diff --git a/host_vars/192.168.11.182.yml b/host_vars/192.168.11.182.yml
new file mode 100644
index 0000000..561a917
--- /dev/null
+++ b/host_vars/192.168.11.182.yml
@@ -0,0 +1,127 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+ssh_keypair_backup_server:
+ - name: backup
+ backup_user: back
+ priv_key_src: root/.ssh/id_rsa.backup.oopen.de
+ priv_key_dest: /root/.ssh/id_rsa
+ pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
+ pub_key_dest: /root/.ssh/id_rsa.pub
+
+insert_root_ssh_keypair: true
+
+root_ssh_keypair:
+ - name: backup
+ login: root
+ priv_key_src: root/.ssh/id_ed25519.oopen-server
+ priv_key_dest: /root/.ssh/id_ed25519
+ pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
+ pub_key_dest: /root/.ssh/id_ed25519.pub
+ target: backup.oopen.de
+
+
+default_user:
+
+ - name: chris
+ password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-rsa 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 chris@luna'
+ - 'ssh-rsa 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 root@luna'
+
+ - name: sysadm
+
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-rsa 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 chris@luna'
+ - 'ssh-rsa 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 root@luna'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-rsa 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 chris@luna'
+
+sudo_users:
+ - chris
+ - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+apt_install_bind9_packages: true
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+ name: ipt-gateway
+ repo: https://git.oopen.de/firewall/ipt-gateway
+ dest: /usr/local/src/ipt-gateway
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+ name: root
+ password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
diff --git a/roles/firewall/tasks/ipt-gateway.yml b/roles/firewall/tasks/ipt-gateway.yml
new file mode 100644
index 0000000..6610151
--- /dev/null
+++ b/roles/firewall/tasks/ipt-gateway.yml
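Review bot: The `password:` values for chris, sysadm, back and root_user are SHA-512 crypt hashes committed in clear in host_vars, and the `priv_key_src` entries point at private key files kept inside the repository tree; both stay recoverable from the git history for anyone with read access, and the hashes are exposed to offline guessing. Each hash should be stored as an `ansible-vault encrypt_string` result (a `!vault` tagged scalar keeps the rest of the file readable and diffable) and the private key material moved out of the repository, with `priv_key_src` pointing at a vaulted or externally provisioned location. A comment above `default_user`, `# password: SHA-512 crypt hash - store vault-encrypted, never in clear`, would document the expectation for future entries.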
@@ -0,0 +1,283 @@
+---
+# # ---
+# # - Check if firewall repository exist
+# # ---
+#
+# - name: (ipt-gateway.yml) Check if firewall repository exist
+# stat:
+# path: '{{ git_firewall_repository.dest }}'
+# register: git_firewall_repository_exists
+#
+# - meta: end_host
+# when: not git_firewall_repository_exists.stat.exists
+
+# ---
+# Create firewall config directory '/etc/ipt/firewall' if not exists
+# ---
+
+- name: (ipt-gateway.yml) Install/update firewall repository
+ git:
+ repo: '{{ git_firewall_repository.repo }}'
+ dest: '{{ git_firewall_repository.dest }}'
+ when: git_firewall_repository is defined and git_firewall_repository|length > 0
+ tags:
+ - git-firewall-repository
+
+# Exit if no firewall repository variable exists or is empty
+#
+- meta: end_host
+ when: git_firewall_repository is not defined or git_firewall_repository|length < 1
+
+- name: (ipt-gateway.yml) Create directory /etc/ipt-firewall if not exists
+ file:
+ path: /etc/ipt-firewall
+ state: directory
+
+# ---
+# Check presence of files
+# ---
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
+ stat:
+ path: /etc/ipt-firewall/interfaces_ipv4.conf
+ register: interfaces_ipv4_exists
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
+ stat:
+ path: /etc/ipt-firewall/interfaces_ipv6.conf
+ register: interfaces_ipv6_exists
+
+- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
+ stat:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ register: main_ipv4_exists
+
+- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
+ stat:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ register: main_ipv6_exists
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/ban_ipv4.list are present
+ stat:
+ path: /etc/ipt-firewall/ban_ipv4.list
+ register: ban_ipv4_exists
+
+# ---
+# Get information about network devices
+# ---
+
+- name: (ipt-gateway.yml) define traditional ethernet facts
+ set_fact:
+ ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+ when:
+ - not interfaces_ipv4_exists.stat.exists
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
+ - inventory_hostname not in groups['lxc_host']|string
+ with_items:
+ - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: (ipt-gateway.yml) define traditional bridge facts
+ set_fact:
+ ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+ when:
+ - not interfaces_ipv4_exists.stat.exists
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
+ - "groups['lxc_host']|string is search(inventory_hostname)"
+ with_items:
+ - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: (ipt-gateway.yml) Debug message IPv4
+ debug:
+ msg:
+ - "index: {{ idx + 1 }}"
+ - "device: {{ item.device }}"
+ - "ipv4-address: {{ item.ipv4.address }}"
+ loop: "{{ ansible_netdev }}"
+ loop_control:
+ label: "{{ item.device }}"
+ index_var: idx
+ when:
+ - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+- name: (ipt-gateway.yml) Debug message IPv6
+ debug:
+ msg:
+ - "index: {{ idx + 1 }}"
+ - "device: {{ item.device }}"
+ - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
+ loop: "{{ ansible_netdev }}"
+ loop_control:
+ label: "{{ item.device }}"
+ index_var: idx
+ when:
+ - item.default_ipv6 is defined and item.default_ipv6|length > 0
+ - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
+
+#- meta: end_host
+
+# ---
+# Get sshd ports
+# ---
+
+- name: (ipt-gateway.yml) Get sshd ports as blank separated list
+ set_fact:
+ fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
+ when:
+ - sshd_ports is defined and sshd_ports | length > 0
+ - sshd_ports|join() != "22"
+
+- name: (ipt-gateway.yml) Set default sshd ports
+ set_fact:
+ fw_sshd_ports: "$standard_ssh_port"
+ when:
+ - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"
+
+# ===
+# Update/Modify firewall
+# ===
+
+# ---
+# Host specific configuration files
+# ---
+
+# /etc/ipt-firewall/interfaces_ipv[4|6].conf
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
+ command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf
+ when: not interfaces_ipv4_exists.stat.exists
+ register: new_interfaces_ipv4
+
+
+- name: (ipt-gateway.yml) Configure interfaces_ipv4.conf 1/2
+ lineinfile:
+ path: /etc/ipt-firewall/interfaces_ipv4.conf
+ regexp: 'local_if_1='
+ line: 'local_if_1="{{ item.device }}"'
+ register: interfaces_ipv4_device
+ loop: "{{ ansible_netdev }}"
+ loop_control:
+ label: "{{ item.device }}"
+ until:
+ - interfaces_ipv4_device is changed
+ when:
+ - not interfaces_ipv4_exists.stat.exists
+ - new_interfaces_ipv4 is changed
+ - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+# /etc/ipt-firewall/ban_ipv[4|6].list
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
+ command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list
+ when: not ban_ipv4_exists.stat.exists
+
+# /etc/ipt-firewall/main_ipv[4|6].conf
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
+ command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf
+ when: not main_ipv4_exists.stat.exists
+ register: cp_main_ipv4
+
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
+ command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf
+ when: not main_ipv6_exists.stat.exists
+ register: cp_main_ipv6
+
+# ---
+# Host independet configuration files
+# ---
+
+- name: (ipt-gateway.yml) Check if common configuration files are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_output.rc > 2"
+ when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ register: diff_output
+
+- name: (ipt-gateway.yml) Ensure common configuration files are latest
+ command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ when:
+ - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ - diff_output.changed
+
+# ---
+# Firewall scripts
+# ---
+
+- name: (ipt-gateway.yml) Check if firewall scripts are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_script_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_script_output.rc > 2"
+ when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ loop:
+ - ipt-firewall-gateway
+ - ip6t-firewall-gateway
+ register: diff_script_output
+
+- name: (ipt-gateway.yml) Ensure firewall scripts are latest
+ command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+ loop:
+ - ipt-firewall-gateway
+ - ip6t-firewall-gateway
+ when:
+ - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ - diff_script_output.changed
+
+# ---
+# Install systemd service files ip[6]t-firewall.service
+# ---
+
+- name: (ipt-gateway.yml) Configure firewall systemd service files
+ template:
+ src: etc/systemd/system/{{ item }}-firewall.service.j2
+ dest: /etc/systemd/system/{{ item }}-firewall.service
+ register: systemd_service_files_installed
+ with_items:
+ - ipt
+ - ip6t
+
+- name: (ipt-gateway.yml) Enable firewall services IPv4
+ systemd:
+ name: (ipt-gateway.yml) ipt-firewall
+ state: stopped
+ enabled: yes
+ daemon_reload: yes
+ when: systemd_service_files_installed is changed
+ register: firewall_service_started
+
+- name: (ipt-gateway.yml) Enable firewall services IPv6
+ systemd:
+ name: (ipt-gateway.yml) ip6t-firewall
+ state: stopped
+ enabled: yes
+ daemon_reload: yes
+ when: systemd_service_files_installed is changed
+ register: firewall_service_started
+
+- meta: end_host
+ when: firewall_service_started is changed
diff --git a/roles/firewall/tasks/ipt-server.yml b/roles/firewall/tasks/ipt-server.yml
new file mode 100644
index 0000000..bdc5ba3
--- /dev/null
+++ b/roles/firewall/tasks/ipt-server.yml
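Review bot: The `systemd` module's `name:` in both "Enable firewall services" tasks carries the task-name prefix — `name: (ipt-gateway.yml) ipt-firewall` — so the module would look up a unit literally called that and fail; these should read `name: ipt-firewall` and `name: ip6t-firewall`. Both tasks also `register: firewall_service_started`, so the second overwrites the first and the closing `meta: end_host` only reflects the IPv6 unit's result. Finally, `state: stopped` together with the `end_host` leaves both firewall units down whenever the unit files change, which looks intended for a first install where /etc/ipt-firewall still needs hand-editing, but deserves a comment on the task, e.g. `# Units are installed stopped; start them once /etc/ipt-firewall is configured`.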
@@ -0,0 +1,1884 @@
+---
+# # ---
+# # - Check if firewall repository exist
+# # ---
+#
+# - name: Check if firewall repository exist
+# stat:
+# path: '{{ git_firewall_repository.dest }}'
+# register: git_firewall_repository_exists
+#
+# - meta: end_host
+# when: not git_firewall_repository_exists.stat.exists
+
+# ---
+# Create firewall config directory '/etc/ipt/firewall' if not exists
+# ---
+
+- name: Install/update firewall repository
+ git:
+ repo: '{{ git_firewall_repository.repo }}'
+ dest: '{{ git_firewall_repository.dest }}'
+ when: git_firewall_repository is defined and git_firewall_repository|length > 0
+ tags:
+ - git-firewall-repository
+
+# Exit if no firewall repository variable exists or is empty
+#
+- meta: end_host
+ when: git_firewall_repository is not defined or git_firewall_repository|length < 1
+
+- name: Create directory /etc/ipt-firewall if not exists
+ file:
+ path: /etc/ipt-firewall
+ state: directory
+
+# ---
+# Check presence of files
+# ---
+
+- name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
+ stat:
+ path: /etc/ipt-firewall/interfaces_ipv4.conf
+ register: interfaces_ipv4_exists
+
+- name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
+ stat:
+ path: /etc/ipt-firewall/interfaces_ipv6.conf
+ register: interfaces_ipv6_exists
+
+- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
+ stat:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ register: main_ipv4_exists
+
+- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
+ stat:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ register: main_ipv6_exists
+
+- name: Check if /etc/ipt-firewall/ban_ipv4.list are present
+ stat:
+ path: /etc/ipt-firewall/ban_ipv4.list
+ register: ban_ipv4_exists
+
+- name: Check if /etc/ipt-firewall/ban_ipv6.list are present
+ stat:
+ path: /etc/ipt-firewall/ban_ipv6.list
+ register: ban_ipv6_exists
+
+# ---
+# Get information about network devices
+# ---
+
+- name: define traditional ethernet facts
+ set_fact:
+ ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+ when:
+ - not interfaces_ipv4_exists.stat.exists
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
+ - inventory_hostname not in groups['lxc_host']|string
+ with_items:
+ - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: define traditional bridge facts
+ set_fact:
+ ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+ when:
+ - not interfaces_ipv4_exists.stat.exists
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+ - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
+ - "groups['lxc_host']|string is search(inventory_hostname)"
+ with_items:
+ - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: Debug message IPv4
+ debug:
+ msg:
+ - "index: {{ idx + 1 }}"
+ - "device: {{ item.device }}"
+ - "ipv4-address: {{ item.ipv4.address }}"
+ loop: "{{ ansible_netdev }}"
+ loop_control:
+ label: "{{ item.device }}"
+ index_var: idx
+ when:
+ - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+- name: Debug message IPv6
+ debug:
+ msg:
+ - "index: {{ idx + 1 }}"
+ - "device: {{ item.device }}"
+ - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
+ loop: "{{ ansible_netdev }}"
+ loop_control:
+ label: "{{ item.device }}"
+ index_var: idx
+ when:
+ - item.default_ipv6 is defined and item.default_ipv6|length > 0
+ - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
+
+#- meta: end_host
+
+# ---
+# Get sshd ports
+# ---
+
+- name: Get sshd ports as blank separated list
+ set_fact:
+ fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
+ when:
+ - sshd_ports is defined and sshd_ports | length > 0
+ - sshd_ports|join() != "22"
+
+- name: Set default sshd ports
+ set_fact:
+ fw_sshd_ports: "$standard_ssh_port"
+ when:
+ - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"
+
+# ===
+# Modify main_ipv[4|].conf - add port definitionios
+# ===
+
+# ---
+# Allow local Services from given (extern) network
+# ---
+
+- name: Check if String 'allow_local_service_from_networks=..' is present
+ shell: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv4.conf
+ register: allow_local_service_from_networks_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "allow_local_service_from_networks_ipv4_present.rc > 1"
+ changed_when: "allow_local_service_from_networks_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_local_service_from_networks)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*allow_local_service'
+ block: |
+
+ # -------------
+ # ---- Allow local Services from given (extern) network
+ # -------------
+
+ # - allow_local_service_from_networks
+ # -
+ # - allow_local_service_from_networks=" [: [.."
+ # -
+ # - Allow all traffic to given local service from given (extern) network
+ # -
+ # - Example:
+ # - allow_local_service="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp"
+ # -
+ # - Blank separated list
+ # -
+ allow_local_service_from_networks=""
+ marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - allow_local_service_from_networks_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'allow_local_service_from_networks=..' is present
+ shell: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv6.conf
+ register: allow_local_service_from_networks_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "allow_local_service_from_networks_ipv6_present.rc > 1"
+ changed_when: "allow_local_service_from_networks_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_local_service_from_networks)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*allow_local_service'
+ block: |
+
+ # -------------
+ # ---- Allow local Services from given (extern) network
+ # -------------
+
+ # - allow_local_service_from_networks
+ # -
+ # - allow_local_service_from_networks=" [, [.."
+ # -
+ # - Allow all traffic to given local service from given (extern) network
+ # -
+ # - Example:
+ # - allow_local_service="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp"
+ # -
+ # - Blank separated list
+ # -
+ allow_local_service_from_networks=""
+ marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - allow_local_service_from_networks_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+
+# ---
+# vpn_ports
+# ---
+
+- name: Check if String 'vpn_ports=..' is present
+ shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: vpn_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "vpn_ports_ipv4_present.rc > 1"
+ changed_when: "vpn_ports_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_vpn_server_ips'
+ block: |
+ # - VPN Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ vpn_ports="$standard_vpn_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - vpn_ports_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'vpn_ports=..' is present
+ shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: vpn_ports_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "vpn_ports_ipv6_present.rc > 1"
+ changed_when: "vpn_ports_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_vpn_server_ips'
+ block: |
+ # - VPN Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ vpn_ports="$standard_vpn_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - vpn_ports_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# support local NTP Service
+# ---
+
+- name: Check if String 'local_ntp_service..' is present
+ shell: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv4.conf
+ register: local_ntp_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "local_ntp_service_ipv4_present.rc > 1"
+ changed_when: "local_ntp_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_ntp_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*vpn_ports'
+ block: |
+ # local NTP Server
+ #
+ local_ntp_service=false
+
+ # NPT Port used by local service
+ #
+ ntp_port="$standard_ntp_port"
+
+ # Network allowed for NTP requests
+ #
+ # Note: if not set no port will be open!
+ #
+ ntp_allowed_net=""
+ marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - local_ntp_service_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'local_ntp_service..' is present
+ shell: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv6.conf
+ register: local_ntp_service_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "local_ntp_service_ipv6_present.rc > 1"
+ changed_when: "local_ntp_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_ntp_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*vpn_ports'
+ block: |
+ # local NTP Server
+ #
+ local_ntp_service=false
+
+ # NPT Port used by local service
+ #
+ ntp_port="$standard_ntp_port"
+
+ # Network allowed for NTP requests
+ #
+ # Note: if not set no port will be open!
+ #
+ ntp_allowed_net=""
+ marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - local_ntp_service_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# support local DNS Resolver
+# ---
+
+- name: Check if String 'local_resolver_service..' is present
+ shell: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv4.conf
+ register: local_resolver_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "local_resolver_service_ipv4_present.rc > 1"
+ changed_when: "local_resolver_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_resolver_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_dns_server_ips'
+ block: |
+ # - local DNS Resolver
+ # -
+ local_resolver_service=false
+
+ # - Resolover Port used by local service
+ # -
+ resolver_port="$standard_dns_port"
+
+ # - Network allowed for DNS requests
+ # -
+ # - Note: if not set no port will be open!
+ # -
+ # - Example:
+ # - resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
+ # -
+ resolver_allowed_networks=""
+
+ marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - local_resolver_service_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'local_resolver_service..' is present
+ shell: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv6.conf
+ register: local_resolver_service_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "local_resolver_service_ipv6_present.rc > 1"
+ changed_when: "local_resolver_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_resolver_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_dns_server_ips'
+ block: |
+ # - local DNS Resolver
+ # -
+ local_resolver_service=false
+
+ # - Resolover Port used by local service
+ # -
+ resolver_port="$standard_dns_port"
+
+ # - Network allowed for DNS requests
+ # -
+ # - Note: if not set no port will be open!
+ # -
+ # - Example:
+ # - resolver_allowed_net="2001:678:a40:3000::/64 2001:678:a40:4000::/64"
+ # -
+ resolver_allowed_networks=""
+
+ marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - local_resolver_service_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# ssh_ports
+# ---
+
+- name: Check if String 'ssh_ports=..' is present
+ shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: ssh_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ssh_ports_ipv4_present.rc > 1"
+ changed_when: "ssh_ports_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_ssh_server_ips'
+ block: |
+ # - SSH Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ ssh_ports="{{ fw_sshd_ports }}"
+
+ marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - ssh_ports_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'ssh_ports=..' is present
+ shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: ssh_ports_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "ssh_ports_ipv6_present.rc > 1"
+ changed_when: "ssh_ports_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_ssh_server_ips'
+ block: |
+ # - SSH Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ ssh_ports="{{ fw_sshd_ports }}"
+
+ marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - ssh_ports_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# http_ports
+# ---
+
+- name: Check if String 'http_ports=..' is present
+ shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: http_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "http_ports_ipv4_present.rc > 1"
+ changed_when: "http_ports_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_http_server_ips'
+ block: |
+ # - HTTP(S) Ports used by local Services
+ # -
+ # - comma separated list
+ # -
+ http_ports="$standard_http_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (http_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - http_ports_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'http_ports=..' is present
+ shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: http_ports_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "http_ports_ipv6_present.rc > 1"
+ changed_when: "http_ports_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_http_server_ips'
+ block: |
+ # - HTTP(S) Ports used by local Services
+ # -
+ # - comma separated list
+ # -
+ http_ports="$standard_http_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (http_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - http_ports_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# mail_user_ports
+# ---
+
+- name: Check if String 'mail_user_ports=..' is present
+ shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: mail_user_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mail_user_ports_ipv4_present.rc > 1"
+ changed_when: "mail_user_ports_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_mail_server_ips'
+ block: |
+ # - Client Ports used by local Mail Services
+ # -
+ # - comma separated list
+ # -
+ mail_user_ports="$standard_mailuser_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - mail_user_ports_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'mail_user_ports=..' is present
+ shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: mail_user_ports_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mail_user_ports_ipv6_present.rc > 1"
+ changed_when: "mail_user_ports_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_mail_server_ips'
+ block: |
+ # - Client Ports used by local Mail Services
+ # -
+ # - comma separated list
+ # -
+ mail_user_ports="$standard_mailuser_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - mail_user_ports_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# dovecot_auth_service
+# ---
+
+- name: Check if String 'dovecot_auth_service=..' is present
+ shell: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv4.conf
+ register: dovecot_auth_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "dovecot_auth_service_ipv4_present.rc > 1"
+ changed_when: "dovecot_auth_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (dovecot_auth_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_mail_client_ips'
+ block: |
+
+ # - Dovecot auth service
+ # -
+ dovecot_auth_service=false
+
+ # - Port listen for dovecot auth requests
+ # -
+ dovecot_auth_port=44444
+
+ # - Client Network(s) allowed to connect to dovecot's auth service
+ # -
+ # - Example:
+ # - dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
+ # -
+ dovecot_auth_allowed_networks=""
+ marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - dovecot_auth_service_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'dovecot_auth_service=..' is present
+ shell: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv6.conf
+ register: dovecot_auth_service_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "dovecot_auth_service_ipv6_present.rc > 1"
+ changed_when: "dovecot_auth_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (dovecot_auth_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_mail_client_ips'
+ block: |
+
+ # - (local) Dovecot auth service
+ # -
+ dovecot_auth_service=false
+
+ # - Port listen for dovecot auth requests
+ # -
+ dovecot_auth_port=44444
+
+ # - Client Network(s) allowed to connect to dovecot's auth service
+ # -
+ # - Example:
+ # - dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
+ # -
+ dovecot_auth_allowed_networks=""
+ marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - dovecot_auth_service_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# ftp_passive_port_range
+# ---
+
+- name: Check if String 'ftp_passive_port_range=..' is present
+ shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf
+ register: ftp_passive_port_range_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ftp_passive_port_range_ipv4_present.rc > 1"
+ changed_when: "ftp_passive_port_range_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_ftp_server_ips'
+ block: |
+ # - FTP passive port range use by local ftp service(s)
+ # -
+ # - example: ftp_passive_port_range="50000:50400"
+ # -
+ ftp_passive_port_range="50000:50400"
+
+ marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - ftp_passive_port_range_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'ftp_passive_port_range=..' is present
+ shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf
+ register: ftp_passive_port_range_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ftp_passive_port_range_ipv6_present.rc > 1"
+ changed_when: "ftp_passive_port_range_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_ftp_server_ips'
+ block: |
+ # - FTP passive port range use by local ftp service(s)
+ # -
+ # - example: ftp_passive_port_range="50000:50400"
+ # -
+ ftp_passive_port_range="50000:50400"
+
+ marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - ftp_passive_port_range_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# XMPP Service
+# ---
+
+- name: Check if String 'xmpp_server_ips=..' is present
+ shell: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv4.conf
+ register: xmpp_server_ips_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "xmpp_server_ips_ipv4_present.rc > 1"
+ changed_when: "xmpp_server_ips_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xmpp_server_ips)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*ftp_passive_port_range'
+ block: |
+
+ # - XMPP Service (Jabber - Prosody)
+ # -
+ xmpp_server_ips=""
+ forward_xmpp_server_ips=""
+
+ # - Ports used by XMpp (Prosody) service
+ # -
+ # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt
+ # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet)
+ # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern
+ # -
+ # - WebSocket (support is provided by mod_websocket)
+ # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen)
+ # -
+ xmmp_tcp_in_ports="5222 5223 5269"
+ xmmp_tcp_out_ports="5269"
+
+ # - XMPP Remote Dovecote Out Service
+ # -
+ # - Example:
+ # - xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
+ # -
+ xmmp_remote_out_services=""
+
+ marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - xmpp_server_ips_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+- name: Check if String 'xmpp_server_ips=..'
is present + shell: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv6.conf + register: xmpp_server_ips_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "xmpp_server_ips_ipv6_present.rc > 1" + changed_when: "xmpp_server_ips_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xmpp_server_ips) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*ftp_passive_port_range' + block: | + + # - XMPP Service (Jabber - Prosody) + # - + xmpp_server_ips="" + forward_xmpp_server_ips="" + + # - Ports used by XMpp (Prosody) service + # - + # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt + # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet) + # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern + # - + # - WebSocket (support is provided by mod_websocket) + # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen) + # - + xmmp_tcp_in_ports="5222 5223 5269" + xmmp_tcp_out_ports="5269" + + # - XMPP Remote Dovecote Out Service + # - + # - Example: + # - xmmp_remote_out_services=" + # - 2a01:4f8:221:3b4e::247,44444 + # - 2a01:30:0:13:2f7:50ff:fed2:cef7,44444 + # - " + # - + xmmp_remote_out_services="" + + marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)" + when: + - main_ipv6_exists.stat.exists + - xmpp_server_ips_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# munin_remote_port +# --- + +- name: Check if String 'munin_remote_port=..' 
is present + shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf + register: munin_remote_port_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "munin_remote_port_ipv4_present.rc > 1" + changed_when: "munin_remote_port_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_munin_server_ips' + block: | + # - Port used by clients hosted on this (local) Munin Services + # - + # - !! Only one port is possible !! + # - + munin_remote_port="$standard_munin_port" + + marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" + when: + - main_ipv4_exists.stat.exists + - munin_remote_port_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'munin_remote_port=..' is present + shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf + register: munin_remote_port_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "munin_remote_port_ipv6_present.rc > 1" + changed_when: "munin_remote_port_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_munin_server_ips' + block: | + # - Ports used by clients hosted on this (local) Munin Services + # - + # - !! Only one port is possible !! + # - + munin_remote_port="$standard_munin_port" + + marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" + when: + - main_ipv6_exists.stat.exists + - munin_remote_port_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# xymon_port +# --- + +- name: Check if String 'xymon_port=..' 
is present + shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf + register: xymon_port_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "xymon_port_ipv4_present.rc > 1" + changed_when: "xymon_port_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*local_xymon_client' + block: | + # - Port used by local Xymon Services + # - + # - !! Only one port is possible !! + # - + xymon_port="$standard_xymon_port" + + marker: "# Marker set by modify-ipt-server.yml (xymon_port)" + when: + - main_ipv4_exists.stat.exists + - xymon_port_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'xymon_port=..' is present + shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf + register: xymon_port_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "xymon_port_ipv6_present.rc > 1" + changed_when: "xymon_port_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*local_xymon_client' + block: | + # - Port used by local Xymon Services + # - + # - !! Only one port is possible !! + # - + xymon_port="$standard_xymon_port" + + marker: "# Marker set by modify-ipt-server.yml (xymon_port)" + when: + - main_ipv6_exists.stat.exists + - xymon_port_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# mumble_ports +# --- + +- name: Check if String 'mumble_ports=..' 
is present + shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf + register: mumble_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "mumble_ports_ipv4_present.rc > 1" + changed_when: "mumble_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_mumble_server_ips' + block: | + # - Ports used by local Mumble Services + # - + # - comma separated list + # - + mumble_ports="$standard_mumble_port" + + marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" + when: + - main_ipv4_exists.stat.exists + - mumble_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + +- name: Check if String 'mumble_ports=..' is present + shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf + register: mumble_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "mumble_ports_ipv6_present.rc > 1" + changed_when: "mumble_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_mumble_server_ips' + block: | + # - Ports used by local Mumble Services + # - + # - comma separated list + # - + mumble_ports="$standard_mumble_port" + + marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" + when: + - main_ipv6_exists.stat.exists + - mumble_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + +# --- +# Portforwarding +# --- + +- name: Check if String 'portforward_tcp=..' 
(IPv4) is present + shell: grep -q -E "^portforward_tcp=" /etc/ipt-firewall/main_ipv4.conf + register: portforward_tcp_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "portforward_tcp_ipv4_present.rc > 1" + changed_when: "portforward_tcp_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (portforward_tcp) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_udp_out_ports' + block: | + + # ============= + # --- Portforwarding + # ============= + + # - Portforwarding TCP + # - + # - portforward_tcp="::::" + # - + # - Multiple declarations (blank separated list) are possible + # - + # - Example: + # - portforward_tcp="${ext_if_1}:83.223.86.95:9997:192.168.52.25:22 + # - ${ext_if_1}:${ext_1_ip}:80:83.223.86.98:80 + # - ${ext_if_1}:${ext_1_ip}:443:83.223.86.98:443 + # - " + # - + # - Note! + # - be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES. + # - + # - Blank separated list + # - + portforward_tcp="" + + + # - Portforwarding UDP + # - + # - portforward_udp="::::" + # - + # - Multiple declarations (blank separated list) are possible + # - + # - Example: + # - portforward_udp=" + # - ${ext_if_1}:${ext_1_ip}:1194:192.168.52.25:1194 + # - ${ext_if_1}:${ext_1_ip}:1195:192.168.53.24:1195 + # - " + # - + # - Blank separated list + # - + portforward_udp="" + + marker: "# Marker set by modify-ipt-server.yml (portforward_tcp)" + when: + - main_ipv4_exists.stat.exists + - portforward_tcp_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + +- name: Check if String 'portforward_tcp=..' 
(IPv6) is present + shell: grep -q -E "^portforward_tcp=" /etc/ipt-firewall/main_ipv6.conf + register: portforward_tcp_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "portforward_tcp_ipv6_present.rc > 1" + changed_when: "portforward_tcp_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_udp_out_ports' + block: | + + # ============= + # --- Portforwarding + # ============= + + # - Portforwarding TCP + # - + # - portforward_tcp=",,,," + # - + # - Multiple declarations (blank separated list) are possible + # - + # - Example: + # - portforward_tcp="${ext_if_1},${ext_1_ip},9997,2a01:30:0:13:5054:ff:fe83:dbda,c22 + # - ${ext_if_1},${ext_1_ip},80,2a01:30:0:13:211:84ff:feb7:7f9c,80 + # - ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,80,2a01:30:0:13:211:84ff:feb7:7f9c,80 + # - ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,443,2a01:30:0:13:211:84ff:feb7:7f9c,443 + # - " + # - + # - Note! + # - be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES. 
+ # - + # - Blank separated list + # - + portforward_tcp="" + + + # - Portforwarding UDP + # - + # - portforward_udp=",,,," + # - + # - Multiple declarations (blank separated list) are possible + # - + # - Example: + # - portforward_udp=" + # - ${ext_if_1},${ext_1_ip},1094,,1094 + # - ${ext_if_1},${ext_1_ip},1095,,1095 + # - " + # - + # - Blank separated list + # - + portforward_udp="" + + marker: "# Marker set by modify-ipt-server.yml (portforward_tcp)" + when: + - main_ipv6_exists.stat.exists + - portforward_tcp_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + +# --- +# Remove Marker set by blockinfile +# --- + +- name: Remove marker IPv4 + replace : + path: /etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + +- name: Remove marker IPv6 + replace : + path: /etc/ipt-firewall/main_ipv6.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists + + +# === +# Update/Modify firewall +# === + +# --- +# Host specific configuration files +# --- + +# /etc/ipt-firewall/interfaces_ipv[4|6].conf +# +- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf + when: not interfaces_ipv4_exists.stat.exists + register: new_interfaces_ipv4 + + +- name: Configure interfaces_ipv4.conf 1/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_if_1=' + line: 'ext_if_1="{{ item.device }}"' + register: interfaces_ipv4_device + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - 
interfaces_ipv4_device is changed + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + - item.ipv4.address is defined and item.ipv4.address|length > 0 + +- name: Configure interfaces_ipv4.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_1_ip=' + line: 'ext_1_ip="{{ item.ipv4.address }}"' + register: interfaces_ipv4_ip + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - interfaces_ipv4_ip is changed + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + - item.ipv4.address is defined and item.ipv4.address|length > 0 + +- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf + when: not interfaces_ipv6_exists.stat.exists + register: new_interfaces_ipv6 + +- name: Configure interfaces_ipv6.conf 1/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_if_1=' + line: 'ext_if_1="{{ item.device }}"' + register: interfaces_ipv6_device + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - interfaces_ipv6_device is changed + when: + - not interfaces_ipv6_exists.stat.exists + - new_interfaces_ipv6 is changed + - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 + +- name: Configure interfaces_ipv6.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_1_ip=' + #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"' + line: "ext_1_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}\"" + register: interfaces_ipv6_ip + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + until: + - interfaces_ipv6_ip is changed + when: + - not interfaces_ipv6_exists.stat.exists + - 
new_interfaces_ipv6 is changed + - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 + - item.ipv6.1.address is defined and item.ipv6.1.address|length > 0 + +# /etc/ipt-firewall/ban_ipv[4|6].list +# +- name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list + when: not ban_ipv4_exists.stat.exists + +- name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list + when: not ban_ipv6_exists.stat.exists + +# /etc/ipt-firewall/main_ipv[4|6].conf +# +- name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf + when: not main_ipv4_exists.stat.exists + register: cp_main_ipv4 + +- name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf + when: not main_ipv6_exists.stat.exists + register: cp_main_ipv6 + +# --- +# Configure main_ipv4.conf +# --- + +# - Firewall Bridged Traffic ? 
+ +- name: Configure main_ipv4.conf (do_not_firewall_bridged_traffic - lxc_host) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=true + state: present + when: + - inventory_hostname in groups['lxc_host'] + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (do_not_firewall_bridged_traffic - other) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=false + state: present + when: + - inventory_hostname not in groups['lxc_host'] + notify: + - Restart IPv4 Firewall + +# - DNS Service + +- name: Configure main_ipv4.conf (dns_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dns_server_ips' + line: dns_server_ips="$ext_ips" + state: present + when: + - "groups['dns_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - (local) Resolver + +- name: Configure main_ipv4.conf (local_resolver_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*local_resolver_service' + line: local_resolver_service=true + state: present + when: + - "groups['local_resolver']|string is search(inventory_hostname)" + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (resolver_allowed_networks) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*resolver_allowed_networks' + line: resolver_allowed_networks="{{ (resolver_allowed_ipv4_networks | join(' ')) | default(omit) }}" + state: present + when: + - "groups['local_resolver']|string is search(inventory_hostname)" + notify: + - Restart IPv4 Firewall + +# - NTP Service + +- name: Configure main_ipv4.conf (local_ntp_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*local_ntp_service' + line: local_ntp_service=true + state: present + when: + - 
"groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (ntp_allowed_net) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*local_ntp_service' + line: 'ntp_allowed_net="{{ ntp_allowed_ipv4_net | default(omit) }"' + state: present + when: + - "groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +# - SSH Service + +- name: Configure main_ipv4.conf (ssh_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*ssh_server_ips' + line: ssh_server_ips="$ext_ips" + state: present + when: + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - HTTP Server + +- name: Configure main_ipv4.conf (http_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*http_server_ips=' + line: http_server_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - Mail Client Protocols + +- name: Configure main_ipv4.conf (mail_client_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mail_client_ips=' + line: mail_client_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - Mal Server + +- name: Configure main_ipv4.conf (smtpd_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*smtpd_ips=' + line: smtpd_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not 
main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +- name: Configure main_ipv4.conf (mail_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mail_server_ips=' + line: mail_server_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + +# - Dovecot auth service + +- name: Configure main_ipv4.conf (dovecot_auth_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dovecot_auth_service=' + line: dovecot_auth_service=true + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - has_dovecot_auth_service_ipv4 == true + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (dovecot_auth_port) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dovecot_auth_port=' + line: dovecot_auth_port={{ dovecot_auth_service_port | default(omit) }} + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - has_dovecot_auth_service_ipv4 == true + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (dovecot_auth_allowed_networks) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dovecot_auth_allowed_networks=' + line: dovecot_auth_allowed_networks="{{ (dovecot_auth_allowed_network_ipv4 | join(' ')) | default(omit) }}" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - has_dovecot_auth_service_ipv4 == true + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +# - FTP Service + +- name: Configure main_ipv4.conf (ftp_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*ftp_server_ips=' + line: ftp_server_ips="$ext_1_ip" 
+ state: present + when: + - "groups['ftp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - XMPP Service + +- name: Configure main_ipv4.conf (xmpp_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*xmpp_server_ips=' + line: xmpp_server_ips="$ext_1_ip" + state: present + when: + - "groups['xmpp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + notify: + - Restart IPv4 Firewall + +- name: Configure main_ipv4.conf (xmmp_remote_out_services) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*xmmp_remote_out_services=' + line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv4 | default(omit) }}"' + state: present + when: + - "groups['xmpp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + - xmpp_has_dovecot_auth == true + notify: + - Restart IPv4 Firewall + +# - Mumble + +- name: Configure main_ipv4.conf (mumble_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mumble_server_ips=' + line: mumble_server_ips="$ext_1_ip" + state: present + when: + - "groups['mumble_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + +# - Munin Remote IP + +- name: Configure main_ipv4.conf (munin_remote_ip) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*munin_remote_ip=' + line: 'munin_remote_ip="{{ munin_remote_ipv4 }}"' + state: present + notify: + - Restart IPv4 Firewall + +# --- +# Configure main_ipv6.conf +# --- + +# - Firewall Bridged Traffic ? 
+ +- name: Configure main_ipv6.conf (do_not_firewall_bridged_traffic - lxc_host) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=true + state: present + when: + - inventory_hostname in groups['lxc_host'] + notify: + - Restart IPv6 Firewall + +- name: Configure main_ipv6.conf (do_not_firewall_bridged_traffic - other) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*do_not_firewall_bridged_traffic' + line: do_not_firewall_bridged_traffic=false + state: present + when: + - inventory_hostname not in groups['lxc_host'] + notify: + - Restart IPv6 Firewall + +# - DNS Service + +- name: Configure main_ipv6.conf (dns_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*dns_server_ips' + line: dns_server_ips="$ext_ips" + state: present + when: + - "groups['dns_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +# - (local) Resolver + +- name: Configure main_ipv6.conf (local_resolver_service) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*local_resolver_service' + line: local_resolver_service=true + state: present + when: + - "groups['local_resolver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +- name: Configure main_ipv6.conf (resolver_allowed_networks) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*resolver_allowed_networks' + line: resolver_allowed_networks="{{ (resolver_allowed_ipv6_networks | join(' ')) | default(omit) }}" + state: present + when: + - "groups['local_resolver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +# - NTP Service + +- name: Configure main_ipv6.conf (local_ntp_service) + 
lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*local_ntp_service' + line: local_ntp_service=true + state: present + when: + - "groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +- name: Configure main_ipv6.conf (ntp_allowed_net) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*local_ntp_service' + line: 'ntp_allowed_net="{{ ntp_allowed_ipv6_net }"' + state: present + when: + - "groups['ntp_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + notify: + - Restart IPv6 Firewall + +#- SSH Service + +- name: Configure main_ipv6.conf (ssh_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*ssh_server_ips' + line: ssh_server_ips="$ext_ips" + state: present + when: + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + +# - HTTP Service + +- name: Configure main_ipv6.conf (http_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*http_server_ips=' + line: http_server_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + +# - Mail Client Protocolls + +- name: Configure main_ipv6.conf (mail_client_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*mail_client_ips=' + line: mail_client_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + +# - Mail Server + +- name: Configure main_ipv6.conf (smtpd_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*smtpd_ips=' + line: 
smtpd_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+- name: Configure main_ipv6.conf (mail_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*mail_server_ips='
+ line: mail_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+# - Dovecot auth service
+
+- name: Configure main_ipv6.conf (dovecot_auth_service)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*dovecot_auth_service='
+ line: dovecot_auth_service=true
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - has_dovecot_auth_service_ipv6 == true
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ notify:
+ - Restart IPv6 Firewall
+
+- name: Configure main_ipv6.conf (dovecot_auth_port)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*dovecot_auth_port='
+ line: dovecot_auth_port={{ dovecot_auth_service_port | default(omit) }}
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - has_dovecot_auth_service_ipv6 == true
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ notify:
+ - Restart IPv6 Firewall
+
+- name: Configure main_ipv6.conf (dovecot_auth_allowed_networks)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*dovecot_auth_allowed_networks='
+ line: dovecot_auth_allowed_networks="{{ (dovecot_auth_allowed_network_ipv6 | join(' ')) | default(omit) }}"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - has_dovecot_auth_service_ipv6 == true
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ notify:
+ - Restart IPv6 Firewall
+
+# - FTP Service
+
+- name: Configure main_ipv6.conf (ftp_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*ftp_server_ips='
+ line: ftp_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['ftp_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+# - XMPP Service
+
+- name: Configure main_ipv6.conf (xmpp_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*xmpp_server_ips='
+ line: xmpp_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['xmpp_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ - xmpp_has_dovecot_auth == true
+ notify:
+ - Restart IPv6 Firewall
+
+- name: Configure main_ipv6.conf (xmmp_remote_out_services)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*xmmp_remote_out_services='
+ line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv6 | default(omit) }}"'
+ state: present
+ when:
+ - "groups['xmpp_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+ - xmpp_has_dovecot_auth == true
+ notify:
+ - Restart IPv6 Firewall
+
+# - Munmble Service
+
+- name: Configure main_ipv6.conf (mumble_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*mumble_server_ips='
+ line: mumble_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mumble_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+# - Munin Remote IP
+
+- name: Configure main_ipv6.conf (munin_remote_ip)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*munin_remote_ip='
+ line: 'munin_remote_ip="{{ munin_remote_ipv6 }}"'
+ state: present
+ notify:
+ - Restart IPv6 Firewall
+
+# ---
+# Host independet configuration files
+# ---
+
+- name: Check if common configuration files are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_output.rc > 2"
+ when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ register: diff_output
+
+- name: Ensure common configuration files are latest
+ command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ when:
+ - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ - diff_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+# ---
+# Firewall scripts
+# ---
+
+- name: Check if firewall scripts are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_script_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_script_output.rc > 2"
+ when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ register: diff_script_output
+
+- name: Ensure firewall scripts are latest
+ command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ when:
+ - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+ - diff_script_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+# ---
+# Install systemd service files ip[6]t-firewall.service
+# ---
+
+- name: Configure firewall systemd service files
+ template:
+ src: etc/systemd/system/{{ item }}-firewall.service.j2
+ dest: /etc/systemd/system/{{ item }}-firewall.service
+ register: systemd_service_files_installed
+ with_items:
+ - ipt
+ - ip6t
+
+- name: Enable firewall services IPv4
+ systemd:
+ name: ipt-firewall
+ state: stopped
+ enabled: yes
+ daemon_reload: yes
+ when: systemd_service_files_installed is changed
+ register: firewall_service_started
+
+- name: Enable firewall services IPv6
+ systemd:
+ name: ip6t-firewall
+ state: stopped
+ enabled: yes
+ daemon_reload: yes
+ when: systemd_service_files_installed is changed
+ register: firewall_service_started
+
+- meta: end_host
+ when: firewall_service_started is changed
+
+# ---
+# Delete unused files
+# ---
+
+- name: Delete file /etc/ipt-firewall/ports.conf
+ file:
+ path: /etc/ipt-firewall/ports.conf
+ state: absent
+ when: systemd_service_files_installed is changed
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 5ebbe55..82b4bfb 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -1,1883 +1,19 @@ --- -# # --- -# # - Check if firewall repository exist -# # --- -# -# - name: Check if firewall repository exist -# stat: -# path: '{{ git_firewall_repository.dest }}' -# register: git_firewall_repository_exists -# -# - meta: end_host -# when: not git_firewall_repository_exists.stat.exists -# --- -# Create firewall config directory '/etc/ipt/firewall' if not exists -# --- - -- name: Install/update firewall repository - git: - repo: '{{ git_firewall_repository.repo }}' - dest: '{{ git_firewall_repository.dest }}' - when: git_firewall_repository is defined and git_firewall_repository|length > 0 +# tags supportetd inside caching-nameserver.yml +# +# apt-caching-nameserver +- import_tasks: ipt-server.yml + when: + - groups['gateway_server']|string is not search(inventory_hostname) tags: - - git-firewall-repository + - git-firewall-repository + - ipt-server + -# Exit if no firewall repository variable exists or is empty -# -- meta: end_host - when: git_firewall_repository is not defined or git_firewall_repository|length < 1 - -- name: Create directory /etc/ipt-firewall if not exists - file: - path: /etc/ipt-firewall - state: directory - -# --- -# Check presence of files -# --- - -- name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present - stat: - path: /etc/ipt-firewall/interfaces_ipv4.conf - register: interfaces_ipv4_exists - -- name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present - stat: - path: /etc/ipt-firewall/interfaces_ipv6.conf - register: interfaces_ipv6_exists - -- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv4.conf - register: main_ipv4_exists - -- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv6.conf - register: main_ipv6_exists - -- name: Check if /etc/ipt-firewall/ban_ipv4.list are present - stat: - path: /etc/ipt-firewall/ban_ipv4.list - register: ban_ipv4_exists - -- name: Check if 
/etc/ipt-firewall/ban_ipv6.list are present - stat: - path: /etc/ipt-firewall/ban_ipv6.list - register: ban_ipv6_exists - -# --- -# Get information about network devices -# --- - -- name: define traditional ethernet facts - set_fact: - ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" +- import_tasks: ipt-gateway.yml when: - - not interfaces_ipv4_exists.stat.exists - - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined - - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' - - inventory_hostname not in groups['lxc_host']|string - with_items: - - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - -- name: define traditional bridge facts - set_fact: - ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" - when: - - not interfaces_ipv4_exists.stat.exists - - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined - - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' - - "groups['lxc_host']|string is search(inventory_hostname)" - with_items: - - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" - -- name: Debug message IPv4 - debug: - msg: - - "index: {{ idx + 1 }}" - - "device: {{ item.device }}" - - "ipv4-address: {{ item.ipv4.address }}" - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - item.ipv4.address is defined and item.ipv4.address|length > 0 - -- name: Debug message IPv6 - debug: - msg: - - "index: {{ idx + 1 }}" - - "device: {{ item.device }}" - - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}" - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - index_var: idx - when: - - item.ipv6.0.address is defined and item.ipv6.0.address|length > 
0 - -#- meta: end_host - -# --- -# Get sshd ports -# --- - -- name: Get sshd ports as blank separated list - set_fact: - fw_sshd_ports: "{{ sshd_ports | join (' ') }}" - when: - - sshd_ports is defined and sshd_ports | length > 0 - - sshd_ports|join() != "22" - -- name: Set default sshd ports - set_fact: - fw_sshd_ports: "$standard_ssh_port" - when: - - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22" - -# === -# Modify main_ipv[4|].conf - add port definitionios -# === - -# --- -# Allow local Services from given (extern) network -# --- - -- name: Check if String 'allow_local_service_from_networks=..' is present - shell: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv4.conf - register: allow_local_service_from_networks_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "allow_local_service_from_networks_ipv4_present.rc > 1" - changed_when: "allow_local_service_from_networks_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_local_service_from_networks) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*allow_local_service' - block: | - - # ------------- - # ---- Allow local Services from given (extern) network - # ------------- - - # - allow_local_service_from_networks - # - - # - allow_local_service_from_networks=" [: [.." - # - - # - Allow all traffic to given local service from given (extern) network - # - - # - Example: - # - allow_local_service="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp" - # - - # - Blank separated list - # - - allow_local_service_from_networks="" - marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)" - when: - - main_ipv4_exists.stat.exists - - allow_local_service_from_networks_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'allow_local_service_from_networks=..' 
is present - shell: grep -q -E "^allow_local_service_from_networks=" /etc/ipt-firewall/main_ipv6.conf - register: allow_local_service_from_networks_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "allow_local_service_from_networks_ipv6_present.rc > 1" - changed_when: "allow_local_service_from_networks_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_local_service_from_networks) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*allow_local_service' - block: | - - # ------------- - # ---- Allow local Services from given (extern) network - # ------------- - - # - allow_local_service_from_networks - # - - # - allow_local_service_from_networks=" [, [.." - # - - # - Allow all traffic to given local service from given (extern) network - # - - # - Example: - # - allow_local_service="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp" - # - - # - Blank separated list - # - - allow_local_service_from_networks="" - marker: "# Marker set by modify-ipt-server.yml (allow_local_service_from_networks)" - when: - - main_ipv6_exists.stat.exists - - allow_local_service_from_networks_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# --- -# vpn_ports -# --- - -- name: Check if String 'vpn_ports=..' 
is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf - register: vpn_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "vpn_ports_ipv4_present.rc > 1" - changed_when: "vpn_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_vpn_server_ips' - block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list - # - - vpn_ports="$standard_vpn_port" - - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: - - main_ipv4_exists.stat.exists - - vpn_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'vpn_ports=..' is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf - register: vpn_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "vpn_ports_ipv6_present.rc > 1" - changed_when: "vpn_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_vpn_server_ips' - block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list - # - - vpn_ports="$standard_vpn_port" - - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: - - main_ipv6_exists.stat.exists - - vpn_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# support local NTP Service -# --- - -- name: Check if String 'local_ntp_service..' 
is present - shell: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv4.conf - register: local_ntp_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "local_ntp_service_ipv4_present.rc > 1" - changed_when: "local_ntp_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_ntp_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_ports' - block: | - # local NTP Server - # - local_ntp_service=false - - # NPT Port used by local service - # - ntp_port="$standard_ntp_port" - - # Network allowed for NTP requests - # - # Note: if not set no port will be open! - # - ntp_allowed_net="" - marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)" - when: - - main_ipv4_exists.stat.exists - - local_ntp_service_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'local_ntp_service..' is present - shell: grep -q -E "^local_ntp_service" /etc/ipt-firewall/main_ipv6.conf - register: local_ntp_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "local_ntp_service_ipv6_present.rc > 1" - changed_when: "local_ntp_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_ntp_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_ports' - block: | - # local NTP Server - # - local_ntp_service=false - - # NPT Port used by local service - # - ntp_port="$standard_ntp_port" - - # Network allowed for NTP requests - # - # Note: if not set no port will be open! - # - ntp_allowed_net="" - marker: "# Marker set by modify-ipt-server.yml (local_ntp_service)" - when: - - main_ipv6_exists.stat.exists - - local_ntp_service_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# support local DNS Resolver -# --- - -- name: Check if String 'local_resolver_service..' 
is present - shell: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv4.conf - register: local_resolver_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "local_resolver_service_ipv4_present.rc > 1" - changed_when: "local_resolver_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_resolver_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_dns_server_ips' - block: | - # - local DNS Resolver - # - - local_resolver_service=false - - # - Resolover Port used by local service - # - - resolver_port="$standard_dns_port" - - # - Network allowed for DNS requests - # - - # - Note: if not set no port will be open! - # - - # - Example: - # - resolver_allowed_networks="192.68.11.64/27 194.150.169.139" - # - - resolver_allowed_networks="" - - marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)" - when: - - main_ipv4_exists.stat.exists - - local_resolver_service_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'local_resolver_service..' is present - shell: grep -q -E "^local_resolver_service" /etc/ipt-firewall/main_ipv6.conf - register: local_resolver_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "local_resolver_service_ipv6_present.rc > 1" - changed_when: "local_resolver_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_resolver_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_dns_server_ips' - block: | - # - local DNS Resolver - # - - local_resolver_service=false - - # - Resolover Port used by local service - # - - resolver_port="$standard_dns_port" - - # - Network allowed for DNS requests - # - - # - Note: if not set no port will be open! 
- # - - # - Example: - # - resolver_allowed_net="2001:678:a40:3000::/64 2001:678:a40:4000::/64" - # - - resolver_allowed_networks="" - - marker: "# Marker set by modify-ipt-server.yml (local_resolver_service)" - when: - - main_ipv6_exists.stat.exists - - local_resolver_service_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# ssh_ports -# --- - -- name: Check if String 'ssh_ports=..' is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf - register: ssh_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ssh_ports_ipv4_present.rc > 1" - changed_when: "ssh_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="{{ fw_sshd_ports }}" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv4_exists.stat.exists - - ssh_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'ssh_ports=..' is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf - register: ssh_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ssh_ports_ipv6_present.rc > 1" - changed_when: "ssh_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="{{ fw_sshd_ports }}" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv6_exists.stat.exists - - ssh_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# http_ports -# --- - -- name: Check if String 'http_ports=..' 
is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf - register: http_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv4_present.rc > 1" - changed_when: "http_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv4_exists.stat.exists - - http_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'http_ports=..' is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf - register: http_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv6_present.rc > 1" - changed_when: "http_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv6_exists.stat.exists - - http_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# mail_user_ports -# --- - -- name: Check if String 'mail_user_ports=..' 
is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mail_user_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv4_present.rc > 1" - changed_when: "mail_user_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv4_exists.stat.exists - - mail_user_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'mail_user_ports=..' is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mail_user_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv6_present.rc > 1" - changed_when: "mail_user_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv6_exists.stat.exists - - mail_user_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# dovecot_auth_service -# --- - -- name: Check if String 'dovecot_auth_service=..' 
is present - shell: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv4.conf - register: dovecot_auth_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "dovecot_auth_service_ipv4_present.rc > 1" - changed_when: "dovecot_auth_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (dovecot_auth_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mail_client_ips' - block: | - - # - Dovecot auth service - # - - dovecot_auth_service=false - - # - Port listen for dovecot auth requests - # - - dovecot_auth_port=44444 - - # - Client Network(s) allowed to connect to dovecot's auth service - # - - # - Example: - # - dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139" - # - - dovecot_auth_allowed_networks="" - marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)" - when: - - main_ipv4_exists.stat.exists - - dovecot_auth_service_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'dovecot_auth_service=..' 
is present - shell: grep -q -E "^dovecot_auth_service=" /etc/ipt-firewall/main_ipv6.conf - register: dovecot_auth_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "dovecot_auth_service_ipv6_present.rc > 1" - changed_when: "dovecot_auth_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (dovecot_auth_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mail_client_ips' - block: | - - # - (local) Dovecot auth service - # - - dovecot_auth_service=false - - # - Port listen for dovecot auth requests - # - - dovecot_auth_port=44444 - - # - Client Network(s) allowed to connect to dovecot's auth service - # - - # - Example: - # - dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7" - # - - dovecot_auth_allowed_networks="" - marker: "# Marker set by modify-ipt-server.yml (dovecot_auth_service)" - when: - - main_ipv6_exists.stat.exists - - dovecot_auth_service_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# ftp_passive_port_range -# --- - -- name: Check if String 'ftp_passive_port_range=..' 
is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf - register: ftp_passive_port_range_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv4_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv4_exists.stat.exists - - ftp_passive_port_range_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'ftp_passive_port_range=..' is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf - register: ftp_passive_port_range_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv6_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv6_exists.stat.exists - - ftp_passive_port_range_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# XMPP Service -# --- - -- name: Check if String 'xmpp_server_ips=..' 
is present - shell: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: xmpp_server_ips_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "xmpp_server_ips_ipv4_present.rc > 1" - changed_when: "xmpp_server_ips_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xmpp_server_ips) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*ftp_passive_port_range' - block: | - - # - XMPP Service (Jabber - Prosody) - # - - xmpp_server_ips="" - forward_xmpp_server_ips="" - - # - Ports used by XMpp (Prosody) service - # - - # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt - # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet) - # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern - # - - # - WebSocket (support is provided by mod_websocket) - # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen) - # - - xmmp_tcp_in_ports="5222 5223 5269" - xmmp_tcp_out_ports="5269" - - # - XMPP Remote Dovecote Out Service - # - - # - Example: - # - xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444" - # - - xmmp_remote_out_services="" - - marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)" - when: - - main_ipv4_exists.stat.exists - - xmpp_server_ips_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'xmpp_server_ips=..' 
is present - shell: grep -q -E "^xmpp_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: xmpp_server_ips_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "xmpp_server_ips_ipv6_present.rc > 1" - changed_when: "xmpp_server_ips_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xmpp_server_ips) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*ftp_passive_port_range' - block: | - - # - XMPP Service (Jabber - Prosody) - # - - xmpp_server_ips="" - forward_xmpp_server_ips="" - - # - Ports used by XMpp (Prosody) service - # - - # - 5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt - # - 5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet) - # - 5269 ein- und ausgehend, für Verbindungen zu anderen Servern - # - - # - WebSocket (support is provided by mod_websocket) - # - 5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen) - # - - xmmp_tcp_in_ports="5222 5223 5269" - xmmp_tcp_out_ports="5269" - - # - XMPP Remote Dovecote Out Service - # - - # - Example: - # - xmmp_remote_out_services=" - # - 2a01:4f8:221:3b4e::247,44444 - # - 2a01:30:0:13:2f7:50ff:fed2:cef7,44444 - # - " - # - - xmmp_remote_out_services="" - - marker: "# Marker set by modify-ipt-server.yml (xmpp_server_ips)" - when: - - main_ipv6_exists.stat.exists - - xmpp_server_ips_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# munin_remote_port -# --- - -- name: Check if String 'munin_remote_port=..' 
is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf - register: munin_remote_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv4_present.rc > 1" - changed_when: "munin_remote_port_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Port used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv4_exists.stat.exists - - munin_remote_port_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'munin_remote_port=..' is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf - register: munin_remote_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv6_present.rc > 1" - changed_when: "munin_remote_port_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Ports used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv6_exists.stat.exists - - munin_remote_port_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# xymon_port -# --- - -- name: Check if String 'xymon_port=..' 
is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf - register: xymon_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv4_present.rc > 1" - changed_when: "xymon_port_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv4_exists.stat.exists - - xymon_port_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'xymon_port=..' is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf - register: xymon_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv6_present.rc > 1" - changed_when: "xymon_port_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv6_exists.stat.exists - - xymon_port_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# mumble_ports -# --- - -- name: Check if String 'mumble_ports=..' 
is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mumble_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mumble_ports_ipv4_present.rc > 1" - changed_when: "mumble_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv4_exists.stat.exists - - mumble_ports_ipv4_present is changed - notify: - - Restart IPv4 Firewall - -- name: Check if String 'mumble_ports=..' is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mumble_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "mumble_ports_ipv6_present.rc > 1" - changed_when: "mumble_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv6_exists.stat.exists - - mumble_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# --- -# Portforwarding -# --- - -- name: Check if String 'portforward_tcp=..' 
(IPv4) is present - shell: grep -q -E "^portforward_tcp=" /etc/ipt-firewall/main_ipv4.conf - register: portforward_tcp_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "portforward_tcp_ipv4_present.rc > 1" - changed_when: "portforward_tcp_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (portforward_tcp) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_udp_out_ports' - block: | - - # ============= - # --- Portforwarding - # ============= - - # - Portforwarding TCP - # - - # - portforward_tcp="::::" - # - - # - Multiple declarations (blank separated list) are possible - # - - # - Example: - # - portforward_tcp="${ext_if_1}:83.223.86.95:9997:192.168.52.25:22 - # - ${ext_if_1}:${ext_1_ip}:80:83.223.86.98:80 - # - ${ext_if_1}:${ext_1_ip}:443:83.223.86.98:443 - # - " - # - - # - Note! - # - be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES. - # - - # - Blank separated list - # - - portforward_tcp="" - - - # - Portforwarding UDP - # - - # - portforward_udp="::::" - # - - # - Multiple declarations (blank separated list) are possible - # - - # - Example: - # - portforward_udp=" - # - ${ext_if_1}:${ext_1_ip}:1194:192.168.52.25:1194 - # - ${ext_if_1}:${ext_1_ip}:1195:192.168.53.24:1195 - # - " - # - - # - Blank separated list - # - - portforward_udp="" - - marker: "# Marker set by modify-ipt-server.yml (portforward_tcp)" - when: - - main_ipv4_exists.stat.exists - - portforward_tcp_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'portforward_tcp=..' 
(IPv6) is present - shell: grep -q -E "^portforward_tcp=" /etc/ipt-firewall/main_ipv6.conf - register: portforward_tcp_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "portforward_tcp_ipv6_present.rc > 1" - changed_when: "portforward_tcp_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_udp_out_ports' - block: | - - # ============= - # --- Portforwarding - # ============= - - # - Portforwarding TCP - # - - # - portforward_tcp=",,,," - # - - # - Multiple declarations (blank separated list) are possible - # - - # - Example: - # - portforward_tcp="${ext_if_1},${ext_1_ip},9997,2a01:30:0:13:5054:ff:fe83:dbda,c22 - # - ${ext_if_1},${ext_1_ip},80,2a01:30:0:13:211:84ff:feb7:7f9c,80 - # - ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,80,2a01:30:0:13:211:84ff:feb7:7f9c,80 - # - ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,443,2a01:30:0:13:211:84ff:feb7:7f9c,443 - # - " - # - - # - Note! - # - be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES. 
- # - - # - Blank separated list - # - - portforward_tcp="" - - - # - Portforwarding UDP - # - - # - portforward_udp=",,,," - # - - # - Multiple declarations (blank separated list) are possible - # - - # - Example: - # - portforward_udp=" - # - ${ext_if_1},${ext_1_ip},1094,,1094 - # - ${ext_if_1},${ext_1_ip},1095,,1095 - # - " - # - - # - Blank separated list - # - - portforward_udp="" - - marker: "# Marker set by modify-ipt-server.yml (portforward_tcp)" - when: - - main_ipv6_exists.stat.exists - - portforward_tcp_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# --- -# Remove Marker set by blockinfile -# --- - -- name: Remove marker IPv4 - replace : - path: /etc/ipt-firewall/main_ipv4.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv4_removed - #failed_when: "marker_ipv4_removed.rc > 1" - #changed_when: "marker_ipv4_removed.rc < 1" - when: - - main_ipv4_exists.stat.exists - -- name: Remove marker IPv6 - replace : - path: /etc/ipt-firewall/main_ipv6.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv6_removed - #failed_when: "marker_ipv6_removed.rc > 1" - #changed_when: "marker_ipv6_removed.rc < 1" - when: - - main_ipv6_exists.stat.exists - - -# === -# Update/Modify firewall -# === - -# --- -# Host specific configuration files -# --- - -# /etc/ipt-firewall/interfaces_ipv[4|6].conf -# -- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf' - command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf - when: not interfaces_ipv4_exists.stat.exists - register: new_interfaces_ipv4 - - -- name: Configure interfaces_ipv4.conf 1/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: '^ext_if_1=' - line: 'ext_if_1="{{ item.device }}"' - register: interfaces_ipv4_device - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - until: - - 
interfaces_ipv4_device is changed - when: - - not interfaces_ipv4_exists.stat.exists - - new_interfaces_ipv4 is changed - - item.ipv4.address is defined and item.ipv4.address|length > 0 - -- name: Configure interfaces_ipv4.conf 2/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: '^ext_1_ip=' - line: 'ext_1_ip="{{ item.ipv4.address }}"' - register: interfaces_ipv4_ip - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - until: - - interfaces_ipv4_ip is changed - when: - - not interfaces_ipv4_exists.stat.exists - - new_interfaces_ipv4 is changed - - item.ipv4.address is defined and item.ipv4.address|length > 0 - -- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' - command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf - when: not interfaces_ipv6_exists.stat.exists - register: new_interfaces_ipv6 - -- name: Configure interfaces_ipv6.conf 1/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: '^ext_if_1=' - line: 'ext_if_1="{{ item.device }}"' - register: interfaces_ipv6_device - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - until: - - interfaces_ipv6_device is changed - when: - - not interfaces_ipv6_exists.stat.exists - - new_interfaces_ipv6 is changed - - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 - -- name: Configure interfaces_ipv4.conf 2/2 - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: '^ext_1_ip=' - #line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }} {{ item.ipv6.1.address | default('') }}"' - line: "ext_1_ip=\"{{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}\"" - register: interfaces_ipv6_ip - loop: "{{ ansible_netdev }}" - loop_control: - label: "{{ item.device }}" - until: - - interfaces_ipv6_ip is changed - when: - - not interfaces_ipv6_exists.stat.exists - - 
new_interfaces_ipv6 is changed - - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0 - - item.ipv6.1.address is defined and item.ipv6.1.address|length > 0 - -# /etc/ipt-firewall/ban_ipv[4|6].list -# -- name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list' - command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list - when: not ban_ipv4_exists.stat.exists - -- name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list' - command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list - when: not ban_ipv6_exists.stat.exists - -# /etc/ipt-firewall/main_ipv[4|6].conf -# -- name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf' - command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf - when: not main_ipv4_exists.stat.exists - register: cp_main_ipv4 - -- name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf' - command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf - when: not main_ipv6_exists.stat.exists - register: cp_main_ipv6 - -# --- -# Configure main_ipv4.conf -# --- - -# - Firewall Bridged Traffic ? 
- -- name: Configure main_ipv4.conf (do_not_firewall_bridged_traffic - lxc_host) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*do_not_firewall_bridged_traffic' - line: do_not_firewall_bridged_traffic=true - state: present - when: - - inventory_hostname in groups['lxc_host'] - notify: - - Restart IPv4 Firewall - -- name: Configure main_ipv4.conf (do_not_firewall_bridged_traffic - other) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*do_not_firewall_bridged_traffic' - line: do_not_firewall_bridged_traffic=false - state: present - when: - - inventory_hostname not in groups['lxc_host'] - notify: - - Restart IPv4 Firewall - -# - DNS Service - -- name: Configure main_ipv4.conf (dns_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*dns_server_ips' - line: dns_server_ips="$ext_ips" - state: present - when: - - "groups['dns_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - -# - (local) Resolver - -- name: Configure main_ipv4.conf (local_resolver_service) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*local_resolver_service' - line: local_resolver_service=true - state: present - when: - - "groups['local_resolver']|string is search(inventory_hostname)" - notify: - - Restart IPv4 Firewall - -- name: Configure main_ipv4.conf (resolver_allowed_networks) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*resolver_allowed_networks' - line: resolver_allowed_networks="{{ (resolver_allowed_ipv4_networks | join(' ')) | default(omit) }}" - state: present - when: - - "groups['local_resolver']|string is search(inventory_hostname)" - notify: - - Restart IPv4 Firewall - -# - NTP Service - -- name: Configure main_ipv4.conf (local_ntp_service) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*local_ntp_service' - line: local_ntp_service=true - state: present - when: - - 
"groups['ntp_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - notify: - - Restart IPv4 Firewall - -- name: Configure main_ipv4.conf (ntp_allowed_net) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*local_ntp_service' - line: 'ntp_allowed_net="{{ ntp_allowed_ipv4_net | default(omit) }"' - state: present - when: - - "groups['ntp_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - notify: - - Restart IPv4 Firewall - -# - SSH Service - -- name: Configure main_ipv4.conf (ssh_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*ssh_server_ips' - line: ssh_server_ips="$ext_ips" - state: present - when: - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - -# - HTTP Server - -- name: Configure main_ipv4.conf (http_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*http_server_ips=' - line: http_server_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - -# - Mail Client Protocols - -- name: Configure main_ipv4.conf (mail_client_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mail_client_ips=' - line: mail_client_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - -# - Mal Server - -- name: Configure main_ipv4.conf (smtpd_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*smtpd_ips=' - line: smtpd_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not 
main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - -- name: Configure main_ipv4.conf (mail_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mail_server_ips=' - line: mail_server_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - -# - Dovecot auth service - -- name: Configure main_ipv4.conf (dovecot_auth_service) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*dovecot_auth_service=' - line: dovecot_auth_service=true - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - has_dovecot_auth_service_ipv4 == true - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - notify: - - Restart IPv4 Firewall - -- name: Configure main_ipv4.conf (dovecot_auth_port) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*dovecot_auth_port=' - line: dovecot_auth_port={{ dovecot_auth_service_port | default(omit) }} - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - has_dovecot_auth_service_ipv4 == true - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - notify: - - Restart IPv4 Firewall - -- name: Configure main_ipv4.conf (dovecot_auth_allowed_networks) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*dovecot_auth_allowed_networks=' - line: dovecot_auth_allowed_networks="{{ (dovecot_auth_allowed_network_ipv4 | join(' ')) | default(omit) }}" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - has_dovecot_auth_service_ipv4 == true - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - notify: - - Restart IPv4 Firewall - -# - FTP Service - -- name: Configure main_ipv4.conf (ftp_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*ftp_server_ips=' - line: ftp_server_ips="$ext_1_ip" 
- state: present - when: - - "groups['ftp_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - -# - XMPP Service - -- name: Configure main_ipv4.conf (xmpp_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*xmpp_server_ips=' - line: xmpp_server_ips="$ext_1_ip" - state: present - when: - - "groups['xmpp_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - notify: - - Restart IPv4 Firewall - -- name: Configure main_ipv4.conf (xmmp_remote_out_services) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*xmmp_remote_out_services=' - line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv4 | default(omit) }}"' - state: present - when: - - "groups['xmpp_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - - xmpp_has_dovecot_auth == true - notify: - - Restart IPv4 Firewall - -# - Mumble - -- name: Configure main_ipv4.conf (mumble_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*mumble_server_ips=' - line: mumble_server_ips="$ext_1_ip" - state: present - when: - - "groups['mumble_server']|string is search(inventory_hostname)" - - not main_ipv4_exists.stat.exists - - cp_main_ipv4 is changed - -# - Munin Remote IP - -- name: Configure main_ipv4.conf (munin_remote_ip) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^\s*munin_remote_ip=' - line: 'munin_remote_ip="{{ munin_remote_ipv4 }}"' - state: present - notify: - - Restart IPv4 Firewall - -# --- -# Configure main_ipv6.conf -# --- - -# - Firewall Bridged Traffic ? 
- -- name: Configure main_ipv6.conf (do_not_firewall_bridged_traffic - lxc_host) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*do_not_firewall_bridged_traffic' - line: do_not_firewall_bridged_traffic=true - state: present - when: - - inventory_hostname in groups['lxc_host'] - notify: - - Restart IPv6 Firewall - -- name: Configure main_ipv6.conf (do_not_firewall_bridged_traffic - other) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*do_not_firewall_bridged_traffic' - line: do_not_firewall_bridged_traffic=false - state: present - when: - - inventory_hostname not in groups['lxc_host'] - notify: - - Restart IPv6 Firewall - -# - DNS Service - -- name: Configure main_ipv6.conf (dns_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*dns_server_ips' - line: dns_server_ips="$ext_ips" - state: present - when: - - "groups['dns_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -# - (local) Resolver - -- name: Configure main_ipv6.conf (local_resolver_service) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*local_resolver_service' - line: local_resolver_service=true - state: present - when: - - "groups['local_resolver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -- name: Configure main_ipv6.conf (resolver_allowed_networks) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*resolver_allowed_networks' - line: resolver_allowed_networks="{{ (resolver_allowed_ipv6_networks | join(' ')) | default(omit) }}" - state: present - when: - - "groups['local_resolver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -# - NTP Service - -- name: Configure main_ipv6.conf (local_ntp_service) - 
lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*local_ntp_service' - line: local_ntp_service=true - state: present - when: - - "groups['ntp_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -- name: Configure main_ipv6.conf (ntp_allowed_net) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*local_ntp_service' - line: 'ntp_allowed_net="{{ ntp_allowed_ipv6_net }"' - state: present - when: - - "groups['ntp_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -#- SSH Service - -- name: Configure main_ipv6.conf (ssh_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*ssh_server_ips' - line: ssh_server_ips="$ext_ips" - state: present - when: - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - -# - HTTP Service - -- name: Configure main_ipv6.conf (http_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*http_server_ips=' - line: http_server_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - -# - Mail Client Protocolls - -- name: Configure main_ipv6.conf (mail_client_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mail_client_ips=' - line: mail_client_ips="$ext_1_ip" - state: present - when: - - "groups['apache2_webserver']|string is search(inventory_hostname) or - groups['nginx_webserver']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - -# - Mail Server - -- name: Configure main_ipv6.conf (smtpd_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*smtpd_ips=' - line: 
smtpd_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - -- name: Configure main_ipv6.conf (mail_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mail_server_ips=' - line: mail_server_ips="$ext_1_ip" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - -# - Dovecot auth service - -- name: Configure main_ipv6.conf (dovecot_auth_service) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*dovecot_auth_service=' - line: dovecot_auth_service=true - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - has_dovecot_auth_service_ipv6 == true - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -- name: Configure main_ipv6.conf (dovecot_auth_port) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*dovecot_auth_port=' - line: dovecot_auth_port={{ dovecot_auth_service_port | default(omit) }} - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - has_dovecot_auth_service_ipv6 == true - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -- name: Configure main_ipv6.conf (dovecot_auth_allowed_networks) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*dovecot_auth_allowed_networks=' - line: dovecot_auth_allowed_networks="{{ (dovecot_auth_allowed_network_ipv6 | join(' ')) | default(omit) }}" - state: present - when: - - "groups['mail_server']|string is search(inventory_hostname)" - - has_dovecot_auth_service_ipv6 == true - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - notify: - - Restart IPv6 Firewall - -# - FTP Service - -- name: Configure main_ipv6.conf (ftp_server_ips) - 
lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*ftp_server_ips=' - line: ftp_server_ips="$ext_1_ip" - state: present - when: - - "groups['ftp_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - -# - XMPP Service - -- name: Configure main_ipv6.conf (xmpp_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*xmpp_server_ips=' - line: xmpp_server_ips="$ext_1_ip" - state: present - when: - - "groups['xmpp_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - xmpp_has_dovecot_auth == true - notify: - - Restart IPv6 Firewall - -- name: Configure main_ipv6.conf (xmmp_remote_out_services) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*xmmp_remote_out_services=' - line: 'xmmp_remote_out_services="{{ xmpp_dovecot_auth_service_ipv6 | default(omit) }}"' - state: present - when: - - "groups['xmpp_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - - xmpp_has_dovecot_auth == true - notify: - - Restart IPv6 Firewall - -# - Munmble Service - -- name: Configure main_ipv6.conf (mumble_server_ips) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*mumble_server_ips=' - line: mumble_server_ips="$ext_1_ip" - state: present - when: - - "groups['mumble_server']|string is search(inventory_hostname)" - - not main_ipv6_exists.stat.exists - - cp_main_ipv6 is changed - -# - Munin Remote IP - -- name: Configure main_ipv6.conf (munin_remote_ip) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^\s*munin_remote_ip=' - line: 'munin_remote_ip="{{ munin_remote_ipv6 }}"' - state: present - notify: - - Restart IPv6 Firewall - -# --- -# Host independet configuration files -# --- - -- name: Check if common configuration files are latest - shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} 
/etc/ipt-firewall/{{ item }} > /dev/null 2>&1' - changed_when: "diff_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_output.rc > 2" - when: git_firewall_repository is defined and git_firewall_repository > 0 - loop: - - include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - default_ports.conf - - post_decalrations.conf - register: diff_output - -- name: Ensure common configuration files are latest - command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} - loop: - - include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - default_ports.conf - - post_decalrations.conf - when: - - git_firewall_repository is defined and git_firewall_repository > 0 - - diff_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - -# --- -# Firewall scripts -# --- - -- name: Check if firewall scripts are latest - shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' - changed_when: "diff_script_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_script_output.rc > 2" - when: git_firewall_repository is defined and git_firewall_repository > 0 - loop: - - ipt-firewall-server - - ip6t-firewall-server - register: diff_script_output - -- name: Ensure firewall scripts are latest - command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} - loop: - - ipt-firewall-server - - ip6t-firewall-server - when: - - git_firewall_repository is defined and git_firewall_repository > 0 - - diff_script_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - -# --- -# Install systemd service files ip[6]t-firewall.service -# --- - -- name: Configure firewall systemd service files - template: - src: 
etc/systemd/system/{{ item }}-firewall.service.j2 - dest: /etc/systemd/system/{{ item }}-firewall.service - register: systemd_service_files_installed - with_items: - - ipt - - ip6t - -- name: Enable firewall services IPv4 - systemd: - name: ipt-firewall - state: stopped - enabled: yes - daemon_reload: yes - when: systemd_service_files_installed is changed - register: firewall_service_started - -- name: Enable firewall services IPv6 - systemd: - name: ip6t-firewall - state: stopped - enabled: yes - daemon_reload: yes - when: systemd_service_files_installed is changed - register: firewall_service_started - -- meta: end_host - when: firewall_service_started is changed - -# --- -# Delete unused files -# --- - -- name: Delete file /etc/ipt-firewall/ports.conf - file: - path: /etc/ipt-firewall/ports.conf - state: absent - when: systemd_service_files_installed is changed + - groups['gateway_server']|string is search(inventory_hostname) + tags: + - git-firewall-repository + - ipt-gateway diff --git a/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 index ad2c85f..bf4c372 100644 --- a/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 +++ b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 @@ -1,5 +1,21 @@ # {{ ansible_managed }} +{%- if groups['gateway_server']|string is search(inventory_hostname) %} +[Unit] +Description=IPv6 Firewall with ip6tables +After=network.target + +[Service] +SyslogIdentifier="ip6t-gateway" +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/local/sbin/ip6t-firewall-gateway start +ExecStop=/usr/local/sbin/ip6t-firewall-gateway stop +User=root + +[Install] +WantedBy=multi-user.target +{% else %} [Unit] Description=IPv6 Firewall with ip6tables After=network.target @@ -13,4 +29,5 @@ User=root [Install] WantedBy=multi-user.target +{% endif %} 
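Review bot: In the gateway branch the tag `{%- if groups['gateway_server']|string is search(inventory_hostname) %}` is directly followed by `[Unit]` with no blank line, so under the template module's default `trim_blocks` the leading `-` strips the newline after `# {{ ansible_managed }}` and trim_blocks removes the one after `%}`, and the rendered file most likely reads `# Ansible managed: ...[Unit]` with the section header glued onto the comment line; systemd would then reject `Description=` and `After=` as assignments outside a section and the IPv6 firewall unit would fail to load. The sibling ipt-firewall.service.j2 hunk avoids this by leaving an empty line after the tag; do the same here, or drop the dash and write `{% if ... %}`. Separately, `groups['gateway_server']|string is search(inventory_hostname)` is a substring search on the stringified host list, so a host such as `gw1` also matches a group containing `gw10`, and rendering fails outright when no `gateway_server` group is defined. `{% if inventory_hostname in groups['gateway_server'] | default([]) %}` tests membership exactly and tolerates the missing group.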
diff --git a/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 index ab20b8f..5651238 100644 --- a/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 +++ b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 @@ -1,5 +1,23 @@ # {{ ansible_managed }} +{%- if groups['gateway_server']|string is search(inventory_hostname) %} + +[Unit] +Description=IPv4 Firewall with iptables +After=network.target + +[Service] +SyslogIdentifier="ipt-gateway" +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/local/sbin/ipt-firewall-gateway start +ExecStop=/usr/local/sbin/ipt-firewall-gateway stop +User=root + +[Install] +WantedBy=multi-user.target +{% else %} + [Unit] Description=IPv4 Firewall with iptables After=network.target @@ -13,4 +31,5 @@ User=root [Install] WantedBy=multi-user.target +{% endif %}
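Review bot: The branch condition `groups['gateway_server']|string is search(inventory_hostname)` decides which script becomes `ExecStart`, but it is a substring search on the stringified host list rather than a membership test, so a host named `fw1` in an inventory that also lists a gateway `fw10` would be rendered with `/usr/local/sbin/ipt-firewall-gateway` and load the wrong ruleset; it also raises an undefined-key error when no `gateway_server` group exists. Use `{%- if inventory_hostname in groups['gateway_server'] | default([]) %}` instead. The new unit also orders itself `After=network.target`, the same as the existing unit, which means interfaces are already up before `ipt-firewall-gateway start` runs and a forwarding host has an unfiltered window at boot; `Before=network-pre.target` together with `Wants=network-pre.target` would close it, provided the script does not need configured addresses to build its rules, which is worth confirming against the script.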