role firewall: add support for installation of gateway firewall - maybe not realy usable..

2021-04-01 15:57:48 +02:00
parent 76fb3c68ac
commit 529e115716
6 changed files with 2344 additions and 1878 deletions
--- a/roles/firewall/tasks/ipt-gateway.yml
+++ b/roles/firewall/tasks/ipt-gateway.yml
@ -0,0 +1,283 @@
+---
+#  # ---
+#  # - Check if firewall repository exist
+#  # ---
+#
+#  - name: (ipt-gateway.yml) Check if firewall repository exist
+#    stat:
+#      path: '{{ git_firewall_repository.dest }}'
+#    register: git_firewall_repository_exists
+#
+#  - meta: end_host
+#    when: not git_firewall_repository_exists.stat.exists
+
+# ---
+# Create firewall config directory '/etc/ipt/firewall' if not exists
+# ---
+
+- name: (ipt-gateway.yml) Install/update firewall repository
+  git:
+    repo: '{{ git_firewall_repository.repo }}'
+    dest: '{{ git_firewall_repository.dest }}'
+  when: git_firewall_repository is defined and git_firewall_repository|length > 0
+  tags:
+    - git-firewall-repository
+
+# Exit if no firewall repository variable exists or is empty
+#
+- meta: end_host
+  when: git_firewall_repository is not defined or git_firewall_repository|length < 1
+
+- name: (ipt-gateway.yml) Create directory /etc/ipt-firewall if not exists
+  file:
+    path: /etc/ipt-firewall
+    state: directory
+
+# ---
+# Check presence of files
+# ---
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv4.conf
+  register: interfaces_ipv4_exists
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv6.conf
+  register: interfaces_ipv6_exists
+
+- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv4.conf
+  register: main_ipv4_exists
+
+- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv6.conf
+  register: main_ipv6_exists
+
+- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/ban_ipv4.list are present
+  stat:
+    path: /etc/ipt-firewall/ban_ipv4.list
+  register: ban_ipv4_exists
+
+# ---
+# Get information about network devices
+# ---
+
+- name: (ipt-gateway.yml) define traditional ethernet facts
+  set_fact:
+    ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+  when: 
+    - not interfaces_ipv4_exists.stat.exists
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
+    - inventory_hostname not in groups['lxc_host']|string
+  with_items:
+    - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: (ipt-gateway.yml) define traditional bridge facts
+  set_fact:
+    ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
+  when: 
+    - not interfaces_ipv4_exists.stat.exists
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
+    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
+    - "groups['lxc_host']|string is search(inventory_hostname)"
+  with_items:
+    - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+
+- name: (ipt-gateway.yml) Debug message IPv4
+  debug:
+     msg: 
+       - "index: {{ idx + 1 }}"
+       - "device: {{ item.device }}"
+       - "ipv4-address: {{ item.ipv4.address }}"
+  loop: "{{ ansible_netdev }}"
+  loop_control:
+    label: "{{ item.device }}"
+    index_var: idx
+  when:
+    - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+- name: (ipt-gateway.yml) Debug message IPv6
+  debug:
+     msg: 
+       - "index: {{ idx + 1 }}"
+       - "device: {{ item.device }}"
+       - "ipv6-address: {{ item.ipv6.0.address }}{{ (item.ipv6.1.address is match 'f.*') | ternary('', ' ' + item.ipv6.1.address) }}"
+  loop: "{{ ansible_netdev }}"
+  loop_control:
+    label: "{{ item.device }}"
+    index_var: idx
+  when:
+    - item.default_ipv6 is defined and item.default_ipv6|length > 0
+    - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0
+
+#- meta: end_host
+
+# ---
+# Get sshd ports
+# ---
+
+- name: (ipt-gateway.yml) Get sshd ports as blank separated list
+  set_fact:
+    fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
+  when: 
+    - sshd_ports is defined and sshd_ports | length > 0
+    - sshd_ports|join() != "22"
+
+- name: (ipt-gateway.yml) Set default sshd ports
+  set_fact:
+    fw_sshd_ports: "$standard_ssh_port"
+  when: 
+    - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"
+
+# ===
+# Update/Modify firewall
+# ===
+
+# ---
+# Host specific configuration files
+# ---
+
+# /etc/ipt-firewall/interfaces_ipv[4|6].conf
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
+  command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample  /etc/ipt-firewall/interfaces_ipv4.conf
+  when: not interfaces_ipv4_exists.stat.exists
+  register: new_interfaces_ipv4
+
+
+- name: (ipt-gateway.yml) Configure interfaces_ipv4.conf 1/2
+  lineinfile:
+    path: /etc/ipt-firewall/interfaces_ipv4.conf
+    regexp: 'local_if_1='
+    line: 'local_if_1="{{ item.device }}"' 
+  register: interfaces_ipv4_device
+  loop: "{{ ansible_netdev }}"
+  loop_control:
+    label: "{{ item.device }}"
+  until:
+    - interfaces_ipv4_device is changed
+  when: 
+    - not interfaces_ipv4_exists.stat.exists
+    - new_interfaces_ipv4 is changed
+    - item.ipv4.address is defined and item.ipv4.address|length > 0
+
+# /etc/ipt-firewall/ban_ipv[4|6].list
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
+  command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample  /etc/ipt-firewall/ban_ipv4.list
+  when: not ban_ipv4_exists.stat.exists
+
+# /etc/ipt-firewall/main_ipv[4|6].conf
+#
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
+  command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample  /etc/ipt-firewall/main_ipv4.conf
+  when: not main_ipv4_exists.stat.exists
+  register: cp_main_ipv4
+
+- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
+  command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample  /etc/ipt-firewall/main_ipv6.conf
+  when: not main_ipv6_exists.stat.exists
+  register: cp_main_ipv6
+
+# ---
+# Host independet configuration files
+# ---
+
+- name: (ipt-gateway.yml) Check if common configuration files are latest
+  shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
+  changed_when: "diff_output.rc > 0"
+  # diff_output.rc
+  #    0  -> unchanged
+  #    1  -> changed
+  #    2  -> not present
+  failed_when: "diff_output.rc > 2"
+  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+  loop:
+     - include_functions.conf
+     - load_modules_ipv4.conf
+     - load_modules_ipv6.conf
+     - logging_ipv4.conf
+     - logging_ipv6.conf
+     - default_ports.conf
+     - post_decalrations.conf
+  register: diff_output
+
+- name: (ipt-gateway.yml) Ensure common configuration files are latest
+  command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
+  loop:
+     - include_functions.conf
+     - load_modules_ipv4.conf
+     - load_modules_ipv6.conf
+     - logging_ipv4.conf
+     - logging_ipv6.conf
+     - default_ports.conf
+     - post_decalrations.conf
+  when:
+    - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+    - diff_output.changed
+
+# ---
+# Firewall scripts
+# ---
+
+- name: (ipt-gateway.yml) Check if firewall scripts are latest
+  shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+  changed_when: "diff_script_output.rc > 0"
+  # diff_output.rc
+  #    0  -> unchanged
+  #    1  -> changed
+  #    2  -> not present
+  failed_when: "diff_script_output.rc > 2"
+  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+  loop:
+     - ipt-firewall-gateway
+     - ip6t-firewall-gateway
+  register: diff_script_output
+
+- name: (ipt-gateway.yml) Ensure firewall scripts are latest
+  command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+  loop:
+     - ipt-firewall-gateway
+     - ip6t-firewall-gateway
+  when:
+    - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
+    - diff_script_output.changed
+
+# ---
+# Install systemd service files  ip[6]t-firewall.service
+# ---
+
+- name: (ipt-gateway.yml) Configure firewall systemd service files
+  template:
+    src: etc/systemd/system/{{ item }}-firewall.service.j2
+    dest: /etc/systemd/system/{{ item }}-firewall.service
+  register: systemd_service_files_installed
+  with_items:
+     - ipt
+     - ip6t
+
+- name: (ipt-gateway.yml) Enable firewall services IPv4
+  systemd:
+    name: (ipt-gateway.yml) ipt-firewall
+    state: stopped
+    enabled: yes
+    daemon_reload: yes
+  when: systemd_service_files_installed is changed
+  register: firewall_service_started
+
+- name: (ipt-gateway.yml) Enable firewall services IPv6
+  systemd:
+    name: (ipt-gateway.yml) ip6t-firewall
+    state: stopped
+    enabled: yes
+    daemon_reload: yes
+  when: systemd_service_files_installed is changed
+  register: firewall_service_started
+
+- meta: end_host
+  when: firewall_service_started is changed
--- a/roles/firewall/tasks/ipt-server.yml
+++ b/roles/firewall/tasks/ipt-server.yml
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
--- a/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2
+++ b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2
@ -1,5 +1,21 @@
 # {{ ansible_managed }}

+{%- if groups['gateway_server']|string is search(inventory_hostname) %}
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+SyslogIdentifier="ip6t-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-gateway start
+ExecStop=/usr/local/sbin/ip6t-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+{% else %}
 [Unit]
 Description=IPv6 Firewall with ip6tables
 After=network.target
@ -13,4 +29,5 @@ User=root

 [Install]
 WantedBy=multi-user.target
+{% endif %}

--- a/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2
+++ b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2
@ -1,5 +1,23 @@
 # {{ ansible_managed }}

+{%- if groups['gateway_server']|string is search(inventory_hostname) %}
+
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+SyslogIdentifier="ipt-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-gateway start
+ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+{% else %}
+
 [Unit]
 Description=IPv4 Firewall with iptables
 After=network.target
@ -13,4 +31,5 @@ User=root

 [Install]
 WantedBy=multi-user.target
+{% endif %}