forked from evolix/ansible-roles
Jérémy Lecour
97b0225232
Each role has to know how to deal with the other. Otherwise, depending on order of execution, the firewall might not allow connections for evomaintenance
124 lines
4 KiB
YAML
124 lines
4 KiB
YAML
---
|
|
|
|
- name: Check if minifirewall is running
|
|
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: minifirewall_is_running
|
|
|
|
- debug:
|
|
var: minifirewall_is_running
|
|
verbosity: 1
|
|
|
|
- name: Begin marker for IP addresses
|
|
lineinfile:
|
|
dest: /etc/default/minifirewall
|
|
create: no
|
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
|
insertbefore: '^# Main interface'
|
|
|
|
- name: End marker for IP addresses
|
|
lineinfile:
|
|
dest: /etc/default/minifirewall
|
|
create: no
|
|
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
|
|
insertafter: '^PRIVILEGIEDIPS='
|
|
|
|
- fail:
|
|
msg: You must provide at least 1 trusted IP
|
|
when: minifirewall_trusted_ips == []
|
|
- debug:
|
|
msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
|
|
when: minifirewall_trusted_ips == ["0.0.0.0/0"]
|
|
|
|
- name: Configure IP addresses
|
|
blockinfile:
|
|
dest: /etc/default/minifirewall
|
|
create: no
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
|
content: |
|
|
# Main interface
|
|
INT='{{ minifirewall_int }}'
|
|
|
|
# IPv6
|
|
IPV6='{{ minifirewall_ipv6 }}'
|
|
|
|
# Trusted IPv4 local network
|
|
# ...will be often IP/32 if you don't trust anything
|
|
INTLAN='{{ minifirewall_intlan }}'
|
|
|
|
# Trusted IPv4 addresses for private and semi-public services
|
|
TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
|
|
|
|
# Privilegied IPv4 addresses for semi-public services
|
|
# (no need to add again TRUSTEDIPS)
|
|
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
|
|
register: minifirewall_config_ips
|
|
|
|
- name: Begin marker for ports
|
|
lineinfile:
|
|
dest: /etc/default/minifirewall
|
|
create: no
|
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
|
insertbefore: '^# Protected services'
|
|
|
|
- name: End marker for ports
|
|
lineinfile:
|
|
dest: /etc/default/minifirewall
|
|
create: no
|
|
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
|
insertafter: '^SERVICESUDP3='
|
|
|
|
- name: Configure ports
|
|
blockinfile:
|
|
dest: /etc/default/minifirewall
|
|
create: no
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
|
content: |
|
|
# Protected services
|
|
# (add also in Public services if needed)
|
|
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
|
|
SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
|
|
|
|
# Public services (IPv4/IPv6)
|
|
SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
|
|
SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
|
|
|
|
# Semi-public services (IPv4)
|
|
SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
|
|
SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
|
|
|
|
# Private services (IPv4)
|
|
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
|
|
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
|
register: minifirewall_config_ports
|
|
|
|
- name: evomaintenance
|
|
lineinfile:
|
|
dest: /etc/default/minifirewall
|
|
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
insertafter: "^# EvoMaintenance"
|
|
with_items: "{{ evomaintenance_hosts }}"
|
|
|
|
- name: remove minifirewall example rule for the evomaintenance
|
|
lineinfile:
|
|
dest: /etc/default/minifirewall
|
|
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
|
|
state: absent
|
|
when: evomaintenance_hosts != []
|
|
|
|
- name: restart minifirewall
|
|
# service:
|
|
# name: minifirewall
|
|
# state: restarted
|
|
command: /etc/init.d/minifirewall restart
|
|
register: minifirewall_init_restart
|
|
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
|
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
|
when: minifirewall_is_running.rc == 0 and (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
|
|
|
|
- debug:
|
|
var: minifirewall_init_restart
|
|
verbosity: 2
|