Stop the iptables service when disabled.

handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Start the iptables service
   service: name=iptables-persistent state=restarted enabled=yes
-  notify: Restart fail2ban
+  notify: Restart fail2ban after an iptables restart
 
 - name: Start the netfilter service
   service: name=netfilter-persistent state=restarted enabled=yes
@@ -30,4 +30,3 @@
   when:
     - fail2ban_enabled is defined and fail2ban_enabled
     - centos_install_epel
-

meta/main.yml

@@ -1,25 +1,23 @@
 galaxy_info:
   author: Andrea Dell'Amico
-  description: Systems Architect
+  description: Linux firewall rules (netfilter-persistent or firewalld)
   company: ISTI-CNR
-
+  namespace: adellam
-  issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
+  role_name: linux_firewall
-
   license: EUPL 1.2+
-
+  min_ansible_version: "2.9"
-  min_ansible_version: 2.8
-
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
   platforms:
     - name: Ubuntu
       versions:
         - trusty
         - bionic
+        - focal
+        - jammy
     - name: EL
       versions:
-        - 7
+        - "7"
+        - "8"
+        - "9"
 
   galaxy_tags:
     - firewall

tasks/disable-plain-iptables.yml

@@ -0,0 +1,14 @@
+---
+- name: disable-plain-iptables | Stop the iptables firewall
+  tags: ['iptables', 'iptables_rules']
+  block:
+    - name: disable-plain-iptables | Flush the iptables rules
+      ansible.builtin.command: /usr/sbin/netfilter-persistent flush
+      ignore_errors: true
+
+    - name: disable-plain-iptables | Stop and disable the netfilter service
+      ansible.builtin.service:
+        name: netfilter-persistent
+        state: stopped
+        enabled: false
+      notify: Restart fail2ban

tasks/iptables-packages.yml

@@ -0,0 +1,8 @@
+---
+- name: iptables-packages | Manage the iptables packages
+  block:
+    - name: iptables-packages | Install the needed iptables packages
+      ansible.builtin.apt:
+        pkg: "{{ iptables_deb_pkgs }}"
+        state: present
+        cache_valid_time: 1800

tasks/main.yml

@@ -1,9 +1,22 @@
 ---
-- import_tasks: plain-iptables.yml
+- name: Iptables packages
+  ansible.builtin.import_tasks: iptables-packages.yml
+  when:
+    - ansible_distribution_file_variety == "Debian"
+- name: Plain iptables
+  ansible.builtin.import_tasks: plain-iptables.yml
   when:
     - iptables_persistent_enabled
     - ansible_distribution_file_variety == "Debian"
-- import_tasks: firewalld_rules.yml
+- name: Disable iptables
+  ansible.builtin.import_tasks: disable-plain-iptables.yml
+  when:
+    - not iptables_persistent_enabled
+    - ansible_distribution_file_variety == "Debian"
+    - ansible_distribution_version is version_compare('16.04', '>=')
+- name: Firewalld rules
+  ansible.builtin.import_tasks: firewalld_rules.yml
   when: ansible_distribution_file_variety == "RedHat"
-- import_tasks: firewalld_disable.yml
+- name: Disable firewalld
+  ansible.builtin.import_tasks: firewalld_disable.yml
   when: ansible_distribution_file_variety == "RedHat"

tasks/plain-iptables.yml

@@ -1,8 +1,5 @@
 ---
 - block:
-  - name: Install the needed iptables packages
-    apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
-
   - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
     template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
     with_items: