Stop the iptables service when disabled.

2023-10-02 19:49:40 +02:00 · 2023-10-02 19:49:40 +02:00 · 9521affbdb
parent 3dad37d0ea
commit 9521affbdb
6 changed files with 48 additions and 19 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,7 +1,7 @@
 ---
 - name: Start the iptables service
  service: name=iptables-persistent state=restarted enabled=yes
-  notify: Restart fail2ban
+  notify: Restart fail2ban after an iptables restart

 - name: Start the netfilter service
  service: name=netfilter-persistent state=restarted enabled=yes
@ -30,4 +30,3 @@
  when:
    - fail2ban_enabled is defined and fail2ban_enabled
    - centos_install_epel
-
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,25 +1,23 @@
 galaxy_info:
  author: Andrea Dell'Amico
-  description: Systems Architect
+  description: Linux firewall rules (netfilter-persistent or firewalld)
  company: ISTI-CNR
-
-  issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
-
+  namespace: adellam
+  role_name: linux_firewall
  license: EUPL 1.2+
-
-  min_ansible_version: 2.8
-
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
+  min_ansible_version: "2.9"
  platforms:
    - name: Ubuntu
      versions:
        - trusty
        - bionic
+        - focal
+        - jammy
    - name: EL
      versions:
-        - 7
+        - "7"
+        - "8"
+        - "9"

  galaxy_tags:
    - firewall
--- a/tasks/disable-plain-iptables.yml
+++ b/tasks/disable-plain-iptables.yml
@ -0,0 +1,14 @@
+---
+- name: disable-plain-iptables | Stop the iptables firewall
+  tags: ['iptables', 'iptables_rules']
+  block:
+    - name: disable-plain-iptables | Flush the iptables rules
+      ansible.builtin.command: /usr/sbin/netfilter-persistent flush
+      ignore_errors: true
+
+    - name: disable-plain-iptables | Stop and disable the netfilter service
+      ansible.builtin.service:
+        name: netfilter-persistent
+        state: stopped
+        enabled: false
+      notify: Restart fail2ban
--- a/tasks/iptables-packages.yml
+++ b/tasks/iptables-packages.yml
@ -0,0 +1,8 @@
+---
+- name: iptables-packages | Manage the iptables packages
+  block:
+    - name: iptables-packages | Install the needed iptables packages
+      ansible.builtin.apt:
+        pkg: "{{ iptables_deb_pkgs }}"
+        state: present
+        cache_valid_time: 1800
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,9 +1,22 @@
 ---
- import_tasks: plain-iptables.yml
+- name: Iptables packages
+  ansible.builtin.import_tasks: iptables-packages.yml
+  when:
+    - ansible_distribution_file_variety == "Debian"
+- name: Plain iptables
+  ansible.builtin.import_tasks: plain-iptables.yml
  when:
    - iptables_persistent_enabled
    - ansible_distribution_file_variety == "Debian"
- import_tasks: firewalld_rules.yml
+- name: Disable iptables
+  ansible.builtin.import_tasks: disable-plain-iptables.yml
+  when:
+    - not iptables_persistent_enabled
+    - ansible_distribution_file_variety == "Debian"
+    - ansible_distribution_version is version_compare('16.04', '>=')
+- name: Firewalld rules
+  ansible.builtin.import_tasks: firewalld_rules.yml
  when: ansible_distribution_file_variety == "RedHat"
- import_tasks: firewalld_disable.yml
+- name: Disable firewalld
+  ansible.builtin.import_tasks: firewalld_disable.yml
  when: ansible_distribution_file_variety == "RedHat"
--- a/tasks/plain-iptables.yml
+++ b/tasks/plain-iptables.yml
@ -1,8 +1,5 @@
 ---
 - block:
-  - name: Install the needed iptables packages
-    apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
-
  - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
    template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
    with_items: