100 lines
2.4 KiB
YAML
100 lines
2.4 KiB
YAML
---
|
|
- name: gather OS specific variables
|
|
include_vars: "{{ item }}"
|
|
with_first_found:
|
|
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yaml"
|
|
- "{{ ansible_distribution }}.yaml"
|
|
- "{{ ansible_os_family }}.yaml"
|
|
|
|
- name: install iptables
|
|
package:
|
|
name: "{{ firewall_iptables_package_name }}"
|
|
state: "{{ firewall_iptables_package_state }}"
|
|
|
|
- name: install iptables-persistent
|
|
package:
|
|
name: "{{ firewall_iptables_persistent_package_name }}"
|
|
state: "{{ firewall_iptables_persistent_package_state }}"
|
|
|
|
- name: manage iptables-persistent service
|
|
service:
|
|
name: "{{ firewall_iptables_persistent_service_name }}"
|
|
state: "{{ firewall_iptables_persistent_service_state }}"
|
|
enabled: "{{ firewall_iptables_persistent_service_enabled }}"
|
|
|
|
- name: install ipset
|
|
package:
|
|
name: "{{ firewall_ipset_package_name }}"
|
|
state: "{{ firewall_ipset_package_state }}"
|
|
|
|
- name: install ulogd
|
|
package:
|
|
name: "{{ firewall_ulogd_package_name }}"
|
|
state: "{{ firewall_ulogd_package_state }}"
|
|
|
|
- name: configure ulogd
|
|
template:
|
|
src: ulogd.conf.j2
|
|
dest: "{{ firewall_ulogd_config_path }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
notify: restart ulogd
|
|
|
|
- name: manage ulogd service
|
|
service:
|
|
name: "{{ firewall_ulogd_service_name }}"
|
|
state: "{{ firewall_ulogd_service_state }}"
|
|
enabled: "{{ firewall_ulogd_service_enabled }}"
|
|
|
|
- name: patch iptables-persistent service for ipset
|
|
template:
|
|
src: 14-ipset.j2
|
|
dest: "{{ firewall_iptables_persistent_plugin_path }}/14-ipset"
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
|
|
- name: configure iptables clear rules
|
|
copy:
|
|
src: "{{ item }}"
|
|
dest: /etc/iptables/{{ item }}
|
|
loop:
|
|
- clear.v4
|
|
- clear.v6
|
|
|
|
- name: configure ipsets
|
|
template:
|
|
src: ipset.j2
|
|
dest: "{{ firewall_ipset }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
notify:
|
|
- reload ipset
|
|
- iptables-persistent
|
|
|
|
- name: configure IPv4 firewall
|
|
template:
|
|
src: iptables.j2
|
|
dest: "{{ firewall_iptables_rules_v4 }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
notify:
|
|
- restart firewall v4
|
|
- iptables-persistent
|
|
|
|
- name: configure IPv6 firewall
|
|
template:
|
|
src: ip6tables.j2
|
|
dest: "{{ firewall_iptables_rules_v6 }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
notify:
|
|
- restart firewall v6
|
|
- iptables-persistent
|
|
|
|
# vim:ft=yaml.ansible:
|