nemo/ansible-base
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Adapt client_iptables role to support Gentoo

Browse source
This commit is contained in:
Nemo 2020-07-11 16:46:19 +02:00
parent d4a11210ac
commit 344f64edb2
6 changed files with 20 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
group_vars/os_gentoo.yml
View file

@ -15,6 +15,10 @@ sudo_group: wheel
# Command to run to execute a Gentoo update # Command to run to execute a Gentoo update
cron_upgrade_job: emerge --sync --quiet && emerge --quiet-build -uvDN @world && emerge --quiet-build @preserved-rebuild && emerge --depclean && eselect news read cron_upgrade_job: emerge --sync --quiet && emerge --quiet-build -uvDN @world && emerge --quiet-build @preserved-rebuild && emerge --depclean && eselect news read
# Define iptables save files for Gentoo
iptables_save_file: /var/lib/iptables/rules-save
ip6tables_save_file: /var/lib/ip6tables/rules-save
# Tools to install on Gentoo hosts # Tools to install on Gentoo hosts
tools_package: tools_package:
- bind-tools - bind-tools

12
playbook_general_deploy.yml
View file

@ -1,10 +1,10 @@
--- ---
- hosts: all - hosts: all
roles: roles:
- auto_reboot # - auto_reboot
- auto_upgrade # - auto_upgrade
# - client_ntp
# - client_resolvers
# - client_tools
# - users_sudo
- client_iptables # OK for Debian (iptables-persistent mode) - client_iptables # OK for Debian (iptables-persistent mode)
- client_ntp
- client_resolvers
- client_tools
- users_sudo

4
roles/client_iptables/README.md
View file

@ -27,6 +27,10 @@ All variables and default values are defined in `defaults/main.yml` :
# Set to false to avoid iptables configure with this role # Set to false to avoid iptables configure with this role
configure_iptables: true configure_iptables: true
# Iptables save files (Ipv4 and IPv6)
iptables_save_file: /etc/iptables/rules.v4
ip6tables_save_file: /etc/iptables/rules.v6
Dependencies Dependencies
------------ ------------

4
roles/client_iptables/defaults/main.yml
View file

@ -13,3 +13,7 @@ ip_authorized: []
# Set to false to avoid iptables configure with this role # Set to false to avoid iptables configure with this role
configure_iptables: true configure_iptables: true
# Iptables save files (Ipv4 and IPv6)
iptables_save_file: /etc/iptables/rules.v4
ip6tables_save_file: /etc/iptables/rules.v6

4
roles/client_iptables/handlers/main.yml
View file

@ -1,8 +1,8 @@
--- ---
- name: save iptables v4 rules - name: save iptables v4 rules
shell: iptables-save > /etc/iptables/rules.v4 shell: iptables-save > {{ iptables_save_file }}
listen: persist iptables listen: persist iptables
- name: save iptables v6 rules - name: save iptables v6 rules
shell: ip6tables-save > /etc/iptables/rules.v6 shell: ip6tables-save > {{ ip6tables_save_file }}
listen: persist iptables listen: persist iptables

10
roles/client_iptables/tasks/iptables.yml
View file

@ -23,7 +23,6 @@
chain: INPUT chain: INPUT
in_interface: lo in_interface: lo
jump: ACCEPT jump: ACCEPT
comment: Accept localhost connection.
notify: notify:
- persist iptables - persist iptables
@ -33,7 +32,6 @@
chain: INPUT chain: INPUT
in_interface: lo in_interface: lo
jump: ACCEPT jump: ACCEPT
comment: Accept localhost connection.
notify: notify:
- persist iptables - persist iptables
@ -43,7 +41,6 @@
chain: INPUT chain: INPUT
protocol: icmp protocol: icmp
jump: ACCEPT jump: ACCEPT
comment: Accept ICMP (ping) connection.
notify: notify:
- persist iptables - persist iptables
@ -53,7 +50,6 @@
chain: INPUT chain: INPUT
protocol: ipv6-icmp protocol: ipv6-icmp
jump: ACCEPT jump: ACCEPT
comment: Accept ICMPv6 (ping) connection.
notify: notify:
- persist iptables - persist iptables
@ -64,7 +60,6 @@
protocol: tcp protocol: tcp
destination_port: "{{ item }}" destination_port: "{{ item }}"
jump: ACCEPT jump: ACCEPT
comment: Accept new connections on port "{{ item }}".
loop: "{{ tcp_authorized_ports }}" loop: "{{ tcp_authorized_ports }}"
when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0) when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
notify: notify:
@ -77,7 +72,6 @@
protocol: tcp protocol: tcp
destination_port: "{{ item }}" destination_port: "{{ item }}"
jump: ACCEPT jump: ACCEPT
comment: Accept new connections on port "{{ item }}".
loop: "{{ tcp_authorized_ports }}" loop: "{{ tcp_authorized_ports }}"
when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0) when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
notify: notify:
@ -90,7 +84,6 @@
protocol: udp protocol: udp
destination_port: "{{ item }}" destination_port: "{{ item }}"
jump: ACCEPT jump: ACCEPT
comment: Accept new connections on port "{{ item }}".
loop: "{{ udp_authorized_ports }}" loop: "{{ udp_authorized_ports }}"
when: udp_authorized_ports is defined and (udp_authorized_ports|length>0) when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
notify: notify:
@ -103,7 +96,6 @@
protocol: udp protocol: udp
destination_port: "{{ item }}" destination_port: "{{ item }}"
jump: ACCEPT jump: ACCEPT
comment: Accept new connections on port "{{ item }}".
loop: "{{ udp_authorized_ports }}" loop: "{{ udp_authorized_ports }}"
when: udp_authorized_ports is defined and (udp_authorized_ports|length>0) when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
notify: notify:
@ -115,7 +107,6 @@
chain: INPUT chain: INPUT
source: "{{ item }}" source: "{{ item }}"
jump: ACCEPT jump: ACCEPT
comment: Accept new connections from IP "{{ item }}".
loop: "{{ ip_authorized }}" loop: "{{ ip_authorized }}"
when: ip_authorized is defined and (ip_authorized|length>0) when: ip_authorized is defined and (ip_authorized|length>0)
notify: notify:
@ -127,7 +118,6 @@
chain: INPUT chain: INPUT
source: "{{ item }}" source: "{{ item }}"
jump: ACCEPT jump: ACCEPT
comment: Accept new connections from IP "{{ item }}".
loop: "{{ ip_authorized }}" loop: "{{ ip_authorized }}"
when: ip_authorized is defined and (ip_authorized|length>0) when: ip_authorized is defined and (ip_authorized|length>0)
notify: notify: