add Ubuntu 18.04 and Ubuntu 20.04 support (#2)

* initial Ubuntu 18.04 support

* fix iptables commands to vars

* Backported netfilter-persistent plugins from ipset-persistent for ipset persistence (Only for Ubuntu 18.04)

* add support for Ubuntu 20.04 LTS

* Update README

* update meta

.gitlab-ci.yml

@@ -31,7 +31,7 @@ variables:
     - cd ../
     # - mv ansible-role-$ROLE_NAME ryandaniels.$ROLE_NAME
     # - cd ryandaniels.$ROLE_NAME
-    - ln -s ansible-role-$ROLE_NAME ryandaniels.$ROLE_NAME
+    - ln -s ansible-role-iptables-docker ryandaniels.$ROLE_NAME
     - cd ryandaniels.$ROLE_NAME
   script:
     - ansible-lint

README.md

@@ -14,7 +14,11 @@ There could be unknown problems with this.. use at your own risk!
 See also: <https://ryandaniels.ca/blog/secure-docker-with-iptables-firewall-and-ansible/>  
 And about Docker's use of the INPUT chain: <https://ryandaniels.ca/blog/docker-iptables-input-chain/>
 
-Currently tested and working on CentOS/RHEL 7.  
+Currently tested and working on:
+
+* CentOS/RHEL 7
+* Ubuntu 18.04
+* Ubuntu 20.04
 
 ## Features
 
@@ -82,6 +86,8 @@ Tested in normal Docker mode, and with a 3 node Docker Swarm cluster.
 ## Distros tested
 
 * CentOS: 7.7, 7.8
+* Ubuntu 18.04
+* Ubuntu 20.04
 
 ## Dependencies
 
@@ -422,7 +428,7 @@ List iptables that are active:
 iptables -nvL --line-numbers
 ```
 
-Misc useful commands:
+Misc CentOS/RHEL useful commands:
 
 ```bash
 cat /etc/sysconfig/ipset.d/ip_allow.set
@@ -439,7 +445,20 @@ iptables -S DOCKER-USER
 iptables -S FILTERS
 ```
 
-## Manual Commands
+Misc Ubuntu useful commands:
+
+```bash
+vi /etc/iptables/ipsets
+#Manually add 'flush' before add, if removing IPs manually.
+
+/usr/sbin/netfilter-persistent reload
+
+cat /etc/iptables/ipsets
+
+cat /etc/iptables/rules.v4
+```
+
+## Manual Commands (CentOS/RHEL)
 
 Check what iptables rules you already have. Make note in case they are lost!
 
@@ -566,7 +585,7 @@ Don't miss the Warnings from above! Especially about SELinux.
 * [x] add automatic list of docker IPs in allowed list (uses IPs from inventory group docker_hosts)
 * [x] Change auto Docker server trusted IPs so can override
 * [x] confirm "when" and "tags" are ok
-* [ ] Ubuntu? Ubuntu doesn't have iptables-services or ipset-service. has iptables-persistent and ipset-? Easy to add ufw support?
+* [x] Ubuntu? Ubuntu doesn't have iptables-services or ipset-service. has iptables-persistent and ipset-? No ufw support
 * [ ] ipv6?? This is for ipv4 only
 * [x] test TCP, UDP Docker container and OS port work
 * [x] test outound traffic from Docker containers work

defaults/main.yml

@@ -15,11 +15,15 @@ iptables_docker_packages:
   - ipset
   - ipset-service
   - policycoreutils-python #required for semodule
+
 iptables_docker_copy_ipset_force: false
 iptables_docker_copy_iptables_force: false
+iptables_docker_iptables_persistent_svc: iptables
+iptables_docker_iptables_save_cmd: "/usr/libexec/iptables/iptables.init save"
 iptables_docker_iptables_config_save: /etc/sysconfig/iptables
 iptables_docker_iptables_config: /etc/sysconfig/iptables-config
 iptables_docker_ipset_config_dir: /etc/sysconfig/ipset.d
+iptables_docker_ipset_save_file: ip_allow.set
 iptables_docker_ipset_maxelem: 65536
 
 # Optional override. If not set, IPs will be determined from docker_hosts group in Ansible inventory

files/ubuntu/iptables-persistent_1.0.14/LICENSE

@@ -0,0 +1,25 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: iptables-persistent
+Upstream-Contact: Jonathan Wiltshire <[email protected]>
+
+Files: *
+Copyright: © 2009, Simon Richter <[email protected]>
+           © 2010, Chris Silva <[email protected]>
+           © 2010, Jonathan Wiltshire <[email protected]>
+           © 2018, gustavo panizzo <[email protected]>
+License: GPL-3
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in `/usr/share/common-licenses/GPL-3'.

files/ubuntu/iptables-persistent_1.0.14/plugins/10-ipset

@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# This file is part of netfilter-persistent
+# (was iptables-persistent)
+# Copyright (C) 2018, gustavo panizzo <[email protected]>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation, either version 3
+# of the License, or (at your option) any later version.
+
+# This script saves and/or restores ipset(s) to/from a file
+# Flush is implemented in another script, as it has to run after
+# iptables flush
+
+set -e
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
+# Create the ipsets and populate them
+load_sets ()
+{
+    #load ipset rules
+    if [ ! -f /etc/iptables/ipsets ]; then
+        echo "Warning: skipping IPv4 (no rules to load)"
+    else
+        ipset restore -exist < /etc/iptables/ipsets
+    fi
+}
+
+# Save current contents of the ipsets to file
+save_sets ()
+{
+    if [ ! "${IPSET_SKIP_SAVE}x" = "yesx" ]; then
+        touch /etc/iptables/ipsets
+        chmod 0640 /etc/iptables/ipsets
+        ipset save > /etc/iptables/ipsets
+    fi
+}
+
+# flush sets
+flush_sets ()
+{
+    :
+}
+
+
+case "$1" in
+start|restart|reload|force-reload)
+    load_sets
+    ;;
+save)
+    save_sets
+    ;;
+stop)
+    # While it makes sense to stop (delete) ipsets we keep the same
+    # semanthics as ip(6)?tables rules
+    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+    ;;
+flush)
+    flush_sets
+    ;;
+*)
+    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+    exit 1
+    ;;
+esac

files/ubuntu/iptables-persistent_1.0.14/plugins/15-ip4tables

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+# This file is part of netfilter-persistent
+# (was iptables-persistent)
+# Copyright (C) 2009, Simon Richter <[email protected]>
+# Copyright (C) 2010, 2014 Jonathan Wiltshire <[email protected]>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation, either version 3
+# of the License, or (at your option) any later version.
+
+set -e
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Source configuration
+if [ -f "/etc/default/netfilter-persistent" ]; then
+    . /etc/default/netfilter-persistent
+fi
+
+load_rules()
+{
+    #load IPv4 rules
+    if [ ! -f /etc/iptables/rules.v4 ]; then
+        echo "Warning: skipping IPv4 (no rules to load)"
+    else
+        iptables-restore < /etc/iptables/rules.v4
+    fi
+}
+
+save_rules()
+{
+    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
+        touch /etc/iptables/rules.v4
+        chmod 0640 /etc/iptables/rules.v4
+        iptables-save > /etc/iptables/rules.v4
+    fi
+}
+
+flush_rules()
+{
+    TABLES=$(iptables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(iptables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            iptables -t $table -P $chain ACCEPT || true
+        done
+        iptables -t $table -F
+        iptables -t $table -Z
+        iptables -t $table -X
+    done
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+    load_rules
+    ;;
+save)
+    save_rules
+    ;;
+stop)
+    # Why? because if stop is used, the firewall gets flushed for a variable
+    # amount of time during package upgrades, leaving the machine vulnerable
+    # It's also not always desirable to flush during purge
+    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+    ;;
+flush)
+    flush_rules
+    ;;
+*)
+    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+    exit 1
+    ;;
+esac

files/ubuntu/iptables-persistent_1.0.14/plugins/25-ip6tables

@@ -0,0 +1,76 @@
+#!/bin/sh
+
+# This file is part of netfilter-persistent
+# (was iptables-persistent)
+# Copyright (C) 2009, Simon Richter <[email protected]>
+# Copyright (C) 2010, 2014 Jonathan Wiltshire <[email protected]>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation, either version 3
+# of the License, or (at your option) any later version.
+
+set -e
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Exit fast if IPv6 is disabled
+test -e /proc/sys/net/ipv6 || exit 0
+
+load_rules()
+{
+    #load IPv6 rules
+    if [ ! -f /etc/iptables/rules.v6 ]; then
+        echo "Warning: skipping IPv6 (no rules to load)"
+    else
+        ip6tables-restore < /etc/iptables/rules.v6
+    fi
+}
+
+save_rules()
+{
+    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
+        touch /etc/iptables/rules.v6
+        ip6tables-save > /etc/iptables/rules.v6
+        chmod 0640 /etc/iptables/rules.v6
+    fi
+}
+
+flush_rules()
+{
+    TABLES=$(ip6tables-save | sed -E -n 's/^\*//p')
+    for table in $TABLES
+    do
+        CHAINS=$(ip6tables-save -t $table | sed -E -n 's/^:([A-Z]+).*/\1/p')
+        for chain in $CHAINS
+        do
+            # policy can't be set on user-defined chains
+            ip6tables -t $table -P $chain ACCEPT || true
+        done
+        ip6tables -t $table -F
+        ip6tables -t $table -Z
+        ip6tables -t $table -X
+    done
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+    load_rules
+    ;;
+save)
+    save_rules
+    ;;
+stop)
+    # Why? because if stop is used, the firewall gets flushed for a variable
+    # amount of time during package upgrades, leaving the machine vulnerable
+    # It's also not always desirable to flush during purge
+    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+    ;;
+flush)
+    flush_rules
+    ;;
+*)
+    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+    exit 1
+    ;;
+esac