Stop the iptables service when disabled.

This commit is contained in:
Andrea Dell'Amico 2023-10-02 19:49:40 +02:00
parent 3dad37d0ea
commit 9521affbdb
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
6 changed files with 48 additions and 19 deletions


@ -1,7 +1,7 @@
---
- name: Start the iptables service
service: name=iptables-persistent state=restarted enabled=yes
notify: Restart fail2ban
notify: Restart fail2ban after an iptables restart
- name: Start the netfilter service
service: name=netfilter-persistent state=restarted enabled=yes
@ -30,4 +30,3 @@
when:
- fail2ban_enabled is defined and fail2ban_enabled
- centos_install_epel
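Review bot: The notify target on the `Start the iptables service` handler now reads `Restart fail2ban after an iptables restart`, while the new disable-plain-iptables.yml task in this commit still notifies `Restart fail2ban`; if this commit renamed that handler rather than adding a second one, a run with `iptables_persistent_enabled: false` would fail with an undefined-handler error. The handler definitions are outside this hunk, so this is inferred from the names alone and worth a check against the rest of the file. As a style point, the `service: name=iptables-persistent state=restarted enabled=yes` free-form lines here could be moved to block YAML with `enabled: true`, matching the FQCN style the new task files use.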


@ -1,25 +1,23 @@
galaxy_info:
author: Andrea Dell'Amico
description: Systems Architect
description: Linux firewall rules (netfilter-persistent or firewalld)
company: ISTI-CNR
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
namespace: adellam
role_name: linux_firewall
license: EUPL 1.2+
min_ansible_version: 2.8
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
min_ansible_version: "2.9"
platforms:
- name: Ubuntu
versions:
- trusty
- bionic
- focal
- jammy
- name: EL
versions:
- 7
- "7"
- "8"
- "9"
galaxy_tags:
- firewall


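--- /dev/null
+++ b/disable-plain-iptables.yml
+---
+- name: disable-plain-iptables | Stop the iptables firewall
+tags: ['iptables', 'iptables_rules']
+block:
+- name: disable-plain-iptables | Flush the iptables rules
+ansible.builtin.command: /usr/sbin/netfilter-persistent flush
+ignore_errors: true
+- name: disable-plain-iptables | Stop and disable the netfilter service
+ansible.builtin.service:
+name: netfilter-persistent
+state: stopped
+enabled: false
+notify: Restart fail2ban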
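Review bot: `ignore_errors: true` on the `Flush the iptables rules` command swallows every failure, so a flush that exits non-zero still lets the block stop and disable the unit while rules may remain loaded, and the error surfaces only as a non-fatal red line. Since main.yml now imports iptables-packages.yml on every Debian host before this file, the script is presumably already installed (assuming `iptables_deb_pkgs` contains iptables-persistent — confirm in the defaults), so the tolerated case is narrower than "anything"; `register: flush_result` with a `failed_when` that only accepts the missing-script case, plus a `changed_when`, keeps real failures visible and stops repeated runs from always reporting a change. The `notify: Restart fail2ban` also requires that handler to exist on hosts where fail2ban is not managed, and the handlers file in this commit notifies `Restart fail2ban after an iptables restart`, so check which name the handler actually has.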


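--- /dev/null
+++ b/iptables-packages.yml
@@ -0,0 +1,8 @@
+---
+- name: iptables-packages | Manage the iptables packages
+block:
+- name: iptables-packages | Install the needed iptables packages
+ansible.builtin.apt:
+pkg: "{{ iptables_deb_pkgs }}"
+state: present
+cache_valid_time: 1800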
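Review bot: The `Manage the iptables packages` block carries no `tags`, while the sibling disable-plain-iptables.yml block in this commit is tagged `['iptables', 'iptables_rules']`; a run limited with `--tags iptables` would flush and disable the service on a host where this package task was skipped. Add the same `tags: ['iptables', 'iptables_rules']` here (or on the import in main.yml) so the two files are selected together. Since the block wraps a single task, it can also be dropped in favour of the bare task.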


@ -1,9 +1,22 @@
---
- import_tasks: plain-iptables.yml
- name: Iptables packages
ansible.builtin.import_tasks: iptables-packages.yml
when:
- ansible_distribution_file_variety == "Debian"
- name: Plain iptables
ansible.builtin.import_tasks: plain-iptables.yml
when:
- iptables_persistent_enabled
- ansible_distribution_file_variety == "Debian"
- import_tasks: firewalld_rules.yml
- name: Disable iptables
ansible.builtin.import_tasks: disable-plain-iptables.yml
when:
- not iptables_persistent_enabled
- ansible_distribution_file_variety == "Debian"
- ansible_distribution_version is version_compare('16.04', '>=')
- name: Firewalld rules
ansible.builtin.import_tasks: firewalld_rules.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: firewalld_disable.yml
- name: Disable firewalld
ansible.builtin.import_tasks: firewalld_disable.yml
when: ansible_distribution_file_variety == "RedHat"
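Review bot: The `Disable iptables` import is gated on `ansible_distribution_version is version_compare('16.04', '>=')`, but like the other two Debian-family imports it is selected by `ansible_distribution_file_variety == "Debian"`, which also matches Debian proper, whose versions (`11`, `12`) never satisfy a comparison against an Ubuntu release number; those hosts get the packages installed and then never reach the stop-and-disable tasks when `iptables_persistent_enabled` is false. Either scope the version check by adding `- ansible_distribution == "Ubuntu"` next to it, or drop it if every supported Debian release is acceptable; `version` is also the current name of that test, `version_compare` being the older alias. Separately, the `Iptables packages` import runs on every Debian host regardless of the flag, so a host with `iptables_persistent_enabled: false` installs the packages only for the next import to stop and disable the service — if keeping the tooling installed is intentional, a one-line comment above that import saying so would save the next reader the question.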


@ -1,8 +1,5 @@
---
- block:
- name: Install the needed iptables packages
apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items: