Persist iptables rules

We configured iptables rules but did not persist them, so the rules were
flushed whenever iptables or the instance was restarted.

Change-Id: I9d90f55323a33d6a0f0dda1f7ab25d10984fa6cb
This commit is contained in:
David Moreau-Simard 2017-10-21 11:31:51 -04:00
parent efd90dd2f9
commit 0bb84bc58e
GPG Key ID: 33A07694CBB71ECC
9 changed files with 141 additions and 3 deletions


@ -14,3 +14,7 @@
PATH: "{{ ansible_env.PATH }}:/sbin:/usr/sbin" PATH: "{{ ansible_env.PATH }}:/sbin:/usr/sbin"
when: inventory_hostname in groups['peers'] when: inventory_hostname in groups['peers']
static: no static: no
- name: Persist iptables rules
include_role:
name: persistent-firewall
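Review bot: The new `include_role` carries no `when`, while the task just above it is gated on `inventory_hostname in groups['peers']`, so the role runs on every host in the play and persists whatever ruleset those hosts currently have. If only the peers' rules are meant to be saved, mirror the guard on the include: `when: inventory_hostname in groups['peers']`. The same unguarded include is added in the second file section of this commit; I can't tell from the rendering whether that one sits inside the preceding `when:` list or after it, which is worth confirming on the real file.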


@ -37,6 +37,7 @@
source: "{{ item }}" source: "{{ item }}"
jump: ACCEPT jump: ACCEPT
with_items: "{{ ipv6_addresses }}" with_items: "{{ ipv6_addresses }}"
when:
- ipv6_addresses is defined - name: Persist iptables rules
- ipv6_addresses include_role:
name: persistent-firewall


@ -0,0 +1,4 @@
Saves current iptables rules for both ipv4 and ipv6 and makes them persistent
so that they are available if iptables or the instance is restarted.
This role can be re-used more than once in order to persist new rules.


@ -0,0 +1,22 @@
- name: List current ipv4 rules
become: yes
command: iptables-save
changed_when: false
failed_when: false
register: iptables_rules
- name: List current ipv6 rules
become: yes
command: ip6tables-save
changed_when: false
failed_when: false
register: ip6tables_rules
- name: Configure persistent iptables rules
include: "{{ item }}"
static: no
with_first_found:
- "persist/{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml"
- "persist/{{ ansible_distribution }}.yaml"
- "persist/{{ ansible_os_family }}.yaml"
- "persist/default.yaml"
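Review bot: `failed_when: false` on the two `*-save` commands means a failed dump (binary missing, privilege problem) leaves `iptables_rules.stdout` / `ip6tables_rules.stdout` empty, and the included persist tasks then overwrite the saved ruleset file with empty content, wiping rules that were persisted by an earlier run. Dropping `failed_when: false` from both tasks, or gating the include with `when: iptables_rules.rc == 0 and ip6tables_rules.rc == 0`, keeps a failed save from clobbering a good file. As a style point, `become: yes` reads better as `become: true` (yamllint truthy), here and in each per-distribution file added by this commit.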


@ -0,0 +1,24 @@
- name: Install iptables-persistent
become: yes
package:
name: iptables-persistent
state: installed
- name: Persist ipv4 rules
become: yes
copy:
content: "{{ iptables_rules.stdout }}"
dest: "/etc/iptables/rules.v4"
- name: Persist ipv6 rules
become: yes
copy:
content: "{{ ip6tables_rules.stdout }}"
dest: "/etc/iptables/rules.v6"
- name: Ensure netfilter-persistent is started
become: yes
service:
name: netfilter-persistent
state: started
enabled: yes
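Review bot: `state: installed` is a legacy alias that `package` passes through to the backend; `state: present` is the canonical form, and the same alias appears in the later iptables-persistent section. The two `copy` tasks set no `mode`, so `/etc/iptables/rules.v4` and `rules.v6` take whatever the remote umask gives; if these files are not meant to be world-readable, set `mode: "0600"` explicitly rather than relying on the default.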


@ -0,0 +1,18 @@
- name: Persist ipv4 rules
become: yes
copy:
content: "{{ iptables_rules.stdout }}"
dest: "/etc/sysconfig/iptables"
- name: Persist ipv6 rules
become: yes
copy:
content: "{{ ip6tables_rules.stdout }}"
dest: "/etc/sysconfig/ip6tables"
- name: Ensure iptables is started
become: yes
service:
name: iptables
state: started
enabled: yes
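Review bot: Only the `iptables` service is started and enabled, so the IPv6 rules written to `/etc/sysconfig/ip6tables` are never restored at boot — on RHEL-family systems that file is loaded by the separate `ip6tables` unit, which this file does not touch. A second service task for `ip6tables` fixes that. Unlike the Debian/Ubuntu sections, nothing here installs the package that provides those units (`iptables-services` on RHEL 7 and later, where firewalld is the default); if it is not installed by some earlier play, the service task will fail — I can't tell from this hunk.
```yaml
# … unchanged: persist ipv4/ipv6 rules, iptables service …
- name: Ensure ip6tables is started
  become: true
  service:
    name: ip6tables
    state: started
    enabled: true
```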


@ -0,0 +1,36 @@
- name: Persist ipv4 rules
become: yes
copy:
content: "{{ iptables_rules.stdout }}"
dest: "/etc/sysconfig/iptables"
- name: Persist ipv6 rules
become: yes
copy:
content: "{{ ip6tables_rules.stdout }}"
dest: "/etc/sysconfig/ip6tables"
- name: Set up SuSEfirewall2 custom rules to be loaded
become: yes
replace:
path: /etc/sysconfig/SuSEfirewall2
regexp: '^FW_CUSTOMRULES=.*$'
replace: 'FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"'
- name: Configure SuSEfirewall2 to restore saved rules on restart
become: yes
blockinfile:
path: /etc/sysconfig/scripts/SuSEfirewall2-custom
insertafter: EOF
content: |
fw_custom_after_finished() {
/usr/sbin/iptables-restore /etc/sysconfig/iptables
/usr/sbin/ip6tables-restore /etc/sysconfig/ip6tables
}
- name: Ensure SuSEfirewall2 is started
become: yes
service:
name: SuSEfirewall2
state: started
enabled: yes
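Review bot: The `replace` task on `/etc/sysconfig/SuSEfirewall2` silently does nothing when no `FW_CUSTOMRULES=` line matches the regexp, in which case the custom script is never loaded and the saved rules are not restored; `lineinfile` with `regexp: '^FW_CUSTOMRULES='` and `line: 'FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"'` both replaces and creates the setting. The `blockinfile` appends a fresh `fw_custom_after_finished()` definition; if the shipped custom script already defines that function (I believe it does, as a stub), the appended one wins only because it comes last in the file, which deserves a comment in the block such as `# appended last so this definition overrides the stub above`. `insertafter: EOF` is the module default and can be dropped.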


@ -0,0 +1,24 @@
- name: Install iptables-persistent
become: yes
package:
name: iptables-persistent
state: installed
- name: Persist ipv4 rules
become: yes
copy:
content: "{{ iptables_rules.stdout }}"
dest: "/etc/iptables/rules.v4"
- name: Persist ipv6 rules
become: yes
copy:
content: "{{ ip6tables_rules.stdout }}"
dest: "/etc/iptables/rules.v6"
- name: Ensure iptables-persistent is started
become: yes
service:
name: iptables-persistent
state: started
enabled: yes


@ -0,0 +1,5 @@
- name: Warn about unsupported distribution
debug:
msg: >
WARNING: {{ ansible_distribution }} is not supported by this role yet.
The execution of the job will continue without persisting iptables rules.
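Review bot: The folded scalar `msg: >` keeps a trailing newline in the message; `msg: >-` produces the same two-sentence text without it and is the usual form for a single-line message. Since this file is the fallback reached only when no distribution file matched, a short comment at the top, such as `# fallback when no persist/<distribution>.yaml matched; rules stay unpersisted`, would tell a reader why it only warns instead of failing.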