--- - name: Check if minifirewall is running shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running - debug: var: minifirewall_is_running verbosity: 1 - name: Begin marker for IP addresses lineinfile: dest: /etc/default/minifirewall create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' - name: End marker for IP addresses lineinfile: dest: /etc/default/minifirewall create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - fail: msg: You must provide at least 1 trusted IP when: minifirewall_trusted_ips == [] - debug: msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!" when: minifirewall_trusted_ips == ["0.0.0.0/0"] - name: Configure IP addresses blockinfile: dest: /etc/default/minifirewall create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" content: | # Main interface INT='{{ minifirewall_int }}' # IPv6 IPV6='{{ minifirewall_ipv6 }}' # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='{{ minifirewall_intlan }}' # Trusted IPv4 addresses for private and semi-public services TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}' # Privilegied IPv4 addresses for semi-public services # (no need to add again TRUSTEDIPS) PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' register: minifirewall_config_ips - name: Begin marker for ports lineinfile: dest: /etc/default/minifirewall create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' - name: End marker for ports lineinfile: dest: /etc/default/minifirewall create: no line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' - name: Configure ports blockinfile: dest: /etc/default/minifirewall create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" content: | # Protected services # (add also in Public services if needed) SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}' SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}' # Public services (IPv4/IPv6) SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}' SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}' # Semi-public services (IPv4) SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}' SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}' # Private services (IPv4) SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}' SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' register: minifirewall_config_ports - name: evomaintenance lineinfile: dest: /etc/default/minifirewall line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" with_items: "{{ evomaintenance_hosts }}" - name: remove minifirewall example rule for the evomaintenance lineinfile: dest: /etc/default/minifirewall regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent when: evomaintenance_hosts != [] - name: restart minifirewall # service: # name: minifirewall # state: restarted command: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" when: minifirewall_is_running.rc == 0 and (minifirewall_config_ips | changed or minifirewall_config_ports | changed) - debug: var: minifirewall_init_restart verbosity: 2