Merge pull request #5780 from freedomofpress/5776-iptables-persistent…

…-for-focal Fixes #5776 adds iptables-persistent dependency on Focal
freedomofpress · Feb 11, 2021 · 240a9a9 · 240a9a9
2 parents fc6753e + 8e10aec
commit 240a9a9
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 5 deletions.
diff --git a/install_files/ansible-base/roles/app/handlers/main.yml b/install_files/ansible-base/roles/app/handlers/main.yml
@@ -5,9 +5,6 @@
     name: tor
     state: restarted
 
-- name: reload iptables rules
-  shell: iptables-restore < /etc/network/iptables/rules_v4
-
 ## App/securedrop section
 - name: restart apache2
   service:

diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
@@ -9,6 +9,7 @@ resolvconf_target_filepath: /etc/resolv.conf
 securedrop_common_packages:
   - apt-transport-https
   - aptitude
+  - iptables-persistent
   - unattended-upgrades
   - ntp
   - ntpdate

diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
@@ -27,6 +27,8 @@
     dest: /etc/network/if-up.d/load_iptables
     owner: root
     mode: "0744"
+  when:
+    - ansible_distribution_release == 'xenial'
 
 - name: Create iptables directory.
   file:
@@ -35,6 +37,8 @@
     owner: root
     group: root
     dest: /etc/network/iptables
+  when:
+    - ansible_distribution_release == 'xenial'
 
 - name: Determine local platform specific routing info
   set_fact:
@@ -59,14 +63,14 @@
 - name: Copy IPv4 iptables rules.
   template:
     src: rules_v4
-    dest: /etc/network/iptables/rules_v4
+    dest: "{{ iptables_v4_path }}"
     owner: root
     mode: "0644"
   notify: drop flag for reboot
 
 - name: Copy IPv6 iptables rules.
   copy:
     src: iptables_rules_v6
-    dest: /etc/network/iptables/rules_v6
+    dest: "{{ iptables_v6_path }}"
     owner: root
     mode: "0644"
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+
 - include: fetch_tor_config.yml
   when: fetch_tor_client_auth_configs
 

diff --git a/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_focal.yml
@@ -0,0 +1,3 @@
+---
+iptables_v4_path: /etc/iptables/rules.v4
+iptables_v6_path: /etc/iptables/rules.v6
diff --git a/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_xenial.yml b/install_files/ansible-base/roles/restrict-direct-access/vars/Ubuntu_xenial.yml
@@ -0,0 +1,3 @@
+---
+iptables_v4_path: /etc/network/iptables/rules_v4
+iptables_v6_path: /etc/network/iptables/rules_v6
diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
@@ -154,3 +154,14 @@ def test_no_ecrypt_messages_in_logs(host, logfile):
 def test_unused_packages_are_removed(host, package):
     """ Check if unused package is present """
     assert host.package(package).is_installed is False
+
+
+def test_iptables_packages(host):
+    """
+    Focal hosts should use iptables-persistent for enforcing
+    firewall config across reboots.
+    """
+    if host.system_info.codename == "focal":
+        assert host.package("iptables-persistent").is_installed
+    else:
+        assert not host.package("iptables-persistent").is_installed