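---
# Legacy check kept for reference: the repository used to be tested with
# stat before cloning.  The git task below handles both the initial clone
# and later updates, so this stays disabled.
#
# - name: (ipt-gateway.yml) Check if firewall repository exist
#   stat:
#     path: '{{ git_firewall_repository.dest }}'
#   register: git_firewall_repository_exists
#
# - meta: end_host
#   when: not git_firewall_repository_exists.stat.exists

# ---
# Install/update the firewall repository, then create the config
# directory /etc/ipt-firewall if it does not exist
# ---

# The scripts cloned here are copied to /usr/local/sbin further down and
# run as root, so the checkout is pinned when the inventory supplies
# git_firewall_repository.version.  Without that key the git module's
# own default ("HEAD") applies, so existing inventories behave as before.
- name: (ipt-gateway.yml) Install/update firewall repository
  git:
    repo: '{{ git_firewall_repository.repo }}'
    dest: '{{ git_firewall_repository.dest }}'
    version: '{{ git_firewall_repository.version | default("HEAD") }}'
  when: git_firewall_repository is defined and git_firewall_repository|length > 0
  tags:
    - git-firewall-repository

# Exit if no firewall repository variable exists or is empty; every task
# below reads git_firewall_repository.dest.
- meta: end_host
  when: git_firewall_repository is not defined or git_firewall_repository|length < 1

- name: (ipt-gateway.yml) Create directory /etc/ipt-firewall if not exists
  file:
    path: /etc/ipt-firewall
    state: directory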
# ---
# Check presence of files
# ---
# One stat per file; the registered <name>_exists results decide further
# down whether a sample file from the repository gets copied into place.

- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
  register: interfaces_ipv4_exists
  stat:
    path: '/etc/ipt-firewall/interfaces_ipv4.conf'

- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
  register: interfaces_ipv6_exists
  stat:
    path: '/etc/ipt-firewall/interfaces_ipv6.conf'

- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
  register: main_ipv4_exists
  stat:
    path: '/etc/ipt-firewall/main_ipv4.conf'

- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
  register: main_ipv6_exists
  stat:
    path: '/etc/ipt-firewall/main_ipv6.conf'

- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/ban_ipv4.list are present
  register: ban_ipv4_exists
  stat:
    path: '/etc/ipt-firewall/ban_ipv4.list'
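# ---
# Get information about network devices
# ---
# ansible_netdev collects the interface fact dicts this host firewalls:
# ethernet devices on ordinary hosts, bridges on hosts in the inventory
# group lxc_host.  Both set_fact tasks are skipped once
# interfaces_ipv4.conf exists, because the list is only needed to fill a
# freshly copied sample.  Ansible renders `loop` before it evaluates
# `when`, so every later loop over ansible_netdev uses default([]) to
# stay valid on hosts where the fact was never set.
#
# NOTE(review): the setup module stores interface facts under a key with
# '-' replaced by '_', so a device such as br-lan is skipped by the
# 'ansible_' + item lookup; confirm before adding a replace filter.

- name: (ipt-gateway.yml) define traditional ethernet facts
  set_fact:
    ansible_netdev: "{{ ansible_netdev | default([]) + [hostvars[inventory_hostname]['ansible_' + item]] }}"
  loop: "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
  when:
    - not interfaces_ipv4_exists.stat.exists
    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
    # membership is tested on the group list itself; the former substring
    # test on groups['lxc_host']|string counted "web1" as a member whenever
    # "web10" was one.  default([]) covers inventories without the group.
    - inventory_hostname not in groups['lxc_host'] | default([])

- name: (ipt-gateway.yml) define traditional bridge facts
  set_fact:
    ansible_netdev: "{{ ansible_netdev | default([]) + [hostvars[inventory_hostname]['ansible_' + item]] }}"
  loop: "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
  when:
    - not interfaces_ipv4_exists.stat.exists
    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
    - inventory_hostname in groups['lxc_host'] | default([])

- name: (ipt-gateway.yml) Debug message IPv4
  debug:
    msg:
      - "index: {{ idx + 1 }}"
      - "device: {{ item.device }}"
      - "ipv4-address: {{ item.ipv4.address }}"
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
    index_var: idx
  when:
    - item.ipv4.address is defined and item.ipv4.address|length > 0

# The second IPv6 address is only printed when the device has one and it
# does not start with 'f' (the original filter, kept as-is); the length
# guard avoids an undefined-variable error on devices with a single
# address, which the `when` below does not exclude.
- name: (ipt-gateway.yml) Debug message IPv6
  debug:
    msg:
      - "index: {{ idx + 1 }}"
      - "device: {{ item.device }}"
      - "ipv6-address: {{ item.ipv6.0.address }}{% if item.ipv6 | length > 1 and item.ipv6.1.address is not match 'f.*' %} {{ item.ipv6.1.address }}{% endif %}"
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
    index_var: idx
  when:
    - item.default_ipv6 is defined and item.default_ipv6|length > 0
    - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0

# - meta: end_host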
# ---
# Get sshd ports
# ---
# fw_sshd_ports becomes a blank separated list of the ports in sshd_ports.
# When that variable is missing, empty, or holds only port 22, the literal
# string "$standard_ssh_port" is used instead — presumably a variable the
# firewall scripts' own configuration understands (Ansible does not expand
# it); confirm against the scripts.

- name: (ipt-gateway.yml) Get sshd ports as blank separated list
  when: sshd_ports is defined and sshd_ports | length > 0 and sshd_ports|join() != "22"
  set_fact:
    fw_sshd_ports: "{{ sshd_ports | join(' ') }}"

- name: (ipt-gateway.yml) Set default sshd ports
  when: sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"
  set_fact:
    fw_sshd_ports: "$standard_ssh_port"
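# ===
# Update/Modify firewall
# ===

# ---
# Host specific configuration files
# ---

# /etc/ipt-firewall/interfaces_ipv[4|6].conf
#
# copy with remote_src replaces `command: cp`: it is idempotent, reports
# "changed" only when the destination is actually written, and with
# mode: preserve gives a new file the sample's permissions as cp would.
- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
  copy:
    src: '{{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample'
    dest: /etc/ipt-firewall/interfaces_ipv4.conf
    remote_src: true
    mode: preserve
  when: not interfaces_ipv4_exists.stat.exists
  register: new_interfaces_ipv4

# NOTE(review): the loop rewrites the same local_if_1= line once per
# IPv4-capable device, so the last device in ansible_netdev wins, and the
# `until` clause retries an item whose line already matches (default retry
# count) before failing the task.  Kept as-is pending confirmation of the
# intended device selection.  default([]) on the loop keeps the task valid
# when ansible_netdev was never set, since loop is rendered before when.
- name: (ipt-gateway.yml) Configure interfaces_ipv4.conf 1/2
  lineinfile:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
    regexp: 'local_if_1='
    line: 'local_if_1="{{ item.device }}"'
  register: interfaces_ipv4_device
  loop: "{{ ansible_netdev | default([]) }}"
  loop_control:
    label: "{{ item.device }}"
  until:
    - interfaces_ipv4_device is changed
  when:
    - not interfaces_ipv4_exists.stat.exists
    - new_interfaces_ipv4 is changed
    - item.ipv4.address is defined and item.ipv4.address|length > 0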
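# /etc/ipt-firewall/ban_ipv[4|6].list
#
# The sample files are placed only when the stat checks above found no
# existing file.  copy with remote_src is used instead of `command: cp`
# so the tasks are idempotent and report a real changed status.
- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
  copy:
    src: '{{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample'
    dest: /etc/ipt-firewall/ban_ipv4.list
    remote_src: true
    mode: preserve
  when: not ban_ipv4_exists.stat.exists

# /etc/ipt-firewall/main_ipv[4|6].conf
#
- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
  copy:
    src: '{{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample'
    dest: /etc/ipt-firewall/main_ipv4.conf
    remote_src: true
    mode: preserve
  when: not main_ipv4_exists.stat.exists
  register: cp_main_ipv4

- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
  copy:
    src: '{{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample'
    dest: /etc/ipt-firewall/main_ipv6.conf
    remote_src: true
    mode: preserve
  when: not main_ipv6_exists.stat.exists
  register: cp_main_ipv6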
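# ---
# Host independent configuration files
# ---
# These files are taken verbatim from the repository.  copy with
# remote_src compares source and destination itself, so the former
# "diff, then cp everything" pair becomes one idempotent task that copies
# and reports changed per file and fails when a source file is missing.
# The result is still registered as diff_output in case something else
# reads that name.

- name: (ipt-gateway.yml) Ensure common configuration files are latest
  copy:
    src: '{{ git_firewall_repository.dest }}/conf/{{ item }}'
    dest: '/etc/ipt-firewall/{{ item }}'
    remote_src: true
    mode: preserve
  loop:
    - include_functions.conf
    - load_modules_ipv4.conf
    - load_modules_ipv6.conf
    - logging_ipv4.conf
    - logging_ipv6.conf
    - default_ports.conf
    - post_decalrations.conf  # spelled as in the repository
  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
  register: diff_output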
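# ---
# Firewall scripts
# ---
# Same approach as for the common configuration files: one idempotent
# copy per script.  mode: preserve matters here — the scripts must keep
# their executable bit when placed in /usr/local/sbin.  The result stays
# registered as diff_script_output in case something else reads it.

- name: (ipt-gateway.yml) Ensure firewall scripts are latest
  copy:
    src: '{{ git_firewall_repository.dest }}/{{ item }}'
    dest: '/usr/local/sbin/{{ item }}'
    remote_src: true
    mode: preserve
  loop:
    - ipt-firewall-gateway
    - ip6t-firewall-gateway
  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
  register: diff_script_output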
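# ---
# Install systemd service files ip[6]t-firewall.service
# ---

- name: (ipt-gateway.yml) Configure firewall systemd service files
  template:
    src: etc/systemd/system/{{ item }}-firewall.service.j2
    dest: /etc/systemd/system/{{ item }}-firewall.service
  register: systemd_service_files_installed
  loop:
    - ipt
    - ip6t

# The unit names must match the files rendered above (ipt-firewall.service
# and ip6t-firewall.service); the former "(ipt-gateway.yml) " prefix on
# `name` was the task-name convention leaking into the unit name, which
# systemd cannot resolve.  Each task registers its own result so the
# final end_host sees both.
# NOTE(review): the units are enabled but left stopped and the host is
# ended right afterwards — presumably so a freshly placed configuration is
# reviewed before the ruleset is activated; confirm with the including play.
- name: (ipt-gateway.yml) Enable firewall services IPv4
  systemd:
    name: ipt-firewall
    state: stopped
    enabled: true
    daemon_reload: true
  when: systemd_service_files_installed is changed
  register: firewall_service_started

- name: (ipt-gateway.yml) Enable firewall services IPv6
  systemd:
    name: ip6t-firewall
    state: stopped
    enabled: true
    daemon_reload: true
  when: systemd_service_files_installed is changed
  register: firewall6_service_started

- meta: end_host
  when: firewall_service_started is changed or firewall6_service_started is changed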