role firewall: add support for installation of gateway firewall - maybe not realy usable..

2021-04-01 15:57:48 +02:00 · 2021-04-01 15:57:48 +02:00 · 529e115716
commit 529e115716
parent 76fb3c68ac
6 changed files with 2344 additions and 1878 deletions
--- a/host_vars/192.168.11.182.yml
+++ b/host_vars/192.168.11.182.yml
@ -0,0 +1,127 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+ssh_keypair_backup_server:
+  - name: backup
+    backup_user: back
+    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
+    priv_key_dest: /root/.ssh/id_rsa
+    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
+    pub_key_dest: /root/.ssh/id_rsa.pub
+
+insert_root_ssh_keypair: true
+
+root_ssh_keypair:
+  - name: backup
+    login: root
+    priv_key_src: root/.ssh/id_ed25519.oopen-server
+    priv_key_dest: /root/.ssh/id_ed25519
+    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
+    pub_key_dest: /root/.ssh/id_ed25519.pub
+    target: backup.oopen.de
+
+
+default_user:
+
+  - name: chris
+    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+    shell: /bin/bash
+    ssh_keys:
+     - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
+     - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+    shell: /bin/bash
+    ssh_keys:
+     - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
+
+sudo_users:
+  - chris
+  - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+apt_install_bind9_packages: true
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-gateway
+  repo: https://git.oopen.de/firewall/ipt-gateway
+  dest: /usr/local/src/ipt-gateway
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
--- a/roles/firewall/tasks/ipt-gateway.yml
+++ b/roles/firewall/tasks/ipt-gateway.yml
@ -0,0 +1,283 @@
+---
+#  # ---
+#  # - Check if firewall repository exist
+#  # ---
+#
+#  - name: (ipt-gateway.yml) Check if firewall repository exist
+#    stat:
+#      path: '{{ git_firewall_repository.dest }}'
+#    register: git_firewall_repository_exists
+#
+#  - meta: end_host
+#    when: not git_firewall_repository_exists.stat.exists
+
+# ---
+# Create firewall config directory '/etc/ipt/firewall' if not exists
+# ---
+
+- name: (ipt-gateway.yml) Install/update firewall repository
+  git:
+    repo: '{{ git_firewall_repository.repo }}'
+    dest: '{{ git_firewall_repository.dest }}'
+  when: git_firewall_repository is defined and git_firewall_repository|length > 0
+  tags:
+    - git-firewall-repository
+
+# Exit if no firewall repository variable exists or is empty
+#
+- meta: end_host
+  when: git_firewall_repository is not defined or git_firewall_repository|length < 1
+
+- name: (ipt-gateway.yml) Create directory /etc/ipt-firewall if not exists
+  file:
+    path: /etc/ipt-firewall
+    state: directory
+
+# ---
+# Check presence of files
+# ---
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv4.conf
+  register: interfaces_ipv4_exists
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv6.conf
+  register: interfaces_ipv6_exists
+
+- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv4.conf
+  register: main_ipv4_exists
+
+- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv6.conf
+  register: main_ipv6_exists
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/ban_ipv4.list are present
+  stat:
+    path: /etc/ipt-firewall/ban_ipv4.list
+  register: ban_ipv4_exists
+
+# ---
+# Get information about network devices
+# ---
+
+- name: (ipt-gateway.yml) define traditional ethernet facts
+  set_fact:
+    ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+  when: 
+    - not interfaces_ipv4_exists.stat.exists
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
+    - inventory_hostname not in groups['lxc_host']|string
+  with_items:
+    - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: (ipt-gateway.yml) define traditional bridge facts
+  set_fact:
+    ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+  when: 
+    - not interfaces_ipv4_exists.stat.exists
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
+    - "groups['lxc_host']|string is search(inventory_hostname)"
+  with_items:
+    - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: (ipt-gateway.yml) Debug message IPv4
+  debug:
+     msg: 
+       - "index: {{ idx + 1 }}"
+       - "device: {{ item.device }}"
+       - "ipv4-address: {{ item.ipv4.address }}"
+  loop: "{{ ansible_netdev }}"
+  loop_control:
+    label: "{{ item.device }}"
+    index_var: idx
+  when:
+    - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+- name: (ipt-gateway.yml) Debug message IPv6
+  debug:
+     msg: 
+       - "index: {{ idx + 1 }}"
+       - "device: {{ item.device }}"
+       - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
+  loop: "{{ ansible_netdev }}"
+  loop_control:
+    label: "{{ item.device }}"
+    index_var: idx
+  when:
+    - item.default_ipv6 is defined and item.default_ipv6|length > 0
+    - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
+
+#- meta: end_host
+
+# ---
+# Get sshd ports
+# ---
+
+- name: (ipt-gateway.yml) Get sshd ports as blank separated list
+  set_fact:
+    fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
+  when: 
+    - sshd_ports is defined and sshd_ports | length > 0
+    - sshd_ports|join() != "22"
+
+- name: (ipt-gateway.yml) Set default sshd ports
+  set_fact:
+    fw_sshd_ports: "$standard_ssh_port"
+  when: 
+    - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"
+
+# ===
+# Update/Modify firewall
+# ===
+
+# ---
+# Host specific configuration files
+# ---
+
+# /etc/ipt-firewall/interfaces_ipv[4|6].conf
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
+  command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample  /etc/ipt-firewall/interfaces_ipv4.conf
+  when: not interfaces_ipv4_exists.stat.exists
+  register: new_interfaces_ipv4
+
+
+- name: (ipt-gateway.yml) Configure interfaces_ipv4.conf 1/2
+  lineinfile:
+    path: /etc/ipt-firewall/interfaces_ipv4.conf
+    regexp: 'local_if_1='
+    line: 'local_if_1="{{ item.device }}"' 
+  register: interfaces_ipv4_device
+  loop: "{{ ansible_netdev }}"
+  loop_control:
+    label: "{{ item.device }}"
+  until:
+    - interfaces_ipv4_device is changed
+  when: 
+    - not interfaces_ipv4_exists.stat.exists
+    - new_interfaces_ipv4 is changed
+    - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+# /etc/ipt-firewall/ban_ipv[4|6].list
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
+  command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample  /etc/ipt-firewall/ban_ipv4.list
+  when: not ban_ipv4_exists.stat.exists
+
+# /etc/ipt-firewall/main_ipv[4|6].conf
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
+  command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample  /etc/ipt-firewall/main_ipv4.conf
+  when: not main_ipv4_exists.stat.exists
+  register: cp_main_ipv4
+
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
+  command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample  /etc/ipt-firewall/main_ipv6.conf
+  when: not main_ipv6_exists.stat.exists
+  register: cp_main_ipv6
+
+# ---
+# Host independet configuration files
+# ---
+
+- name: (ipt-gateway.yml) Check if common configuration files are latest
+  shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
+  changed_when: "diff_output.rc > 0"
+  # diff_output.rc
+  #    0  -> unchanged
+  #    1  -> changed
+  #    2  -> not present
+  failed_when: "diff_output.rc > 2"
+  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+  loop:
+     - include_functions.conf
+     - load_modules_ipv4.conf
+     - load_modules_ipv6.conf
+     - logging_ipv4.conf
+     - logging_ipv6.conf
+     - default_ports.conf
+     - post_decalrations.conf
+  register: diff_output
+
+- name: (ipt-gateway.yml) Ensure common configuration files are latest
+  command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
+  loop:
+     - include_functions.conf
+     - load_modules_ipv4.conf
+     - load_modules_ipv6.conf
+     - logging_ipv4.conf
+     - logging_ipv6.conf
+     - default_ports.conf
+     - post_decalrations.conf
+  when:
+    - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+    - diff_output.changed
+
+# ---
+# Firewall scripts
+# ---
+
+- name: (ipt-gateway.yml) Check if firewall scripts are latest
+  shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+  changed_when: "diff_script_output.rc > 0"
+  # diff_output.rc
+  #    0  -> unchanged
+  #    1  -> changed
+  #    2  -> not present
+  failed_when: "diff_script_output.rc > 2"
+  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+  loop:
+     - ipt-firewall-gateway
+     - ip6t-firewall-gateway
+  register: diff_script_output
+
+- name: (ipt-gateway.yml) Ensure firewall scripts are latest
+  command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+  loop:
+     - ipt-firewall-gateway
+     - ip6t-firewall-gateway
+  when:
+    - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+    - diff_script_output.changed
+
+# ---
+# Install systemd service files  ip[6]t-firewall.service
+# ---
+
+- name: (ipt-gateway.yml) Configure firewall systemd service files
+  template:
+    src: etc/systemd/system/{{ item }}-firewall.service.j2
+    dest: /etc/systemd/system/{{ item }}-firewall.service
+  register: systemd_service_files_installed
+  with_items:
+     - ipt
+     - ip6t
+
+- name: (ipt-gateway.yml) Enable firewall services IPv4
+  systemd:
+    name: (ipt-gateway.yml) ipt-firewall
+    state: stopped
+    enabled: yes
+    daemon_reload: yes
+  when: systemd_service_files_installed is changed
+  register: firewall_service_started
+
+- name: (ipt-gateway.yml) Enable firewall services IPv6
+  systemd:
+    name: (ipt-gateway.yml) ip6t-firewall
+    state: stopped
+    enabled: yes
+    daemon_reload: yes
+  when: systemd_service_files_installed is changed
+  register: firewall_service_started
+
+- meta: end_host
+  when: firewall_service_started is changed
--- a/roles/firewall/tasks/ipt-server.yml
+++ b/roles/firewall/tasks/ipt-server.yml
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
--- a/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2
+++ b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2
@ -1,5 +1,21 @@
 # {{ ansible_managed }}

+{%- if groups['gateway_server']|string is search(inventory_hostname) %}
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+SyslogIdentifier="ip6t-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-gateway start
+ExecStop=/usr/local/sbin/ip6t-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+{% else %}
 [Unit]
 Description=IPv6 Firewall with ip6tables
 After=network.target
@ -13,4 +29,5 @@ User=root

 [Install]
 WantedBy=multi-user.target
+{% endif %}

--- a/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2
+++ b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2
@ -1,5 +1,23 @@
 # {{ ansible_managed }}

+{%- if groups['gateway_server']|string is search(inventory_hostname) %}
+
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+SyslogIdentifier="ipt-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-gateway start
+ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+{% else %}
+
 [Unit]
 Description=IPv4 Firewall with iptables
 After=network.target
@ -13,4 +31,5 @@ User=root

 [Install]
 WantedBy=multi-user.target
+{% endif %}