Persist iptables rules
We configured iptables rules but did not persist them. This meant that rules would be flushed when restarting iptables or the instance. Change-Id: I9d90f55323a33d6a0f0dda1f7ab25d10984fa6cb
This commit is contained in:
parent
efd90dd2f9
commit
0bb84bc58e
@ -14,3 +14,7 @@
|
|||||||
PATH: "{{ ansible_env.PATH }}:/sbin:/usr/sbin"
|
PATH: "{{ ansible_env.PATH }}:/sbin:/usr/sbin"
|
||||||
when: inventory_hostname in groups['peers']
|
when: inventory_hostname in groups['peers']
|
||||||
static: no
|
static: no
|
||||||
|
|
||||||
|
- name: Persist iptables rules
|
||||||
|
include_role:
|
||||||
|
name: persistent-firewall
|
||||||
|
@ -37,6 +37,7 @@
|
|||||||
source: "{{ item }}"
|
source: "{{ item }}"
|
||||||
jump: ACCEPT
|
jump: ACCEPT
|
||||||
with_items: "{{ ipv6_addresses }}"
|
with_items: "{{ ipv6_addresses }}"
|
||||||
when:
|
|
||||||
- ipv6_addresses is defined
|
- name: Persist iptables rules
|
||||||
- ipv6_addresses
|
include_role:
|
||||||
|
name: persistent-firewall
|
||||||
|
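--- a/roles/persistent-firewall/README.rst
+++ b/roles/persistent-firewall/README.rst
@@ -0,0 +1,4 @@
+Saves current iptables rules for both ipv4 and ipv6 and makes them persistent
+so that they are available if iptables or the instance is restarted.
+
+This role can be re-used more than once in order to persist new rules.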
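--- a/roles/persistent-firewall/tasks/main.yaml
+++ b/roles/persistent-firewall/tasks/main.yaml
@@ -0,0 +1,22 @@
+- name: List current ipv4 rules
+  become: yes
+  command: iptables-save
+  changed_when: false
+  failed_when: false
+  register: iptables_rules
+
+- name: List current ipv6 rules
+  become: yes
+  command: ip6tables-save
+  changed_when: false
+  failed_when: false
+  register: ip6tables_rules
+
+- name: Configure persistent iptables rules
+  include: "{{ item }}"
+  static: no
+  with_first_found:
+    - "persist/{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml"
+    - "persist/{{ ansible_distribution }}.yaml"
+    - "persist/{{ ansible_os_family }}.yaml"
+    - "persist/default.yaml"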
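--- a/roles/persistent-firewall/tasks/persist/Debian.yaml
+++ b/roles/persistent-firewall/tasks/persist/Debian.yaml
@@ -0,0 +1,24 @@
+- name: Install iptables-persistent
+  become: yes
+  package:
+    name: iptables-persistent
+    state: installed
+
+- name: Persist ipv4 rules
+  become: yes
+  copy:
+    content: "{{ iptables_rules.stdout }}"
+    dest: "/etc/iptables/rules.v4"
+
+- name: Persist ipv6 rules
+  become: yes
+  copy:
+    content: "{{ ip6tables_rules.stdout }}"
+    dest: "/etc/iptables/rules.v6"
+
+- name: Ensure netfilter-persistent is started
+  become: yes
+  service:
+    name: netfilter-persistent
+    state: started
+    enabled: yes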
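--- a/roles/persistent-firewall/tasks/persist/RedHat.yaml
+++ b/roles/persistent-firewall/tasks/persist/RedHat.yaml
@@ -0,0 +1,18 @@
+- name: Persist ipv4 rules
+  become: yes
+  copy:
+    content: "{{ iptables_rules.stdout }}"
+    dest: "/etc/sysconfig/iptables"
+
+- name: Persist ipv6 rules
+  become: yes
+  copy:
+    content: "{{ ip6tables_rules.stdout }}"
+    dest: "/etc/sysconfig/ip6tables"
+
+- name: Ensure iptables is started
+  become: yes
+  service:
+    name: iptables
+    state: started
+    enabled: yes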
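--- a/roles/persistent-firewall/tasks/persist/Suse.yaml
+++ b/roles/persistent-firewall/tasks/persist/Suse.yaml
@@ -0,0 +1,36 @@
+- name: Persist ipv4 rules
+  become: yes
+  copy:
+    content: "{{ iptables_rules.stdout }}"
+    dest: "/etc/sysconfig/iptables"
+
+- name: Persist ipv6 rules
+  become: yes
+  copy:
+    content: "{{ ip6tables_rules.stdout }}"
+    dest: "/etc/sysconfig/ip6tables"
+
+- name: Set up SuSEfirewall2 custom rules to be loaded
+  become: yes
+  replace:
+    path: /etc/sysconfig/SuSEfirewall2
+    regexp: '^FW_CUSTOMRULES=.*$'
+    replace: 'FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"'
+
+- name: Configure SuSEfirewall2 to restore saved rules on restart
+  become: yes
+  blockinfile:
+    path: /etc/sysconfig/scripts/SuSEfirewall2-custom
+    insertafter: EOF
+    content: |
+      fw_custom_after_finished() {
+        /usr/sbin/iptables-restore /etc/sysconfig/iptables
+        /usr/sbin/ip6tables-restore /etc/sysconfig/ip6tables
+      }
+
+- name: Ensure SuSEfirewall2 is started
+  become: yes
+  service:
+    name: SuSEfirewall2
+    state: started
+    enabled: yes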
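--- a/roles/persistent-firewall/tasks/persist/Ubuntu_trusty.yaml
+++ b/roles/persistent-firewall/tasks/persist/Ubuntu_trusty.yaml
@@ -0,0 +1,24 @@
+- name: Install iptables-persistent
+  become: yes
+  package:
+    name: iptables-persistent
+    state: installed
+
+- name: Persist ipv4 rules
+  become: yes
+  copy:
+    content: "{{ iptables_rules.stdout }}"
+    dest: "/etc/iptables/rules.v4"
+
+- name: Persist ipv6 rules
+  become: yes
+  copy:
+    content: "{{ ip6tables_rules.stdout }}"
+    dest: "/etc/iptables/rules.v6"
+
+- name: Ensure iptables-persistent is started
+  become: yes
+  service:
+    name: iptables-persistent
+    state: started
+    enabled: yes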
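--- a/roles/persistent-firewall/tasks/persist/default.yaml
+++ b/roles/persistent-firewall/tasks/persist/default.yaml
@@ -0,0 +1,5 @@
+- name: Warn about unsupported distribution
+  debug:
+    msg: >
+      WARNING: {{ ansible_distribution }} is not supported by this role yet.
+      The execution of the job will continue without persisting iptables rules.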