Adapt client_iptables role to support Gentoo

group_vars/os_gentoo.yml

@@ -15,6 +15,10 @@ sudo_group: wheel
 # Command to run to execute a Gentoo update
 cron_upgrade_job: emerge --sync --quiet && emerge --quiet-build -uvDN @world && emerge --quiet-build @preserved-rebuild && emerge --depclean && eselect news read
 
+# Define iptables save files for Gentoo
+iptables_save_file: /var/lib/iptables/rules-save
+ip6tables_save_file: /var/lib/ip6tables/rules-save
+
 # Tools to install on Gentoo hosts
 tools_package:
   - bind-tools

playbook_general_deploy.yml

@@ -1,10 +1,10 @@
 ---
 - hosts: all
   roles:
-    - auto_reboot
-    - auto_upgrade
+#    - auto_reboot
+#    - auto_upgrade
+#    - client_ntp
+#    - client_resolvers
+#    - client_tools
+#    - users_sudo
     - client_iptables # OK for Debian (iptables-persistent mode)
-    - client_ntp
-    - client_resolvers
-    - client_tools
-    - users_sudo

roles/client_iptables/README.md

@@ -27,6 +27,10 @@ All variables and default values are defined in `defaults/main.yml` :
     
     # Set to false to avoid iptables configure with this role
     configure_iptables: true
+    
+    # Iptables save files (Ipv4 and IPv6)
+    iptables_save_file: /etc/iptables/rules.v4
+    ip6tables_save_file: /etc/iptables/rules.v6
 
 Dependencies
 ------------

roles/client_iptables/defaults/main.yml

@@ -13,3 +13,7 @@ ip_authorized: []
 
 # Set to false to avoid iptables configure with this role
 configure_iptables: true
+
+# Iptables save files (Ipv4 and IPv6)
+iptables_save_file: /etc/iptables/rules.v4
+ip6tables_save_file: /etc/iptables/rules.v6

roles/client_iptables/handlers/main.yml

@@ -1,8 +1,8 @@
 ---
 - name: save iptables v4 rules
-  shell: iptables-save > /etc/iptables/rules.v4
+  shell: iptables-save > {{ iptables_save_file }}
   listen: persist iptables
 
 - name: save iptables v6 rules
-  shell: ip6tables-save > /etc/iptables/rules.v6
+  shell: ip6tables-save > {{ ip6tables_save_file }}
   listen: persist iptables

roles/client_iptables/tasks/iptables.yml

@@ -23,7 +23,6 @@
     chain: INPUT
     in_interface: lo
     jump: ACCEPT
-    comment: Accept localhost connection.
   notify:
     - persist iptables
 
@@ -33,7 +32,6 @@
     chain: INPUT
     in_interface: lo
     jump: ACCEPT
-    comment: Accept localhost connection.
   notify:
     - persist iptables
 
@@ -43,7 +41,6 @@
     chain: INPUT
     protocol: icmp
     jump: ACCEPT
-    comment: Accept ICMP (ping) connection.
   notify:
     - persist iptables
 
@@ -53,7 +50,6 @@
     chain: INPUT
     protocol: ipv6-icmp
     jump: ACCEPT
-    comment: Accept ICMPv6 (ping) connection.
   notify:
     - persist iptables
 
@@ -64,7 +60,6 @@
     protocol: tcp
     destination_port: "{{ item }}"
     jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
   loop: "{{ tcp_authorized_ports }}"
   when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
   notify:
@@ -77,7 +72,6 @@
     protocol: tcp
     destination_port: "{{ item }}"
     jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
   loop: "{{ tcp_authorized_ports }}"
   when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
   notify:
@@ -90,7 +84,6 @@
     protocol: udp
     destination_port: "{{ item }}"
     jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
   loop: "{{ udp_authorized_ports }}"
   when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
   notify:
@@ -103,7 +96,6 @@
     protocol: udp
     destination_port: "{{ item }}"
     jump: ACCEPT
-    comment: Accept new connections on port "{{ item }}".
   loop: "{{ udp_authorized_ports }}"
   when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
   notify:
@@ -115,7 +107,6 @@
     chain: INPUT
     source: "{{ item }}"
     jump: ACCEPT
-    comment: Accept new connections from IP "{{ item }}".
   loop: "{{ ip_authorized }}"
   when: ip_authorized is defined and (ip_authorized|length>0)
   notify:
@@ -127,7 +118,6 @@
     chain: INPUT
     source: "{{ item }}"
     jump: ACCEPT
-    comment: Accept new connections from IP "{{ item }}".
   loop: "{{ ip_authorized }}"
   when: ip_authorized is defined and (ip_authorized|length>0)
   notify: