From d604f3508e7c0fe187f1ae45070616230bd0fb7b Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 3 May 2023 12:32:35 +0200 Subject: [PATCH] update.. --- hosts | 45 +- roles/firewall/tasks/main.yml | 6 +- roles/modify-ipt-server/tasks/ipt-server.yml | 593 +++++++++++++++++++ roles/modify-ipt-server/tasks/main.yml | 572 +----------------- 4 files changed, 616 insertions(+), 600 deletions(-) create mode 100644 roles/modify-ipt-server/tasks/ipt-server.yml diff --git a/hosts b/hosts index 393ac93..bc8bd2c 100644 --- a/hosts +++ b/hosts @@ -14,6 +14,12 @@ rage.so36.net ansible_user=ckubu #kvm05.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 #kvm13.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 +[no_ipt_firewall] + +lxc-host-kb.anw-kb.netz +o33.oopen.de +o25.oopen.de + [dns_sinma] @@ -122,13 +128,11 @@ o13-web.oopen.de o17.oopen.de test.mx.oopen.de -meet2.oopen.de o18.oopen.de o20.oopen.de -o21.oopen.de o31.oopen.de mail.cadus.org web.cadus.org @@ -170,7 +174,7 @@ o28.oopen.de # - o29.oopen.de Backup Server o29.oopen.de backup.oopen.de -gitea.oopen.de +git.oopen.de # AK - Server Nextcloud/Jitsi Meet o30.oopen.de @@ -277,14 +281,12 @@ o13-web.oopen.de o17.oopen.de test.mx.oopen.de test.mariadb.oopen.de -meet2.oopen.de o18.oopen.de # - o20.oopen.de (srv-cityslang.cityslang.com) o20.oopen.de -o21.oopen.de o31.oopen.de mail.cadus.org web.cadus.org @@ -330,9 +332,7 @@ o28.oopen.de o29.oopen.de backup.oopen.de git.oopen.de -gitea.oopen.de munin.oopen.de -nscache.oopen.de # AK - Server Nextcloud/Jitsi Meet o30.oopen.de @@ -496,7 +496,6 @@ munin.oopen.de # o20.oopen.de (srv-cityslang.cityslang.com) o20.oopen.de -# o21.oopen.de # o31.oopen.de web.cadus.org wiki.cadus.org @@ -645,7 +644,6 @@ o13-board.oopen.de o13-pad.oopen.de # o17.oopen.de -meet2.oopen.de # o23.oopen.de cp-01.oopen.de @@ -697,7 +695,6 @@ initiativenserver.oopen.de o13-web.oopen.de -# o21.oopen.de # o31.oopen.de web.cadus.org wiki.cadus.org 
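Review bot: The new `[no_ipt_firewall]` group carries no comment saying why lxc-host-kb.anw-kb.netz, o33.oopen.de and o25.oopen.de are exempted, yet membership here means neither ipt-server.yml nor ipt-gateway.yml is imported for them (both conditions in roles/firewall/tasks/main.yml test it), i.e. Ansible stops managing any packet filter on those hosts. Other groups in this inventory annotate hosts (`# - o29.oopen.de Backup Server`); do the same here and name the control that replaces the firewall, e.g. `# Hosts whose packet filter is NOT managed by the ipt-firewall roles - state the replacement (LXC host / upstream gateway) per host before adding one`. Presumably the LXC host is filtered by its own ruleset, but that is not visible from the inventory, and an exemption from a security control should be auditable from the file that grants it.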
@@ -751,7 +748,6 @@ o13-schleuder.oopen.de # o17.oopen.de test.mx.oopen.de -# o21.oopen.de # o31.oopen.de mail.cadus.org @@ -864,11 +860,6 @@ test.mariadb.oopen.de # o20.oopen.de (srv-cityslang.cityslang.com) o20.oopen.de -# o21.oopen.de -web.cadus.org -wiki.cadus.org -mail.cadus.org - # o22.oopen.de oolm-db-dev.oopen.de oolm-db.oopen.de @@ -898,6 +889,11 @@ backup.oopen.de # o30.oopen.de - AK server Jitsi Meet/Nextcloud cloud.akweb.de +# o31.oopen.de +web.cadus.org +wiki.cadus.org +mail.cadus.org + # etventure o32.oopen.de @@ -1026,9 +1022,7 @@ o13-mail.oopen.de test.mx.oopen.de # o29.oopen.de -nscache.oopen.de -# o21.oopen.de # o31.oopen.de mail.cadus.org @@ -1144,7 +1138,6 @@ file-fhxb.fhxb.netz # Not usefull for gateways of office networks # [local_resolver] -nscache.oopen.de [ntp_server] @@ -1155,7 +1148,6 @@ nscache.oopen.de [jitsi_meet_server] # o17.oopen.de -meet2.oopen.de # o23.oopen.de meet.oopen.de @@ -1186,7 +1178,6 @@ o13.oopen.de o17.oopen.de o18.oopen.de #o20.oopen.de -o21.oopen.de o22.oopen.de o23.oopen.de o24.oopen.de @@ -1257,9 +1248,7 @@ o13-web.oopen.de # - o17.oopen.de test.mx.oopen.de test.mariadb.oopen.de -meet2.oopen.de -# - o21.oopen.de # - o31.oopen.de mail.cadus.org web.cadus.org @@ -1294,9 +1283,7 @@ o26.oopen.de # o29.oopen.de backup.oopen.de git.oopen.de -gitea.oopen.de munin.oopen.de -nscache.oopen.de # o30.oopen.de - AK Server Nextcloud/Jitsi Meet meet.akweb.de @@ -1424,14 +1411,11 @@ o13-web.oopen.de o17.oopen.de test.mx.oopen.de test.mariadb.oopen.de -meet2.oopen.de # - o20.oopen.de (srv-cityslang.cityslang.com) o20.oopen.de -# - o21.oopen.de # - o31.oopen.de -o21.oopen.de o31.oopen.de mail.cadus.org web.cadus.org @@ -1477,8 +1461,6 @@ o28.oopen.de o29.oopen.de backup.oopen.de git.oopen.de -gitea.oopen.de -nscache.oopen.de munin.oopen.de # AK - Server Nextcloud/Jitsi Meet @@ -1506,6 +1488,7 @@ d.mx.oopen.de a.mx.oopen.de # o36 - b.mx, web-01, web-03,-- +o36.oopen.de b.mx.oopen.de matomo-01.oopen.de web-03.oopen.de 
@@ -1569,8 +1552,6 @@ gateway_server_ro gateway_server_rw - - [warenform_server] # server18 diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml index 82b4bfb..5be151b 100644 --- a/roles/firewall/tasks/main.yml +++ b/roles/firewall/tasks/main.yml @@ -5,7 +5,8 @@ # apt-caching-nameserver - import_tasks: ipt-server.yml when: - - groups['gateway_server']|string is not search(inventory_hostname) + - inventory_hostname not in groups['gateway_server'] + - inventory_hostname not in groups['no_ipt_firewall'] tags: - git-firewall-repository - ipt-server @@ -13,7 +14,8 @@ - import_tasks: ipt-gateway.yml when: - - groups['gateway_server']|string is search(inventory_hostname) + - inventory_hostname in groups['gateway_server'] + - inventory_hostname not in groups['no_ipt_firewall'] tags: - git-firewall-repository - ipt-gateway diff --git a/roles/modify-ipt-server/tasks/ipt-server.yml b/roles/modify-ipt-server/tasks/ipt-server.yml new file mode 100644 index 0000000..e978d27 --- /dev/null +++ b/roles/modify-ipt-server/tasks/ipt-server.yml 
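Review bot: Both new conditions index `groups['no_ipt_firewall']` directly, so running this role with an inventory that lacks that group (another hosts file, or a trimmed one) aborts with an undefined-key error before any task runs, for gateway and non-gateway hosts alike. Use `inventory_hostname not in groups.get('no_ipt_firewall', [])` in both hunks so a missing group simply means no exemptions, which is the safe direction to fail. The move from `|string is search(inventory_hostname)` to a list membership test is a genuine fix - the old form was a regex/substring match over the joined group, so a name such as `mx.oopen.de` would also have matched `test.mx.oopen.de` - and deserves a mention in the commit message instead of "update..".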
@@ -0,0 +1,593 @@ +--- + +# === +# Install/Uodate git firewall repository +# === + +#- meta: end_play +# when: +# - inventory_hostname in groups['gateway_server'] or inventory_hostname in groups['no_ipt_firewall'] or git_firewall_repository is not defined or git_firewall_repository|length < 1 + + +- name: Install/update firewall repository + git: + repo: '{{ git_firewall_repository.repo }}' + dest: '{{ git_firewall_repository.dest }}' + when: git_firewall_repository is defined and git_firewall_repository|length > 0 + + +# === +# Some Checks +# === + +- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + +- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + +- name: Check if file '/etc/ipt-firewall/interfaces_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/interfaces_ipv6.conf + register: interfaces_ipv6_exists + +- name: Check if file '/etc/ipt-firewall/interfaces_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/interfaces_ipv4.conf + register: interfaces_ipv4_exists + +- name: Check if file '/etc/munin/munin-node.conf' exists + stat: + path: /etc/munin/munin-node.conf + register: munin_node_exists + + +# === +# Adjust/Correct some values.. 
+# === + +- name: addjust line 'munin_remote_ip' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^munin_remote_ip=' + line: 'munin_remote_ip="{{ munin_remote_ipv4 }}"' + when: + - main_ipv4_exists.stat.exists + notify: + - Restart IPv4 Firewall + +- name: addjust line 'munin_remote_ip' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^munin_remote_ip=' + line: 'munin_remote_ip="{{ munin_remote_ipv6 }}"' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'vpn_ifs' (IPv4) + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^vpn_ifs=' + line: 'vpn_ifs="tun+"' + when: + - interfaces_ipv4_exists.stat.exists + notify: + - Restart IPv4 Firewall + +- name: addjust line 'vpn_ifs' (IPv6) + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^vpn_ifs=' + line: 'vpn_ifs="tun+"' + when: + - interfaces_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + + +# === +# Add some Code Block. +# === + +# --- +# Wireguard Service +# --- + +- name: Check if String 'wg_ifs=..' is present in interfaces_ipv4.conf + shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf + register: wg_ifs_interfaces_ipv4_present + when: interfaces_ipv4_exists.stat.exists + failed_when: "wg_ifs_interfaces_ipv4_present.rc > 1" + changed_when: "wg_ifs_interfaces_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + insertafter: '^#?\s*vpn_ifs' + block: | + + # - Wireguard Interfaces + # - (comma separated list 'wg+' is also possible) + wg_ifs="wg+" + + marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" + when: + - interfaces_ipv4_exists.stat.exists + - wg_ifs_interfaces_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + +- name: Check if String 'wg_ifs=..' 
is present in interfaces_ipv6.conf + shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf + register: wg_ifs_interfaces_ipv6_present + when: interfaces_ipv6_exists.stat.exists + failed_when: "wg_ifs_interfaces_ipv6_present.rc > 1" + changed_when: "wg_ifs_interfaces_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + insertafter: '^#?\s*vpn_ifs' + block: | + + # - Wireguard Interfaces + # - (comma separated list 'wg+' is also possible) + wg_ifs="wg+" + + marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" + when: + - interfaces_ipv6_exists.stat.exists + - wg_ifs_interfaces_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + + +- name: Check if String 'lxc_guest_ips=..' is present in interfaces_ipv4.conf + shell: grep -q -E "^lxc_guest_ips=" /etc/ipt-firewall/interfaces_ipv4.conf + register: lxc_guest_ips_interfaces_ipv4_present + when: interfaces_ipv4_exists.stat.exists + failed_when: "lxc_guest_ips_interfaces_ipv4_present.rc > 1" + changed_when: "lxc_guest_ips_interfaces_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (lxc_guest_ips) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + insertafter: '^#?\s*local_3_ip' + block: | + local_ips="$local_1_ip $local_2_ip $local_3_ip" + + + # ------------- + # --- IP-Addresses LXC Guest sSystems + # ------------- + + # for _guest in $(lxc-ls) ; do echo ; lxc-info -n $_guest | grep -E "(IP:|Name:)" ; done + + # NOT IN USE + lxc_guest_1_ip="" + # NOT IN USE + lxc_guest_2_ip="" + # NOT IN USE + lxc_guest_3_ip="" + # NOT IN USE + lxc_guest_4_ip="" + # NOT IN USE + lxc_guest_5_ip="" + # NOT IN USE + lxc_guest_6_ip="" + # NOT IN USE + lxc_guest_7_ip="" + + lxc_guest_ips="$lxc_guest_1_ip $lxc_guest_2_ip $lxc_guest_3_ip $lxc_guest_4_ip $lxc_guest_5_ip $lxc_guest_6_ip $lxc_guest_7_ip" + + marker: "# Marker set by modify-ipt-server.yml 
(lxc_guest_ips)" + when: + - interfaces_ipv4_exists.stat.exists + - lxc_guest_ips_interfaces_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + +- name: Check if String 'lxc_guest_ips=..' is present in interfaces_ipv6.conf + shell: grep -q -E "^lxc_guest_ips=" /etc/ipt-firewall/interfaces_ipv6.conf + register: lxc_guest_ips_interfaces_ipv6_present + when: interfaces_ipv6_exists.stat.exists + failed_when: "lxc_guest_ips_interfaces_ipv6_present.rc > 1" + changed_when: "lxc_guest_ips_interfaces_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (lxc_guest_ips) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + insertafter: '^#?\s*local_3_ip' + block: | + local_ips="$local_1_ip $local_2_ip $local_3_ip" + + + # ------------- + # --- IP-Addresses LXC Guest sSystems + # ------------- + + # for _guest in $(lxc-ls) ; do echo ; lxc-info -n $_guest | grep -E "(IP:|Name:)" ; done + + # NOT IN USE + lxc_guest_1_ip="" + # NOT IN USE + lxc_guest_2_ip="" + # NOT IN USE + lxc_guest_3_ip="" + # NOT IN USE + lxc_guest_4_ip="" + # NOT IN USE + lxc_guest_5_ip="" + # NOT IN USE + lxc_guest_6_ip="" + # NOT IN USE + lxc_guest_7_ip="" + + lxc_guest_ips="$lxc_guest_1_ip $lxc_guest_2_ip $lxc_guest_3_ip $lxc_guest_4_ip $lxc_guest_5_ip $lxc_guest_6_ip $lxc_guest_7_ip" + + marker: "# Marker set by modify-ipt-server.yml (lxc_guest_ips)" + when: + - interfaces_ipv6_exists.stat.exists + - lxc_guest_ips_interfaces_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + +- name: Check if String 'do_not_firewall_lx_guest_systems=..' 
is present + shell: grep -q -E "^do_not_firewall_lx_guest_systems=" /etc/ipt-firewall/main_ipv4.conf + register: wireguard_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "wireguard_service_ipv4_present.rc > 1" + changed_when: "wireguard_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (do_not_firewall_lx_guest_systems) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*do_not_firewall_bridged_traffic' + block: | + + # ------------- + # --- Do not firewall traffic from and to LX Gust Systems + # ------------- + + # - Traffic to hosted LX containers are not firewalled here. + # - + do_not_firewall_lx_guest_systems=false + marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" + when: + - main_ipv4_exists.stat.exists + - wireguard_service_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + +- name: Check if String 'do_not_firewall_lx_guest_systems=..' is present + shell: grep -q -E "^do_not_firewall_lx_guest_systems=" /etc/ipt-firewall/main_ipv6.conf + register: wireguard_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "wireguard_service_ipv6_present.rc > 1" + changed_when: "wireguard_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (do_not_firewall_lx_guest_systems) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*do_not_firewall_bridged_traffic' + block: | + + # ------------- + # --- Do not firewall traffic from and to LX Gust Systems + # ------------- + + # - Traffic to hosted LX containers are not firewalled here. + # - + do_not_firewall_lx_guest_systems=false + marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" + when: + - main_ipv6_exists.stat.exists + - wireguard_service_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + +# --- +# Mattermost (MM) Service +# --- + +- name: Check if String 'mm_server_ips=..' 
is present + shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf + register: mattermost_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "mattermost_service_ipv4_present.rc > 1" + changed_when: "mattermost_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*http_ports' + block: | + + # - Mattermost (MM) Service + # - + mm_server_ips="" + forward_mm_server_ips="" + + # - UDP Ports IN and OUT used by MM Servive + # - + mm_udp_ports_in="$stansard_mattermost_udp_ports_in" + mm_udp_ports_out="$stansard_mattermost_udp_ports_out" + + marker: "# Marker set by modify-ipt-server.yml (mattermost_service)" + when: + - main_ipv4_exists.stat.exists + - mattermost_service_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + +- name: Check if String 'mm_server_ips=..' is present + shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf + register: mattermost_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "mattermost_service_ipv6_present.rc > 1" + changed_when: "mattermost_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*http_ports' + block: | + + # - Mattermost (MM) Service + # - + mm_server_ips="" + forward_mm_server_ips="" + + # - UDP Ports IN and OUT used by MM Servive + # - + mm_udp_ports_in="$stansard_mattermost_udp_ports_in" + mm_udp_ports_out="$stansard_mattermost_udp_ports_out" + + marker: "# Marker set by modify-ipt-server.yml (mattermost_service)" + when: + - main_ipv6_exists.stat.exists + - mattermost_service_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + + +# --- +# Protection against and Limit Connections settings +# --- + +- name: Check if String 'protection_against_syn_flooding=..' 
is present + shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv4.conf + register: protect_settings_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "protect_settings_ipv4_present.rc > 1" + changed_when: "protect_settings_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*create_iperf_rules' + block: | + + # ------------- + # - Protection against ... + # ------------- + + # - Protection against syn-flooding + # - + protection_against_syn_flooding=true + + # - Protection against port scanning + # - + protection_against_port_scanning=true + + # - Protection against SSH brute-force attacks + # - + protection_against_ssh_brute_force_attacks=true + + + # ------------- + # - Limit Connections + # ------------- + + # - Limit connections per source IP + # - + limit_connections_per_source_IP=true + + # - Limit RST packets + # - + limit_rst_packets=true + + # - Limit new TCP connections per second per source IP + # - + limit_new_tcp_connections_per_seconds_per_source_IP=true + + marker: "# Marker set by modify-ipt-server.yml (protect_settings)" + when: + - main_ipv4_exists.stat.exists + - protect_settings_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + +- name: Check if String 'protection_against_syn_flooding=..' is present + shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv6.conf + register: protect_settings_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "protect_settings_ipv6_present.rc > 1" + changed_when: "protect_settings_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*create_iperf_rules' + block: | + + # ------------- + # - Protection against ... 
+ # ------------- + + # - Protection against syn-flooding + # - + protection_against_syn_flooding=true + + # - Protection against port scanning + # - + protection_against_port_scanning=true + + # - Protection against SSH brute-force attacks + # - + protection_against_ssh_brute_force_attacks=true + + + # ------------- + # - Limit Connections + # ------------- + + # - Limit connections per source IP + # - + limit_connections_per_source_IP=true + + # - Limit RST packets + # - + limit_rst_packets=true + + # - Limit new TCP connections per second per source IP + # - + limit_new_tcp_connections_per_seconds_per_source_IP=true + + marker: "# Marker set by modify-ipt-server.yml (protect_settings)" + when: + - main_ipv6_exists.stat.exists + - protect_settings_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + +# === +# Remove Marker set by blockinfile +# === + +- name: Remove marker IPv4 + replace : + path: /etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + +- name: Remove marker IPv6 + replace : + path: /etc/ipt-firewall/main_ipv6.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists + +- name: Remove marker IPv4 from interfaces_ipv4.conf + replace : + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + when: + - interfaces_ipv4_exists.stat.exists + +- name: Remove marker IPv6 from interfaces_ipv6.conf + replace : + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + when: + - interfaces_ipv6_exists.stat.exists + +# === +# Confiuration Files +# 
=== + +- name: Check if configuration files are latest + shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1' + changed_when: "diff_script_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + # 1 -> changed + # 2 -> not present + failed_when: "diff_script_output.rc > 2" + when: + - git_firewall_repository is defined and git_firewall_repository|length > 0 + loop: + - default_ports.conf + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - logging_ipv4.conf + - logging_ipv6.conf + - post_decalrations.conf + register: diff_script_output + +- name: Ensure configuration files are latest + command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} + loop: + - default_ports.conf + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - logging_ipv4.conf + - logging_ipv6.conf + - post_decalrations.conf + when: + - git_firewall_repository is defined and git_firewall_repository|length > 0 + - diff_script_output.changed + notify: + - Restart IPv4 Firewall + - Restart IPv6 Firewall + +# === +# Firewall scripts +# === + +- name: Check if firewall scripts are latest + shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' + changed_when: "diff_script_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + # 1 -> changed + # 2 -> not present + failed_when: "diff_script_output.rc > 2" + when: + - git_firewall_repository is defined and git_firewall_repository|length > 0 + loop: + - ipt-firewall-server + - ip6t-firewall-server + register: diff_script_output + +- name: Ensure firewall scripts are latest + command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} + loop: + - ipt-firewall-server + - ip6t-firewall-server + when: + - git_firewall_repository is defined and git_firewall_repository|length > 0 + - diff_script_output.changed + notify: + - Restart IPv4 
Firewall + - Restart IPv6 Firewall + diff --git a/roles/modify-ipt-server/tasks/main.yml b/roles/modify-ipt-server/tasks/main.yml index caa7e93..f892886 100644 --- a/roles/modify-ipt-server/tasks/main.yml +++ b/roles/modify-ipt-server/tasks/main.yml 
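Review bot: The firewall scripts and conf files reach /usr/local/sbin and /etc/ipt-firewall straight from an unpinned `git:` clone (no `version:`, so whatever the remote's default branch currently points at), copied by a bare `command: cp` that leaves owner and mode to whatever the checkout had, after which the notified handlers restart the firewall - a compromised or mistakenly pushed commit on that repository becomes root-executed packet-filter logic on every server in one run. Pin the checkout with `version: '{{ git_firewall_repository.version | default("HEAD") }}'` so a tag or commit can be set per inventory, and replace the two `cp` tasks with the `copy` module (`remote_src: true`, explicit `owner`/`group`/`mode`), which also makes the preceding `diff` check tasks unnecessary because `copy` reports changed only when content differs. Separately, the Mattermost blocks write `$stansard_mattermost_udp_ports_in`/`_out` while every other default referenced in this role is spelled `standard_` (`$standard_wireguard_port` in the removed main.yml); if default_ports.conf defines the `standard_` names, the inserted lines silently set both port lists to empty strings, so verify the spelling against that file. The third check/adjust pair still registers `wireguard_service_ipv4_present` and uses the `(wireguard_service)` marker although it now handles `do_not_firewall_lx_guest_systems`; rename both so the task names, registers and markers agree.
```yaml
- name: Install/update firewall repository
  git:
    repo: '{{ git_firewall_repository.repo }}'
    dest: '{{ git_firewall_repository.dest }}'
    # Pin to a tag/commit set in inventory; HEAD only as an explicit fallback.
    version: '{{ git_firewall_repository.version | default("HEAD") }}'
  when: git_firewall_repository is defined and git_firewall_repository|length > 0

# … unchanged: stat checks, lineinfile/blockinfile adjustments, marker removal, conf file sync …

- name: Ensure firewall scripts are latest
  copy:
    src: '{{ git_firewall_repository.dest }}/{{ item }}'
    dest: '/usr/local/sbin/{{ item }}'
    remote_src: true
    owner: root
    group: root
    mode: '0750'
  loop:
    - ipt-firewall-server
    - ip6t-firewall-server
  when:
    - git_firewall_repository is defined and git_firewall_repository|length > 0
  notify:
    - Restart IPv4 Firewall
    - Restart IPv6 Firewall
```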
@@ -1,569 +1,9 @@ --- -# === -# Install/Uodate git firewall repository -# === - -- meta: end_play - when: git_firewall_repository is not defined or git_firewall_repository|length < 1 - - -- name: Install/update firewall repository - git: - repo: '{{ git_firewall_repository.repo }}' - dest: '{{ git_firewall_repository.dest }}' - when: git_firewall_repository is defined and git_firewall_repository|length > 0 - - -# === -# Some Checks -# === - -- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv6.conf - register: main_ipv6_exists - -- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv4.conf - register: main_ipv4_exists - -- name: Check if file '/etc/ipt-firewall/interfaces_ipv6.conf' exists - stat: - path: /etc/ipt-firewall/interfaces_ipv6.conf - register: interfaces_ipv6_exists - -- name: Check if file '/etc/ipt-firewall/interfaces_ipv4.conf' exists - stat: - path: /etc/ipt-firewall/interfaces_ipv4.conf - register: interfaces_ipv4_exists - -- name: Check if file '/etc/munin/munin-node.conf' exists - stat: - path: /etc/munin/munin-node.conf - register: munin_node_exists - - -# === -# Adjust/Correct some values.. 
-# === - -- name: addjust line 'munin_remote_ip' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^munin_remote_ip=' - line: 'munin_remote_ip="{{ munin_remote_ipv4 }}"' - when: - - main_ipv4_exists.stat.exists - notify: - - Restart IPv4 Firewall - -- name: addjust line 'munin_remote_ip' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^munin_remote_ip=' - line: 'munin_remote_ip="{{ munin_remote_ipv6 }}"' - when: - - main_ipv6_exists.stat.exists - notify: - - Restart IPv6 Firewall - -- name: addjust line 'vpn_ifs' (IPv4) - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: '^vpn_ifs=' - line: 'vpn_ifs="tun+"' - when: - - interfaces_ipv4_exists.stat.exists - notify: - - Restart IPv4 Firewall - -- name: addjust line 'vpn_ifs' (IPv6) - lineinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: '^vpn_ifs=' - line: 'vpn_ifs="tun+"' - when: - - interfaces_ipv6_exists.stat.exists - notify: - - Restart IPv6 Firewall - - -# === -# Add some Code Block. -# === - -# --- -# Wireguard Service -# --- - -- name: Check if String 'wg_ifs=..' is present in interfaces_ipv4.conf - shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf - register: wg_ifs_interfaces_ipv4_present - when: interfaces_ipv4_exists.stat.exists - failed_when: "wg_ifs_interfaces_ipv4_present.rc > 1" - changed_when: "wg_ifs_interfaces_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - insertafter: '^#?\s*vpn_ifs' - block: | - - # - Wireguard Interfaces - # - (comma separated list 'wg+' is also possible) - wg_ifs="wg+" - - marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" +- import_tasks: ipt-server.yml when: - - interfaces_ipv4_exists.stat.exists - - wg_ifs_interfaces_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'wg_ifs=..' 
is present in interfaces_ipv6.conf - shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf - register: wg_ifs_interfaces_ipv6_present - when: interfaces_ipv6_exists.stat.exists - failed_when: "wg_ifs_interfaces_ipv6_present.rc > 1" - changed_when: "wg_ifs_interfaces_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - insertafter: '^#?\s*vpn_ifs' - block: | - - # - Wireguard Interfaces - # - (comma separated list 'wg+' is also possible) - wg_ifs="wg+" - - marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" - when: - - interfaces_ipv6_exists.stat.exists - - wg_ifs_interfaces_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -- name: Check if String 'nat_devices=..' is present in interfaces_ipv4.conf - shell: grep -q -E "^nat_devices=" /etc/ipt-firewall/interfaces_ipv4.conf - register: nat_devices_interfaces_ipv4_present - when: interfaces_ipv4_exists.stat.exists - failed_when: "nat_devices_interfaces_ipv4_present.rc > 1" - changed_when: "nat_devices_interfaces_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (nat_devices) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - insertafter: '^#?\s*local_2_ip' - block: | - - # - Devices given in list "nat_devices" will be natted - # - - # - Blank separated list - # - - nat_devices="" - - marker: "# Marker set by modify-ipt-server.yml (nat_devices)" - when: - - interfaces_ipv4_exists.stat.exists - - nat_devices_interfaces_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'nat_devices=..' 
is present in interfaces_ipv6.conf - shell: grep -q -E "^nat_devices=" /etc/ipt-firewall/interfaces_ipv6.conf - register: nat_devices_interfaces_ipv6_present - when: interfaces_ipv6_exists.stat.exists - failed_when: "nat_devices_interfaces_ipv6_present.rc > 1" - changed_when: "nat_devices_interfaces_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (nat_devices) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - insertafter: '^#?\s*local_2_ip' - block: | - - # - Devices given in list "nat_devices" will be natted - # - - # - Blank separated list - # - - nat_devices="" - - marker: "# Marker set by modify-ipt-server.yml (nat_devices)" - when: - - interfaces_ipv6_exists.stat.exists - - nat_devices_interfaces_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -- name: Check if String 'wireguard_server_ips=..' is present - shell: grep -q -E "^wireguard_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: wireguard_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "wireguard_service_ipv4_present.rc > 1" - changed_when: "wireguard_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (wireguard_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_ports' - block: | - - # - WireGuard Service - # - - wireguard_server_ips="" - forward_wireguard_server_ips="" - - # - WireGuard Ports used by local Service - # - - # - Blank separated list - # - - wireguard_server_ports="$standard_wireguard_port" - - # - Remote WireGuard Ports - # - - wireguard_out_ports="$standard_wireguard_port" - - marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" - when: - - main_ipv4_exists.stat.exists - - wireguard_service_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'wireguard_server_ips=..' 
is present - shell: grep -q -E "^wireguard_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: wireguard_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "wireguard_service_ipv6_present.rc > 1" - changed_when: "wireguard_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (wireguard_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_ports' - block: | - - # - WireGuard Service - # - - wireguard_server_ips="" - forward_wireguard_server_ips="" - - # - WireGuard Ports used by local Service - # - - # - Blank separated list - # - - wireguard_server_ports="$standard_wireguard_port" - - # - Remote WireGuard Ports - # - - wireguard_out_ports="$standard_wireguard_port" - - marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" - when: - - main_ipv6_exists.stat.exists - - wireguard_service_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# --- -# Mattermost (MM) Service -# --- - -- name: Check if String 'mm_server_ips=..' 
is present - shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: mattermost_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mattermost_service_ipv4_present.rc > 1" - changed_when: "mattermost_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*http_ports' - block: | - - # - Mattermost (MM) Service - # - - mm_server_ips="" - forward_mm_server_ips="" - - # - UDP Ports IN and OUT used by MM Servive - # - - mm_udp_ports_in="$stansard_mattermost_udp_ports_in" - mm_udp_ports_out="$stansard_mattermost_udp_ports_out" - - marker: "# Marker set by modify-ipt-server.yml (mattermost_service)" - when: - - main_ipv4_exists.stat.exists - - mattermost_service_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'mm_server_ips=..' is present - shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: mattermost_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "mattermost_service_ipv6_present.rc > 1" - changed_when: "mattermost_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*http_ports' - block: | - - # - Mattermost (MM) Service - # - - mm_server_ips="" - forward_mm_server_ips="" - - # - UDP Ports IN and OUT used by MM Servive - # - - mm_udp_ports_in="$stansard_mattermost_udp_ports_in" - mm_udp_ports_out="$stansard_mattermost_udp_ports_out" - - marker: "# Marker set by modify-ipt-server.yml (mattermost_service)" - when: - - main_ipv6_exists.stat.exists - - mattermost_service_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - - -# --- -# Protection against and Limit Connections settings -# --- - -- name: Check if String 'protection_against_syn_flooding=..' 
is present - shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv4.conf - register: protect_settings_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "protect_settings_ipv4_present.rc > 1" - changed_when: "protect_settings_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*create_iperf_rules' - block: | - - # ------------- - # - Protection against ... - # ------------- - - # - Protection against syn-flooding - # - - protection_against_syn_flooding=true - - # - Protection against port scanning - # - - protection_against_port_scanning=true - - # - Protection against SSH brute-force attacks - # - - protection_against_ssh_brute_force_attacks=true - - - # ------------- - # - Limit Connections - # ------------- - - # - Limit connections per source IP - # - - limit_connections_per_source_IP=true - - # - Limit RST packets - # - - limit_rst_packets=true - - # - Limit new TCP connections per second per source IP - # - - limit_new_tcp_connections_per_seconds_per_source_IP=true - - marker: "# Marker set by modify-ipt-server.yml (protect_settings)" - when: - - main_ipv4_exists.stat.exists - - protect_settings_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'protection_against_syn_flooding=..' is present - shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv6.conf - register: protect_settings_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "protect_settings_ipv6_present.rc > 1" - changed_when: "protect_settings_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*create_iperf_rules' - block: | - - # ------------- - # - Protection against ... 
- # ------------- - - # - Protection against syn-flooding - # - - protection_against_syn_flooding=true - - # - Protection against port scanning - # - - protection_against_port_scanning=true - - # - Protection against SSH brute-force attacks - # - - protection_against_ssh_brute_force_attacks=true - - - # ------------- - # - Limit Connections - # ------------- - - # - Limit connections per source IP - # - - limit_connections_per_source_IP=true - - # - Limit RST packets - # - - limit_rst_packets=true - - # - Limit new TCP connections per second per source IP - # - - limit_new_tcp_connections_per_seconds_per_source_IP=true - - marker: "# Marker set by modify-ipt-server.yml (protect_settings)" - when: - - main_ipv6_exists.stat.exists - - protect_settings_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# === -# Remove Marker set by blockinfile -# === - -- name: Remove marker IPv4 - replace : - path: /etc/ipt-firewall/main_ipv4.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv4_removed - #failed_when: "marker_ipv4_removed.rc > 1" - #changed_when: "marker_ipv4_removed.rc < 1" - when: - - main_ipv4_exists.stat.exists - -- name: Remove marker IPv6 - replace : - path: /etc/ipt-firewall/main_ipv6.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv6_removed - #failed_when: "marker_ipv6_removed.rc > 1" - #changed_when: "marker_ipv6_removed.rc < 1" - when: - - main_ipv6_exists.stat.exists - -- name: Remove marker IPv4 from interfaces_ipv4.conf - replace : - path: /etc/ipt-firewall/interfaces_ipv4.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - when: - - interfaces_ipv4_exists.stat.exists - -- name: Remove marker IPv6 from interfaces_ipv6.conf - replace : - path: /etc/ipt-firewall/interfaces_ipv6.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - when: - - interfaces_ipv6_exists.stat.exists - -# === -# Confiuration Files -# 
=== - -- name: Check if configuration files are latest - shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1' - changed_when: "diff_script_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_script_output.rc > 2" - when: - - git_firewall_repository is defined and git_firewall_repository|length > 0 - loop: - - default_ports.conf - - include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - post_decalrations.conf - register: diff_script_output - -- name: Ensure configuration files are latest - command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} - loop: - - default_ports.conf - - include_functions.conf - - load_modules_ipv4.conf - - load_modules_ipv6.conf - - logging_ipv4.conf - - logging_ipv6.conf - - post_decalrations.conf - when: - - git_firewall_repository is defined and git_firewall_repository|length > 0 - - diff_script_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - -# === -# Firewall scripts -# === - -- name: Check if firewall scripts are latest - shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' - changed_when: "diff_script_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_script_output.rc > 2" - when: - - git_firewall_repository is defined and git_firewall_repository|length > 0 - loop: - - ipt-firewall-server - - ip6t-firewall-server - register: diff_script_output - -- name: Ensure firewall scripts are latest - command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} - loop: - - ipt-firewall-server - - ip6t-firewall-server - when: - - git_firewall_repository is defined and git_firewall_repository|length > 0 - - diff_script_output.changed - notify: - - Restart IPv4 
Firewall
- - Restart IPv6 Firewall
-
+ - inventory_hostname not in groups['gateway_server']
+ - inventory_hostname not in groups['no_ipt_firewall']
+ tags:
+ - git-firewall-repository
+ - ipt-server