Adapt client_iptables role to support Gentoo

2020-07-11 16:46:19 +02:00 · 2020-07-11 16:46:19 +02:00 · 344f64edb2
parent d4a11210ac
commit 344f64edb2
6 changed files with 20 additions and 18 deletions
--- a/group_vars/os_gentoo.yml
+++ b/group_vars/os_gentoo.yml
@ -15,6 +15,10 @@ sudo_group: wheel
 # Command to run to execute a Gentoo update
 cron_upgrade_job: emerge --sync --quiet && emerge --quiet-build -uvDN @world && emerge --quiet-build @preserved-rebuild && emerge --depclean && eselect news read

+# Define iptables save files for Gentoo
+iptables_save_file: /var/lib/iptables/rules-save
+ip6tables_save_file: /var/lib/ip6tables/rules-save
+
 # Tools to install on Gentoo hosts
 tools_package:
  - bind-tools
--- a/playbook_general_deploy.yml
+++ b/playbook_general_deploy.yml
@ -1,10 +1,10 @@
 ---
 - hosts: all
  roles:
-    - auto_reboot
-    - auto_upgrade
+#    - auto_reboot
+#    - auto_upgrade
+#    - client_ntp
+#    - client_resolvers
+#    - client_tools
+#    - users_sudo
    - client_iptables # OK for Debian (iptables-persistent mode)
-    - client_ntp
-    - client_resolvers
-    - client_tools
-    - users_sudo
--- a/roles/client_iptables/README.md
+++ b/roles/client_iptables/README.md
@ -27,6 +27,10 @@ All variables and default values are defined in `defaults/main.yml` :
    
    # Set to false to avoid iptables configure with this role
    configure_iptables: true
+    
+    # Iptables save files (Ipv4 and IPv6)
+    iptables_save_file: /etc/iptables/rules.v4
+    ip6tables_save_file: /etc/iptables/rules.v6

 Dependencies
 ------------
--- a/roles/client_iptables/defaults/main.yml
+++ b/roles/client_iptables/defaults/main.yml
@ -13,3 +13,7 @@ ip_authorized: []

 # Set to false to avoid iptables configure with this role
 configure_iptables: true
+
+# Iptables save files (Ipv4 and IPv6)
+iptables_save_file: /etc/iptables/rules.v4
+ip6tables_save_file: /etc/iptables/rules.v6
--- a/roles/client_iptables/handlers/main.yml
+++ b/roles/client_iptables/handlers/main.yml
@ -1,8 +1,8 @@
 ---
 - name: save iptables v4 rules
-  shell: iptables-save > /etc/iptables/rules.v4
+  shell: iptables-save > {{ iptables_save_file }}
  listen: persist iptables

 - name: save iptables v6 rules
-  shell: ip6tables-save > /etc/iptables/rules.v6
+  shell: ip6tables-save > {{ ip6tables_save_file }}
  listen: persist iptables
--- a/roles/client_iptables/tasks/iptables.yml
+++ b/roles/client_iptables/tasks/iptables.yml
@ -23,7 +23,6 @@
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
-    comment: Accept localhost connection.
  notify:
    - persist iptables

@ -33,7 +32,6 @@
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
-    comment: Accept localhost connection.
  notify:
    - persist iptables

@ -43,7 +41,6 @@
    chain: INPUT
    protocol: icmp
    jump: ACCEPT
-    comment: Accept ICMP (ping) connection.
  notify:
    - persist iptables

@ -53,7 +50,6 @@
    chain: INPUT
    protocol: ipv6-icmp
    jump: ACCEPT
-    comment: Accept ICMPv6 (ping) connection.
  notify:
    - persist iptables

@ -64,7 +60,6 @@
    protocol: tcp
    destination_port: "{{ item }}"
    jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
  loop: "{{ tcp_authorized_ports }}"
  when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
  notify:
@ -77,7 +72,6 @@
    protocol: tcp
    destination_port: "{{ item }}"
    jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
  loop: "{{ tcp_authorized_ports }}"
  when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
  notify:
@ -90,7 +84,6 @@
    protocol: udp
    destination_port: "{{ item }}"
    jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
  loop: "{{ udp_authorized_ports }}"
  when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
  notify:
@ -103,7 +96,6 @@
    protocol: udp
    destination_port: "{{ item }}"
    jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
  loop: "{{ udp_authorized_ports }}"
  when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
  notify:
@ -115,7 +107,6 @@
    chain: INPUT
    source: "{{ item }}"
    jump: ACCEPT
-    comment: Accept new connections from IP "{{ item }}".
  loop: "{{ ip_authorized }}"
  when: ip_authorized is defined and (ip_authorized|length>0)
  notify:
@ -127,7 +118,6 @@
    chain: INPUT
    source: "{{ item }}"
    jump: ACCEPT
-    comment: Accept new connections from IP "{{ item }}".
  loop: "{{ ip_authorized }}"
  when: ip_authorized is defined and (ip_authorized|length>0)
  notify: