From 58105ecdb7ec0f6330aebb1c0212542a3f7afc1d Mon Sep 17 00:00:00 2001
From: Kushal Das
Date: Tue, 9 Feb 2021 15:59:15 +0530
Subject: [PATCH] Fixes #5776 adds iptables-persistent dependency on Focal
On Ubuntu Focal, we can use iptables-persistent package, and also uses updated rules filepath based on distribution version.
---
 .../ansible-base/roles/app/handlers/main.yml | 9 ++++++++-
 .../restrict-direct-access/files/load_iptables | 4 ++++
 .../restrict-direct-access/tasks/iptables.yml | 18 ++++++++++++++++--
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/install_files/ansible-base/roles/app/handlers/main.yml b/install_files/ansible-base/roles/app/handlers/main.yml
index d795106e22..aadc67ab01 100644
--- a/install_files/ansible-base/roles/app/handlers/main.yml
+++ b/install_files/ansible-base/roles/app/handlers/main.yml
@@ -5,8 +5,15 @@
 name: tor
 state: restarted
-- name: reload iptables rules
+- name: reload iptables rules for xenial
 shell: iptables-restore < /etc/network/iptables/rules_v4
+ when:
+ - ansible_distribution_release == 'xenial'
+
+- name: reload iptables rules for focal
+ shell: iptables-restore < /etc/iptables/rules.v4
+ when:
+ - ansible_distribution_release == 'focal'
 ## App/securedrop section
 - name: restart apache2
diff --git a/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables b/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
index 1fcd2047fc..48c8e1e23b 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
+++ b/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
@@ -2,6 +2,8 @@
 # Description: apply the securedrop iptable rules
 if [ -f /etc/network/iptables/rules_v4 ]; then
 iptables-restore < /etc/network/iptables/rules_v4
+elif [ -f /etc/iptables/rules.v4 ]; then
+ iptables-restore < /etc/iptables/rules.v4
 else
 echo "Iptables rules file does not exist"
 exit 1
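Review bot: Renaming the existing handler from `reload iptables rules` to `reload iptables rules for xenial` will fail the play for any task that still does `notify: reload iptables rules` — Ansible errors on a notify whose handler name no longer exists — and nothing in this patch updates a notifier (none of the hunks shown notify either handler, so I cannot tell from here whether one exists). Giving both new handlers a `listen: reload iptables rules` line keeps the old name working and lets one notify reach whichever handler matches the release. Separately, the focal handler restores only `rules.v4`, whereas netfilter-persistent (the service the patch installs) loads both v4 and v6 at boot; `command: netfilter-persistent reload` would keep the handler and boot-time behaviour identical, though I have not verified the plugin set shipped in the focal package. Neither handler fires on a release other than xenial or focal, which is worth a comment or an assert elsewhere.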
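Review bot: The new `elif` branch is only reached when `/etc/network/iptables/rules_v4` is absent, so on a host upgraded in place from xenial — where the playbook never removes the legacy directory — this if-up script keeps applying the stale xenial ruleset and silently ignores the focal `rules.v4` that `iptables.yml` now maintains. If the legacy path is meant to be authoritative only on xenial, either probe `/etc/iptables/rules.v4` first or have the focal tasks delete `/etc/network/iptables`; at minimum a comment above the branch such as `# Legacy xenial path wins when both files exist; focal rules live in /etc/iptables` makes the precedence explicit. On focal, netfilter-persistent also applies `rules.v4` at boot, so the script re-applies the same file on every if-up; that should be harmless with a full `iptables-restore`, but it deserves a comment so nobody later adds `--noflush` here. The closing `fi` of this block is outside the hunk.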
@@ -9,6 +11,8 @@ fi
 if [ -f /etc/network/iptables/rules_v6 ]; then
 ip6tables-restore < /etc/network/iptables/rules_v6
+elif [ -f /etc/iptables/rules.v6 ]; then
+ ip6tables-restore < /etc/iptables/rules.v6
 else
 echo "Ip6tables rules file does not exist"
 exit 1
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
index 11c2fefbcd..bffb5348b5 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
@@ -21,6 +21,18 @@
 delegate_to: localhost
 delegate_facts: True
+- name: Install iptables-persistent package
+ apt:
+ pkg: iptables-persistent
+ state: latest
+ update_cache: yes
+ cache_valid_time: 3600
+ when:
+ - ansible_distribution_release == 'focal'
+ tags:
+ - apt
+ - iptables
+
 - name: Copy load_iptables if-up script.
 copy:
 src: load_iptables
@@ -35,6 +47,8 @@
 owner: root
 group: root
 dest: /etc/network/iptables
+ when:
+ - ansible_distribution_release == 'xenial'
 - name: Determine local platform specific routing info
 set_fact:
@@ -59,7 +73,7 @@
 - name: Copy IPv4 iptables rules.
 template:
 src: rules_v4
- dest: /etc/network/iptables/rules_v4
+ dest: "{{ '/etc/iptables/rules.v4' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v4' }}"
 owner: root
 mode: "0644"
 notify: drop flag for reboot
@@ -67,6 +81,6 @@
 - name: Copy IPv6 iptables rules.
 copy:
 src: iptables_rules_v6
- dest: /etc/network/iptables/rules_v6
+ dest: "{{ '/etc/iptables/rules.v6' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v6' }}"
 owner: root
 mode: "0644"
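Review bot: A failing `ip6tables-restore` in the new `elif` branch is not checked, so the script still exits 0 with no IPv6 rules applied — the only error handling in this block is for a missing file, and nothing in the visible lines sets `-e` (the shebang line is outside the hunk, so hedge accordingly). The v4 branch above has the same shape, but since this hunk is new code the shorter fix is to fail on the restore itself: `ip6tables-restore < /etc/iptables/rules.v6 || { echo "Failed to apply ip6tables rules"; exit 1; }`. A comment on the branch, `# focal: written by iptables.yml and also loaded at boot by netfilter-persistent`, would document why two locations are probed. The closing `fi` of this block is outside the hunk.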
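Review bot: The `apt` task installs iptables-persistent before either rules file has been written, and as far as I recall the package's debconf questions `iptables-persistent/autosave_v4` and `iptables-persistent/autosave_v6` default to yes under a noninteractive install, which snapshots whatever ruleset is live at that moment into `/etc/iptables/rules.v4` and `rules.v6`; on first provisioning that is most likely an open policy, and if the later copy tasks do not run, the open ruleset is what netfilter-persistent re-applies at boot. Preseeding both questions to false with the `debconf` module immediately before this task closes that window, and `state: present` instead of `state: latest` keeps a firewall-package upgrade from being a side effect of every playbook run. Please verify the autosave default against the focal package before relying on this.

```yaml
- name: Do not let iptables-persistent snapshot the live ruleset on install
  debconf:
    name: iptables-persistent
    question: "{{ item }}"
    value: "false"
    vtype: boolean
  loop:
    - iptables-persistent/autosave_v4
    - iptables-persistent/autosave_v6
  when:
    - ansible_distribution_release == 'focal'

# … unchanged: Install iptables-persistent package task, with state: present …
```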
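Review bot: The `else` arm of the inline `dest` expression sends any release that is not focal to the legacy `/etc/network/iptables/rules_v4` path, while the task that creates that directory is now gated on `xenial` specifically and the reload handlers only match xenial or focal, so a third release is neither rejected up front nor fully configured — the copy fails on a missing directory, and on a host where the directory happens to exist nothing reloads the rules. The same release check is now spelled out in six places across the patch, which makes that gap easy to miss. Resolving the two paths into facts once, guarded by an assert on the release, keeps the `dest` lines short (`dest: "{{ iptables_rules_v4_path }}"` and `dest: "{{ iptables_rules_v6_path }}"`) and fails loudly on anything unsupported. The enclosing task list continues outside the hunk.

```yaml
- name: Refuse to configure iptables on an unsupported release
  assert:
    that:
      - ansible_distribution_release in ['xenial', 'focal']
    fail_msg: "No iptables rules path is defined for {{ ansible_distribution_release }}"

- name: Resolve release-specific iptables rules paths
  set_fact:
    iptables_rules_v4_path: "{{ '/etc/iptables/rules.v4' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v4' }}"
    iptables_rules_v6_path: "{{ '/etc/iptables/rules.v6' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v6' }}"

# … unchanged: Copy IPv4 iptables rules task, with dest: "{{ iptables_rules_v4_path }}" …
```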