From c43ccc38987161f1e1028f94c4432ddec22a9e4e Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Fri, 14 Oct 2016 18:50:24 +0300
Subject: [PATCH] iptables moved to the vpn role #61
---
 roles/security/handlers/main.yml | 3 ---
 roles/security/tasks/main.yml | 8 --------
 roles/vpn/handlers/main.yml | 6 +++---
 roles/vpn/tasks/iptables.yml | 9 +++++++++
 roles/vpn/tasks/main.yml | 4 ++++
 roles/{security => vpn}/templates/rules.v4.j2 | 0
 roles/{security => vpn}/templates/rules.v6.j2 | 0
 7 files changed, 16 insertions(+), 14 deletions(-)
 create mode 100644 roles/vpn/tasks/iptables.yml
 rename roles/{security => vpn}/templates/rules.v4.j2 (100%)
 rename roles/{security => vpn}/templates/rules.v6.j2 (100%)
diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml
index e79c49c..e6d614b 100644
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@@ -1,8 +1,5 @@
 - name: restart ssh
 service: name=ssh state=restarted
-- name: restart iptables
- service: name=netfilter-persistent state=restarted
-
 - name: flush routing cache
 shell: echo 1 > /proc/sys/net/ipv4/route/flush
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index f951616..aed7576 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -88,14 +88,6 @@
 - name: Do not send ICMP redirects (we are not a router)
 sysctl: name=net.ipv4.conf.all.send_redirects value=0
-- name: Iptables configured
- template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
- with_items:
- - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
- - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
- notify:
- - restart iptables
-
 - name: SSH config
 template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
 notify:
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 4ba5173..84e08b0 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -6,13 +6,13 @@
 - name: restart apparmor
 service: name=apparmor state=restarted
-
-- name: save iptables
- shell: service netfilter-persistent save
 - name: save iptables
 shell: service netfilter-persistent save
+- name: restart iptables
+ service: name=netfilter-persistent state=restarted
+
 - name: congrats
 debug:
 msg:
diff --git a/roles/vpn/tasks/iptables.yml b/roles/vpn/tasks/iptables.yml
new file mode 100644
index 0000000..aeed994
--- /dev/null
+++ b/roles/vpn/tasks/iptables.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Iptables configured
+ template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
+ with_items:
+ - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
+ - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
+ notify:
+ - restart iptables
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 690a44a..1009911 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -191,3 +191,7 @@
 fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
 notify:
 - congrats
+
+- include: iptables.yml
+ tags: iptables
+
diff --git a/roles/security/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2
similarity index 100%
rename from roles/security/templates/rules.v4.j2
rename to roles/vpn/templates/rules.v4.j2
diff --git a/roles/security/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2
similarity index 100%
rename from roles/security/templates/rules.v6.j2
rename to roles/vpn/templates/rules.v6.j2
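Review bot: The new `restart iptables` handler is defined after `save iptables`, and Ansible runs notified handlers in the order they are defined in the handlers file, not the order they are notified; if any task in the role still notifies `save iptables`, `netfilter-persistent save` will dump the running ruleset over /etc/iptables/rules.v4 and rules.v6 before the restart reloads them, silently discarding the rules the `Iptables configured` template just rendered. Either move the `- name: restart iptables` / `service: name=netfilter-persistent state=restarted` pair above `save iptables`, or drop `save iptables` entirely now that the templates are the source of truth for the ruleset. I can't see which tasks notify these handlers, so this is inferred from the handler list alone; that list starts before line 6 of the file, outside the hunk.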
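Review bot: The `template:` task in the new file uses `key=value` module arguments with an unquoted `mode=0640`, where the Ansible convention for YAML task files is native block arguments with the octal mode quoted so no YAML loader can retype it (`mode: "0640"`). It would also help a reader to state that this task only renders the persisted rule files and that the running firewall is unchanged until the `restart iptables` handler fires at the end of the play. A native-YAML form of the task:

```yaml
---
# Render the persistent netfilter rule sets. This only writes the files;
# the running firewall changes when the `restart iptables` handler
# reloads them via netfilter-persistent at the end of the play.
- name: Iptables configured
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "0640"
  with_items:
    - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
  notify:
    - restart iptables
```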
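Review bot: `- include: iptables.yml` is appended after the final task of the vpn role, so the firewall rule files are now the last thing the role writes; a failure in any earlier vpn task (for example the ca.crt `fetch` just above) aborts the play with no iptables rules persisted on disk for netfilter-persistent to load, whereas the security role previously wrote them before any VPN setup ran. Consider moving the include to the top of the vpn task list, and following it with `- meta: flush_handlers` so the `restart iptables` handler loads the ruleset before the VPN daemons start listening rather than at the end of the play. The hunk also adds a trailing blank line at end of file, which yamllint will flag. I can't see the playbook's role ordering or the tasks before line 191, so the size of the exposure window is inferred.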