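---
# Install and configure the ipt-firewall scripts and their configuration
# directory /etc/ipt-firewall from a git checkout on the managed host.
#
# Expected input: `git_firewall_repository`, a mapping with at least `repo`
# and `dest` (and optionally `version`). The firewall scripts copied from that
# checkout are installed to /usr/local/sbin and run as root by the
# ipt-firewall / ip6t-firewall services, so the checkout is effectively a
# root-trusted code path: pin `version` to a reviewed tag or commit.
#
# Group membership (dns_server, apache2_webserver, nginx_webserver,
# mail_server, ftp_server, mumble_server, lxc_host) decides which
# "*_ips" variables get opened in main_ipv[4|6].conf. Membership is tested
# with a real list membership test; the previous `groups[...]|string is
# search(inventory_hostname)` form was a substring match, so host "mail"
# was treated as a member whenever "mail2" was in the group.
- hosts: all
  tasks:
    # ---
    # Firewall repository and config directory '/etc/ipt-firewall'
    # ---
    - name: Install/update firewall repository
      git:
        repo: "{{ git_firewall_repository.repo }}"
        dest: "{{ git_firewall_repository.dest }}"
        # 'HEAD' is the module default, so behaviour is unchanged unless a
        # version is supplied. Supply one: an unpinned branch means whoever
        # controls the remote controls code that later runs as root here.
        version: "{{ git_firewall_repository.version | default('HEAD') }}"
      # The variable is used as a mapping (.repo/.dest); the old test
      # `git_firewall_repository > 0` compared a mapping with an integer.
      when:
        - git_firewall_repository is defined
        - git_firewall_repository is mapping
      tags:
        - git-firewall-repository

    - name: Create directory /etc/ipt-firewall if not exists
      file:
        path: /etc/ipt-firewall
        state: directory
        mode: '0755'

    # ---
    # Get information about network devices
    # ---
    # ansible_netdev collects the interface fact dicts the firewall should
    # treat as external: 'ether' devices on ordinary hosts, 'bridge' devices on
    # LXC hosts (group lxc_host). Interfaces without a 'type' fact are skipped
    # instead of failing the expression.
    - name: Define ethernet interface facts (non-LXC hosts)
      set_fact:
        ansible_netdev: "{{ ansible_netdev | default([]) + [hostvars[inventory_hostname]['ansible_' + item]] }}"
      loop: "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
      when:
        - hostvars[inventory_hostname]['ansible_' + item]['type'] | default('') == 'ether'
        - inventory_hostname not in groups['lxc_host'] | default([])

    - name: Define bridge interface facts (LXC hosts)
      set_fact:
        ansible_netdev: "{{ ansible_netdev | default([]) + [hostvars[inventory_hostname]['ansible_' + item]] }}"
      loop: "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
      when:
        - hostvars[inventory_hostname]['ansible_' + item]['type'] | default('') == 'bridge'
        - inventory_hostname in groups['lxc_host'] | default([])

    - name: Debug message
      debug:
        msg:
          - "index: {{ idx + 1 }}"
          - "device: {{ item.device }}"
          - "ipv4-address: {{ item.ipv4.address | default('none') }}"
          - "ipv6-address: {{ item.ipv6[0].address | default('none') }}"
      # default([]) keeps the task from failing when no interface matched above
      loop: "{{ ansible_netdev | default([]) }}"
      loop_control:
        label: "{{ item.device }}"
        index_var: idx

    # ---
    # Check presence of files
    # ---
    - name: Check if /etc/ipt-firewall/interfaces_ipv4.conf is present
      stat:
        path: /etc/ipt-firewall/interfaces_ipv4.conf
      register: interfaces_ipv4_exists

    - name: Check if /etc/ipt-firewall/interfaces_ipv6.conf is present
      stat:
        path: /etc/ipt-firewall/interfaces_ipv6.conf
      register: interfaces_ipv6_exists

    - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
      stat:
        path: /etc/ipt-firewall/main_ipv4.conf
      register: main_ipv4_exists

    - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
      stat:
        path: /etc/ipt-firewall/main_ipv6.conf
      register: main_ipv6_exists

    - name: Check if /etc/ipt-firewall/ban_ipv4.list is present
      stat:
        path: /etc/ipt-firewall/ban_ipv4.list
      register: ban_ipv4_exists

    - name: Check if /etc/ipt-firewall/ban_ipv6.list is present
      stat:
        path: /etc/ipt-firewall/ban_ipv6.list
      register: ban_ipv6_exists

    # ===
    # Update/Modify firewall
    # ===
    # Sample files are copied with the copy module (remote_src) instead of
    # `command: cp`: the result is idempotent, reports 'changed' only when a
    # file was actually written, and gets an explicit mode instead of
    # inheriting whatever mode the git checkout happens to have.

    # ---
    # Host specific configuration files
    # ---
    # /etc/ipt-firewall/interfaces_ipv[4|6].conf
    #
    - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
      copy:
        src: "{{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample"
        dest: /etc/ipt-firewall/interfaces_ipv4.conf
        remote_src: true
        force: false
        mode: '0644'
      when: not interfaces_ipv4_exists.stat.exists
      register: new_interfaces_ipv4

    # ext_if_N / ext_N_ip are numbered from 1 in ansible_netdev order.
    - name: Configure interfaces_ipv4.conf 1/2
      lineinfile:
        path: /etc/ipt-firewall/interfaces_ipv4.conf
        regexp: '^ext_if_{{ idx + 1 }}='
        line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"'
      loop: "{{ ansible_netdev | default([]) }}"
      loop_control:
        label: "{{ item.device }}"
        index_var: idx
      when:
        - not interfaces_ipv4_exists.stat.exists
        - new_interfaces_ipv4 is changed

    # Fails deliberately for an interface without an IPv4 address: writing an
    # empty ext_N_ip into a firewall config is worse than stopping here.
    - name: Configure interfaces_ipv4.conf 2/2
      lineinfile:
        path: /etc/ipt-firewall/interfaces_ipv4.conf
        regexp: '^ext_{{ idx + 1 }}_ip='
        line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv4.address }}"'
      loop: "{{ ansible_netdev | default([]) }}"
      loop_control:
        label: "{{ item.device }}"
        index_var: idx
      when:
        - not interfaces_ipv4_exists.stat.exists
        - new_interfaces_ipv4 is changed

    - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf'
      copy:
        src: "{{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample"
        dest: /etc/ipt-firewall/interfaces_ipv6.conf
        remote_src: true
        force: false
        mode: '0644'
      when: not interfaces_ipv6_exists.stat.exists
      register: new_interfaces_ipv6

    - name: Configure interfaces_ipv6.conf 1/2
      lineinfile:
        path: /etc/ipt-firewall/interfaces_ipv6.conf
        regexp: '^ext_if_{{ idx + 1 }}='
        line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"'
      loop: "{{ ansible_netdev | default([]) }}"
      loop_control:
        label: "{{ item.device }}"
        index_var: idx
      when:
        - not interfaces_ipv6_exists.stat.exists
        - new_interfaces_ipv6 is changed

    # NOTE(review): item.ipv6.0 is simply the first IPv6 entry of the
    # interface facts; it is not guaranteed to be the global address rather
    # than a link-local one. Verify the generated file on hosts with IPv6.
    - name: Configure interfaces_ipv6.conf 2/2
      lineinfile:
        path: /etc/ipt-firewall/interfaces_ipv6.conf
        regexp: '^ext_{{ idx + 1 }}_ip='
        line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"'
      loop: "{{ ansible_netdev | default([]) }}"
      loop_control:
        label: "{{ item.device }}"
        index_var: idx
      when:
        - not interfaces_ipv6_exists.stat.exists
        - new_interfaces_ipv6 is changed

    # /etc/ipt-firewall/ban_ipv[4|6].list
    #
    - name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
      copy:
        src: "{{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample"
        dest: /etc/ipt-firewall/ban_ipv4.list
        remote_src: true
        force: false
        mode: '0644'
      when: not ban_ipv4_exists.stat.exists

    - name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list'
      copy:
        src: "{{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample"
        dest: /etc/ipt-firewall/ban_ipv6.list
        remote_src: true
        force: false
        mode: '0644'
      when: not ban_ipv6_exists.stat.exists

    # /etc/ipt-firewall/main_ipv[4|6].conf
    #
    - name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
      copy:
        src: "{{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample"
        dest: /etc/ipt-firewall/main_ipv4.conf
        remote_src: true
        force: false
        mode: '0644'
      when: not main_ipv4_exists.stat.exists
      register: cp_main_ipv4

    - name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
      copy:
        src: "{{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample"
        dest: /etc/ipt-firewall/main_ipv6.conf
        remote_src: true
        force: false
        mode: '0644'
      when: not main_ipv6_exists.stat.exists
      register: cp_main_ipv6

    # Configure main_ipv4.conf
    #
    # The "$ext_ips" / "$ext_1_ip" values are written literally; they are
    # presumably expanded when the firewall script reads the file. Each
    # *_server_ips line is only set on a freshly placed file and only for
    # hosts in the matching inventory group.
    - name: Configure main_ipv4.conf (dns_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*dns_server_ips'
        line: 'dns_server_ips="$ext_ips"'
        state: present
      when:
        - inventory_hostname in groups['dns_server'] | default([])
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    # SSH is opened on every host, not tied to a group.
    - name: Configure main_ipv4.conf (ssh_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*ssh_server_ips'
        line: 'ssh_server_ips="$ext_ips"'
        state: present
      when:
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    - name: Configure main_ipv4.conf (http_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*http_server_ips='
        line: 'http_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in (groups['apache2_webserver'] | default([])) + (groups['nginx_webserver'] | default([]))
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    - name: Configure main_ipv4.conf (mail_client_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*mail_client_ips='
        line: 'mail_client_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in (groups['apache2_webserver'] | default([])) + (groups['nginx_webserver'] | default([]))
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    - name: Configure main_ipv4.conf (smtpd_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*smtpd_ips='
        line: 'smtpd_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['mail_server'] | default([])
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    - name: Configure main_ipv4.conf (mail_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*mail_server_ips='
        line: 'mail_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['mail_server'] | default([])
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    - name: Configure main_ipv4.conf (ftp_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*ftp_server_ips='
        line: 'ftp_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['ftp_server'] | default([])
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    - name: Configure main_ipv4.conf (mumble_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv4.conf
        regexp: '^\s*mumble_server_ips='
        line: 'mumble_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['mumble_server'] | default([])
        - not main_ipv4_exists.stat.exists
        - cp_main_ipv4 is changed

    # Configure main_ipv6.conf
    # (same group mapping as main_ipv4.conf)
    - name: Configure main_ipv6.conf (dns_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*dns_server_ips'
        line: 'dns_server_ips="$ext_ips"'
        state: present
      when:
        - inventory_hostname in groups['dns_server'] | default([])
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    - name: Configure main_ipv6.conf (ssh_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*ssh_server_ips'
        line: 'ssh_server_ips="$ext_ips"'
        state: present
      when:
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    - name: Configure main_ipv6.conf (http_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*http_server_ips='
        line: 'http_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in (groups['apache2_webserver'] | default([])) + (groups['nginx_webserver'] | default([]))
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    - name: Configure main_ipv6.conf (mail_client_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*mail_client_ips='
        line: 'mail_client_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in (groups['apache2_webserver'] | default([])) + (groups['nginx_webserver'] | default([]))
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    - name: Configure main_ipv6.conf (smtpd_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*smtpd_ips='
        line: 'smtpd_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['mail_server'] | default([])
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    - name: Configure main_ipv6.conf (mail_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*mail_server_ips='
        line: 'mail_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['mail_server'] | default([])
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    - name: Configure main_ipv6.conf (ftp_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*ftp_server_ips='
        line: 'ftp_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['ftp_server'] | default([])
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    - name: Configure main_ipv6.conf (mumble_server_ips)
      lineinfile:
        path: /etc/ipt-firewall/main_ipv6.conf
        regexp: '^\s*mumble_server_ips='
        line: 'mumble_server_ips="$ext_1_ip"'
        state: present
      when:
        - inventory_hostname in groups['mumble_server'] | default([])
        - not main_ipv6_exists.stat.exists
        - cp_main_ipv6 is changed

    # ---
    # Host independent configuration files
    # ---
    # One idempotent copy per file replaces the former shell `diff` +
    # `command: cp` pair; the handlers fire only when a file really changed.
    # File names must match the repository exactly (including the spelling of
    # post_decalrations.conf as shipped there).
    - name: Ensure common configuration files are latest
      copy:
        src: "{{ git_firewall_repository.dest }}/conf/{{ item }}"
        dest: "/etc/ipt-firewall/{{ item }}"
        remote_src: true
        mode: '0644'
      loop:
        - include_functions.conf
        - load_modules_ipv4.conf
        - load_modules_ipv6.conf
        - logging_ipv4.conf
        - logging_ipv6.conf
        - default_ports.conf
        - post_decalrations.conf
      when:
        - git_firewall_repository is defined
        - git_firewall_repository is mapping
      notify:
        - Restart IPv4 Firewall
        - Restart IPv6 Firewall

    # ---
    # Firewall scripts
    # ---
    # These are the scripts started by the ipt-firewall / ip6t-firewall
    # services (see handlers), i.e. they execute as root. The mode is set
    # explicitly rather than inherited from the git checkout.
    - name: Ensure firewall scripts are latest
      copy:
        src: "{{ git_firewall_repository.dest }}/{{ item }}"
        dest: "/usr/local/sbin/{{ item }}"
        remote_src: true
        mode: '0755'
      loop:
        - ipt-firewall-server
        - ip6t-firewall-server
      when:
        - git_firewall_repository is defined
        - git_firewall_repository is mapping
      notify:
        - Restart IPv4 Firewall
        - Restart IPv6 Firewall

  handlers:
    # Not notified by any task in this play; kept for other plays/roles
    # that may include these handlers.
    - name: Restart ulogd
      service:
        name: ulogd
        state: restarted

    - name: Restart IPv4 Firewall
      service:
        name: ipt-firewall
        state: restarted

    - name: Restart IPv6 Firewall
      service:
        name: ip6t-firewall
        state: restarted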