From 11f5c3fcb6adcb87a2f2ced2848f8707aaef0fc7 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 5 Apr 2024 00:01:57 +0200
Subject: [PATCH] update..
---
 roles/modify-ipt-server/tasks/ipt-server.yml | 262 +++++--------------
 1 file changed, 71 insertions(+), 191 deletions(-)
diff --git a/roles/modify-ipt-server/tasks/ipt-server.yml b/roles/modify-ipt-server/tasks/ipt-server.yml
index ab83cb2..432f8ef 100644
--- a/roles/modify-ipt-server/tasks/ipt-server.yml
+++ b/roles/modify-ipt-server/tasks/ipt-server.yml
@@ -16,6 +16,7 @@ when: git_firewall_repository is defined and git_firewall_repository|length > 0 + # === # Some Checks # ===
@@ -46,6 +47,7 @@ register: munin_node_exists + # === # Adjust/Correct some values.. # ===
@@ -91,6 +93,7 @@ - Restart IPv6 Firewall + # === # Add some Code Block. # ===
@@ -149,155 +152,6 @@ - Restart IPv6 Firewall - -- name: Check if String 'lxc_guest_ips=..' is present in interfaces_ipv4.conf - shell: grep -q -E "^lxc_guest_ips=" /etc/ipt-firewall/interfaces_ipv4.conf - register: lxc_guest_ips_interfaces_ipv4_present - when: interfaces_ipv4_exists.stat.exists - failed_when: "lxc_guest_ips_interfaces_ipv4_present.rc > 1" - changed_when: "lxc_guest_ips_interfaces_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (lxc_guest_ips) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - insertafter: '^#?\s*local_3_ip' - block: | - local_ips="$local_1_ip $local_2_ip $local_3_ip" - - - # ------------- - # --- IP-Addresses LXC Guest sSystems - # ------------- - - # for _guest in $(lxc-ls) ; do echo ; lxc-info -n $_guest | grep -E "(IP:|Name:)" ; done - - # NOT IN USE - lxc_guest_1_ip="" - # NOT IN USE - lxc_guest_2_ip="" - # NOT IN USE - lxc_guest_3_ip="" - # NOT IN USE - lxc_guest_4_ip="" - # NOT IN USE - lxc_guest_5_ip="" - # NOT IN USE - lxc_guest_6_ip="" - # NOT IN USE - lxc_guest_7_ip="" - - lxc_guest_ips="$lxc_guest_1_ip $lxc_guest_2_ip $lxc_guest_3_ip $lxc_guest_4_ip $lxc_guest_5_ip $lxc_guest_6_ip $lxc_guest_7_ip" - - marker: "# Marker set by modify-ipt-server.yml (lxc_guest_ips)" - when: - - interfaces_ipv4_exists.stat.exists - - lxc_guest_ips_interfaces_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'lxc_guest_ips=..' 
is present in interfaces_ipv6.conf - shell: grep -q -E "^lxc_guest_ips=" /etc/ipt-firewall/interfaces_ipv6.conf - register: lxc_guest_ips_interfaces_ipv6_present - when: interfaces_ipv6_exists.stat.exists - failed_when: "lxc_guest_ips_interfaces_ipv6_present.rc > 1" - changed_when: "lxc_guest_ips_interfaces_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (lxc_guest_ips) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - insertafter: '^#?\s*local_3_ip' - block: | - local_ips="$local_1_ip $local_2_ip $local_3_ip" - - - # ------------- - # --- IP-Addresses LXC Guest sSystems - # ------------- - - # for _guest in $(lxc-ls) ; do echo ; lxc-info -n $_guest | grep -E "(IP:|Name:)" ; done - - # NOT IN USE - lxc_guest_1_ip="" - # NOT IN USE - lxc_guest_2_ip="" - # NOT IN USE - lxc_guest_3_ip="" - # NOT IN USE - lxc_guest_4_ip="" - # NOT IN USE - lxc_guest_5_ip="" - # NOT IN USE - lxc_guest_6_ip="" - # NOT IN USE - lxc_guest_7_ip="" - - lxc_guest_ips="$lxc_guest_1_ip $lxc_guest_2_ip $lxc_guest_3_ip $lxc_guest_4_ip $lxc_guest_5_ip $lxc_guest_6_ip $lxc_guest_7_ip" - - marker: "# Marker set by modify-ipt-server.yml (lxc_guest_ips)" - when: - - interfaces_ipv6_exists.stat.exists - - lxc_guest_ips_interfaces_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -- name: Check if String 'do_not_firewall_lx_guest_systems=..' 
is present - shell: grep -q -E "^do_not_firewall_lx_guest_systems=" /etc/ipt-firewall/main_ipv4.conf - register: wireguard_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "wireguard_service_ipv4_present.rc > 1" - changed_when: "wireguard_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (do_not_firewall_lx_guest_systems) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*do_not_firewall_bridged_traffic' - block: | - - # ------------- - # --- Do not firewall traffic from and to LX Gust Systems - # ------------- - - # - Traffic to hosted LX containers are not firewalled here. - # - - do_not_firewall_lx_guest_systems=false - marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" - when: - - main_ipv4_exists.stat.exists - - wireguard_service_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'do_not_firewall_lx_guest_systems=..' is present - shell: grep -q -E "^do_not_firewall_lx_guest_systems=" /etc/ipt-firewall/main_ipv6.conf - register: wireguard_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "wireguard_service_ipv6_present.rc > 1" - changed_when: "wireguard_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (do_not_firewall_lx_guest_systems) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*do_not_firewall_bridged_traffic' - block: | - - # ------------- - # --- Do not firewall traffic from and to LX Gust Systems - # ------------- - - # - Traffic to hosted LX containers are not firewalled here. - # - - do_not_firewall_lx_guest_systems=false - marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" - when: - - main_ipv6_exists.stat.exists - - wireguard_service_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # --- # Mattermost (MM) Service (add a block) # --- 
@@ -365,48 +219,6 @@ -# --- -# Per IP Connection Limit (add a line) -# --- - -- name: Check if String 'per_IP_connection_limit=..' is present - shell: grep -q -E "^per_IP_connection_limit=" /etc/ipt-firewall/main_ipv4.conf - register: per_ip_connection_limit_settings_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "per_ip_connection_limit_settings_ipv4_present.rc > 1" - changed_when: "per_ip_connection_limit_settings_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*limit_connections_per_source_IP' - line: per_IP_connection_limit=$default_per_IP_connection_limit - when: - - main_ipv4_exists.stat.exists - - per_ip_connection_limit_settings_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'per_IP_connection_limit=..' is present - shell: grep -q -E "^per_IP_connection_limit=" /etc/ipt-firewall/main_ipv6.conf - register: per_ip_connection_limit_settings_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "per_ip_connection_limit_settings_ipv6_present.rc > 1" - changed_when: "per_ip_connection_limit_settings_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*limit_connections_per_source_IP' - line: per_IP_connection_limit=$default_per_IP_connection_limit - when: - - main_ipv6_exists.stat.exists - - per_ip_connection_limit_settings_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - # === # Remove Marker set by blockinfile # === 
@@ -449,6 +261,56 @@ when: - interfaces_ipv6_exists.stat.exists + + +# === +# Add Code Line. +# === + + +# --- +# Per IP Connection Limit (add a line) +# --- + +- name: Check if String 'per_IP_connection_limit=..' is present + shell: grep -q -E "^per_IP_connection_limit=" /etc/ipt-firewall/main_ipv4.conf + register: per_ip_connection_limit_settings_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "per_ip_connection_limit_settings_ipv4_present.rc > 1" + changed_when: "per_ip_connection_limit_settings_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*limit_connections_per_source_IP' + line: per_IP_connection_limit=$default_per_IP_connection_limit + when: + - main_ipv4_exists.stat.exists + - per_ip_connection_limit_settings_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + +- name: Check if String 'per_IP_connection_limit=..' is present + shell: grep -q -E "^per_IP_connection_limit=" /etc/ipt-firewall/main_ipv6.conf + register: per_ip_connection_limit_settings_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "per_ip_connection_limit_settings_ipv6_present.rc > 1" + changed_when: "per_ip_connection_limit_settings_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings) + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*limit_connections_per_source_IP' + line: per_IP_connection_limit=$default_per_IP_connection_limit + when: + - main_ipv6_exists.stat.exists + - per_ip_connection_limit_settings_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + + # === # Confiuration Files # === @@ -490,6 +352,8 @@ - Restart IPv4 Firewall - Restart IPv6 Firewall + + # === # Firewall scripts # === 
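Review bot: The re-added ipv6 `lineinfile` task uses `dest:` while its ipv4 twin a few lines above uses `path:`; `dest` is only a legacy alias of `path`, so write `path: /etc/ipt-firewall/main_ipv6.conf` in both to keep the pair consistent. Both check tasks run a plain `grep -q -E …` through `shell:` although no shell feature is used, so `command:` does the same without spawning a shell and also satisfies ansible-lint's `command-instead-of-shell` rule. The two check tasks share the identical name `Check if String 'per_IP_connection_limit=..' is present`, and both adjust tasks are labelled `(protect_settings)` although they insert `per_IP_connection_limit`, so play output cannot tell the ipv4 run from the ipv6 run; naming them per file, e.g. `Check if String 'per_IP_connection_limit=..' is present in main_ipv4.conf` and `… (per_IP_connection_limit)`, fixes that. The task whose `when:` / `- interfaces_ipv6_exists.stat.exists` lines open the hunk starts outside it.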
@@ -521,3 +385,19 @@ - Restart IPv4 Firewall - Restart IPv6 Firewall + + +# === +# Delete files that are no longer required +# === + +- name: Delete file '/etc/ipt-firewall/default_ports.conf' .. + file: + state: absent + path: /etc/ipt-firewall/default_ports.conf + +- name: Delete file '/etc/ipt-firewall/ports.conf' .. + file: + state: absent + path: /etc/ipt-firewall/ports.conf +
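Review bot: The two `file: state: absent` tasks are the only tasks visible in this diff that modify /etc/ipt-firewall without a `notify:`, so a running firewall keeps whatever it loaded from `default_ports.conf` / `ports.conf` until something else restarts it, and if any script or config installed earlier in this play still sources either file, that later restart will presumably fail rather than this play; worth confirming before deleting them unconditionally, and adding the same `notify:` list of `Restart IPv4 Firewall` / `Restart IPv6 Firewall` used by the neighbouring tasks would at least surface the problem in the same run. The final added line leaves an extra blank line at end of file, which yamllint's `empty-lines` rule reports. The trailing ` ..` in both task names carries no information; `Delete obsolete file '/etc/ipt-firewall/default_ports.conf'` reads cleaner.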