables.udp_rules %}
-# UDP rules
-{% for udp_rule in iptables.udp %}
-{% if udp_rule.allowed_hosts is defined %}
-{% for ip in udp_rule.allowed_hosts %}
-{% if ip is string %}
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }}  -j {{ udp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip  %}
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }}  -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
-A INPUT -p udp -m udp --dport {{ udp_rule.port }}  -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.any_rules is defined and iptables.any_rules %}
-# ANY rules
-{% for any_rule in iptables.any %}
-{% for ip in any_rule.allowed_hosts %}
-A INPUT -s {{ ip }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
-# ANY rules
-{% for any_rule in iptables.any %}
-{% for rule in any_rule.allowed_hosts %}
-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endfor %}
-{% endif %}
-# End of the custom rules
-{% endif %}
-# Prometheus exporters
-{% if prometheus_enabled is defined and prometheus_enabled %}
-{% if prometheus_servers_ip is defined %}
-{% for ip in prometheus_servers_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
-{% endif %}
-{% endif %}
-{% if keepalived_enabled is defined and keepalived_enabled %}
-# Keepalived rules. Protocol vrrp, 112
-{% if not keepalived_use_unicast %}
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-{% else %}
-{% endif %}
-A INPUT -p vrrp -j ACCEPT
-A OUTPUT -p vrrp -j ACCEPT
-{% endif %}
-#
-# INPUT POLICY
-{% if iptables_input_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-A INPUT -j {{ iptables_input_default_policy }}
-{% endif %}
-#
-# FORWARD rules and POLICY
-{% if iptables_post_nat_enabled %}
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-{% for rule in iptables_nat_rules %}
-A FORWARD {{ rule.options }} -j ACCEPT
-{% endfor %}
-{% endif %}
-{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-A FORWARD -j {{ iptables_forward_default_policy }}
-{% endif %}
-COMMIT
-{% if iptables_nat_enabled %}
-# This should be obsoleted
-# NAT rules
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-{% if iptables_nat_specify_interfaces %}
-{% for int in iptables_nat_interfaces %}
-A POSTROUTING -o {{ int }} -j MASQUERADE
-{% endfor %}
-{% else %}
-A POSTROUTING  -j MASQUERADE
-{% endif %}
-COMMIT
-{% endif %}
-
-{% if iptables_post_nat_enabled %}
-# NAT rules
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-{% for rule in iptables_nat_rules %}
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
-{% endfor %}
-COMMIT
-{% endif %}
--- a/library/roles/iptables/templates/iptables-rules.v6.j2
+++ b/library/roles/iptables/templates/iptables-rules.v6.j2
@ -1,15 +0,0 @@
-#
-# {{ ansible_managed }} don't manually modify this file
-#
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-{% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp6-addr-unreachable
-A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
-{% else %}
-A INPUT -j {{ iptables_default_policy }}
-A FORWARD -j {{ iptables_default_policy }}
-{% endif %}
-COMMIT
--- a/library/roles/ubuntu-deb-general/meta/main.yml
+++ b/library/roles/ubuntu-deb-general/meta/main.yml
@ -2,7 +2,10 @@
 dependencies:
  - role: '../../library/roles/deb-apt-setup'
  - { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" }
-  - role: 'basic-system-setup'
+  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup.git
+    version: master
+    name: basic-system-setup
+    state: latest
  - role: '../../library/roles/motd'
  - role: '../../library/roles/ntp'
  - role: '../../library/roles/linux-kernel-sysctl'