Update iptables roles, including iptables-persistence

playbook_general_deploy.yml

@@ -3,7 +3,7 @@
   roles:
     - auto_reboot
     - auto_upgrade
-    #- client_iptables # Role not well defined now
+    - client_iptables # OK for Debian (iptables-persistent mode)
     - client_ntp
     - client_resolvers
     - client_tools

roles/client_iptables/files/iptables

@@ -1,2 +0,0 @@
-#!/bin/sh
-/sbin/iptables-restore < /etc/iptables.up.rules

roles/client_iptables/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: save iptables v4 rules
+  shell: iptables-save > /etc/iptables/rules.v4
+  listen: persist iptables
+
+- name: save iptables v6 rules
+  shell: ip6tables-save > /etc/iptables/rules.v6
+  listen: persist iptables

roles/client_iptables/tasks/boot.yml

@@ -1,9 +0,0 @@
----
-- name: Add load rules at boot
-  copy:
-    src: iptables
-    dest: /etc/network/if-pre-up.d/iptables
-    owner: root
-    group: root
-    mode: 0755
-

roles/client_iptables/tasks/iptables.yml

@@ -1,37 +1,65 @@
 ---
-- name: Iptables installed
+- name: Allow related and established connections (IPV4)
-  package:
-    name: "iptables"
-    state: present
-
-- name: Allow related and established connections
   iptables:
+    ip_version: ipv4
     chain: INPUT
-    ctstate: ESTABLISHED,RELATED
+    ctstate: RELATED,ESTABLISHED
     jump: ACCEPT
+  notify:
+    - persist iptables
 
-- name: Allow incoming on localhost interface
+- name: Allow related and established connections (IPV6)
   iptables:
+    ip_version: ipv6
+    chain: INPUT
+    ctstate: RELATED,ESTABLISHED
+    jump: ACCEPT
+  notify:
+    - persist iptables
+
+- name: Allow incoming on localhost interface (IPV4)
+  iptables:
+    ip_version: ipv4
     chain: INPUT
     in_interface: lo
     jump: ACCEPT
+    comment: Accept localhost connection.
+  notify:
+    - persist iptables
 
-- name: Allow incoming ICMP
+- name: Allow incoming on localhost interface (IPV6)
   iptables:
+    ip_version: ipv6
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+    comment: Accept localhost connection.
+  notify:
+    - persist iptables
+
+- name: Allow incoming ICMP (IPV4)
+  iptables:
+    ip_version: ipv4
     chain: INPUT
     protocol: icmp
     jump: ACCEPT
+    comment: Accept ICMP (ping) connection.
+  notify:
+    - persist iptables
 
-- name: Allow new incoming connections on TCP port 22 (SSH).
+- name: Allow incoming ICMPv6 (IPV6)
   iptables:
+    ip_version: ipv6
     chain: INPUT
-    protocol: tcp
+    protocol: ipv6-icmp
-    destination_port: 22
     jump: ACCEPT
-    comment: Accept new connections on port "22".
+    comment: Accept ICMPv6 (ping) connection.
+  notify:
+    - persist iptables
 
-- name: Allow new incoming connections on TCP port (dynamic list).
+- name: Allow new incoming connections on TCP port (dynamic list) (IPV4)
   iptables:
+    ip_version: ipv4
     chain: INPUT
     protocol: tcp
     destination_port: "{{ item }}"
@@ -39,22 +67,74 @@
     comment: Accept new connections on port "{{ item }}".
   loop: "{{ tcp_authorized_ports }}"
   when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
+  notify:
+    - persist iptables
 
-- name: Allow new incoming connections from specific IP (dynamic list).
+- name: Allow new incoming connections on TCP port (dynamic list) (IPV6)
   iptables:
+    ip_version: ipv6
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    comment: Accept new connections on port "{{ item }}".
+  loop: "{{ tcp_authorized_ports }}"
+  when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
+  notify:
+    - persist iptables
+
+- name: Allow new incoming connections from specific IP (dynamic list) (IPV4)
+  iptables:
+    ip_version: ipv4
     chain: INPUT
     source: "{{ item }}"
     jump: ACCEPT
     comment: Accept new connections from IP "{{ item }}".
   loop: "{{ ip_authorized }}"
   when: ip_authorized is defined and (ip_authorized|length>0)
+  notify:
+    - persist iptables
 
-- name: Set the policy for the FORWARD chain to DROP
+- name: Allow new incoming connections from specific IP (dynamic list) (IPV6)
   iptables:
+    ip_version: ipv6
+    chain: INPUT
+    source: "{{ item }}"
+    jump: ACCEPT
+    comment: Accept new connections from IP "{{ item }}".
+  loop: "{{ ip_authorized }}"
+  when: ip_authorized is defined and (ip_authorized|length>0)
+  notify:
+    - persist iptables
+
+- name: Set the policy for the FORWARD chain to DROP (IPV4)
+  iptables:
+    ip_version: ipv4
     chain: FORWARD
     policy: DROP
+  notify:
+    - persist iptables
 
-- name: Set the policy for the INPUT chain to DROP
+- name: Set the policy for the FORWARD chain to DROP (IPV6)
   iptables:
+    ip_version: ipv6
+    chain: FORWARD
+    policy: DROP
+  notify:
+    - persist iptables
+
+- name: Set the policy for the INPUT chain to DROP (IPV4)
+  iptables:
+    ip_version: ipv4
     chain: INPUT
     policy: DROP
+  notify:
+    - persist iptables
+
+- name: Set the policy for the INPUT chain to DROP (IPV6)
+  iptables:
+    ip_version: ipv6
+    chain: INPUT
+    policy: DROP
+  notify:
+    - persist iptables

roles/client_iptables/tasks/main.yml

@@ -3,5 +3,3 @@
 
 - import_tasks: package.yml
 - import_tasks: iptables.yml
-- import_tasks: save.yml
-- import_tasks: boot.yml

roles/client_iptables/tasks/package.yml

@@ -3,3 +3,11 @@
   package:
     name: "iptables"
     state: present
+
+- name: iptables-persistent installed
+  package:
+    name: "iptables-persistent"
+    state: present
+  when: ansible_os_family == "Debian"
+  notify:
+    - persist iptables

roles/client_iptables/tasks/save.yml

@@ -1,3 +0,0 @@
----
-- name: Save iptables rules
-  shell: iptables-save > /etc/iptables.up.rules