update..

roles/modify-ipt-server/tasks/main.yml

@@ -274,6 +274,185 @@
     - Restart IPv6 Firewall
 
 
+# ---
+# Mattermost (MM) Service
+# ---
+
+- name: Check if String 'mm_server_ips=..' is present
+  shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf
+  register: mattermost_service_ipv4_present
+  when: main_ipv4_exists.stat.exists
+  failed_when: "mattermost_service_ipv4_present.rc > 1"
+  changed_when: "mattermost_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service)
+  blockinfile:
+    path: /etc/ipt-firewall/main_ipv4.conf
+    insertafter: '^#?\s*http_ports'
+    block: |
+
+      # - Mattermost (MM) Service
+      # -
+      mm_server_ips=""
+      forward_mm_server_ips=""
+
+      # - UDP Ports IN and OUT used by MM Servive
+      # -
+      mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
+      mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
+
+    marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
+  when:
+    - main_ipv4_exists.stat.exists
+    - mattermost_service_ipv4_present is changed
+  notify:
+    - Restart IPv4 Firewall
+
+
+- name: Check if String 'mm_server_ips=..' is present
+  shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf
+  register: mattermost_service_ipv6_present
+  when: main_ipv6_exists.stat.exists
+  failed_when: "mattermost_service_ipv6_present.rc > 1"
+  changed_when: "mattermost_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service)
+  blockinfile:
+    path: /etc/ipt-firewall/main_ipv6.conf
+    insertafter: '^#?\s*http_ports'
+    block: |
+
+      # - Mattermost (MM) Service
+      # -
+      mm_server_ips=""
+      forward_mm_server_ips=""
+
+      # - UDP Ports IN and OUT used by MM Servive
+      # -
+      mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
+      mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
+
+    marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
+  when:
+    - main_ipv6_exists.stat.exists
+    - mattermost_service_ipv6_present is changed
+  notify:
+    - Restart IPv6 Firewall
+
+
+
+# ---
+# Protection against and Limit Connections settings
+# ---
+
+- name: Check if String 'protection_against_syn_flooding=..' is present
+  shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv4.conf
+  register: protect_settings_ipv4_present
+  when: main_ipv4_exists.stat.exists
+  failed_when: "protect_settings_ipv4_present.rc > 1"
+  changed_when: "protect_settings_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings)
+  blockinfile:
+    path: /etc/ipt-firewall/main_ipv4.conf
+    insertafter: '^#?\s*create_iperf_rules'
+    block: |
+
+      # -------------
+      # - Protection against ...
+      # -------------
+
+      # - Protection against syn-flooding
+      # -
+      protection_against_syn_flooding=true
+
+      # - Protection against port scanning
+      # -
+      protection_against_port_scanning=true
+
+      # - Protection against SSH brute-force attacks
+      # -
+      protection_against_ssh_brute_force_attacks=true
+
+
+      # -------------
+      # - Limit Connections
+      # -------------
+
+      # - Limit connections per source IP
+      # -
+      limit_connections_per_source_IP=true
+
+      # - Limit RST packets
+      # -
+      limit_rst_packets=true
+
+      # - Limit new TCP connections per second per source IP
+      # -
+      limit_new_tcp_connections_per_seconds_per_source_IP=true
+
+    marker: "# Marker set by modify-ipt-server.yml (protect_settings)"
+  when:
+    - main_ipv4_exists.stat.exists
+    - protect_settings_ipv4_present is changed
+  notify:
+    - Restart IPv4 Firewall
+
+
+- name: Check if String 'protection_against_syn_flooding=..' is present
+  shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv6.conf
+  register: protect_settings_ipv6_present
+  when: main_ipv6_exists.stat.exists
+  failed_when: "protect_settings_ipv6_present.rc > 1"
+  changed_when: "protect_settings_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings)
+  blockinfile:
+    path: /etc/ipt-firewall/main_ipv6.conf
+    insertafter: '^#?\s*create_iperf_rules'
+    block: |
+
+      # -------------
+      # - Protection against ...
+      # -------------
+
+      # - Protection against syn-flooding
+      # -
+      protection_against_syn_flooding=true
+
+      # - Protection against port scanning
+      # -
+      protection_against_port_scanning=true
+
+      # - Protection against SSH brute-force attacks
+      # -
+      protection_against_ssh_brute_force_attacks=true
+
+
+      # -------------
+      # - Limit Connections
+      # -------------
+
+      # - Limit connections per source IP
+      # -
+      limit_connections_per_source_IP=true
+
+      # - Limit RST packets
+      # -
+      limit_rst_packets=true
+
+      # - Limit new TCP connections per second per source IP
+      # -
+      limit_new_tcp_connections_per_seconds_per_source_IP=true
+
+    marker: "# Marker set by modify-ipt-server.yml (protect_settings)"
+  when:
+    - main_ipv6_exists.stat.exists
+    - protect_settings_ipv6_present is changed
+  notify:
+    - Restart IPv6 Firewall
+
+
 # ===
 # Remove Marker set by blockinfile
 # ===