-- name: Install iptables and fail2ban
+- name: Install fail2ban and nftables
become: true
apt:
cache_valid_time: 3600
install_recommends: no
- name: ['iptables', 'fail2ban']
+ name: ['fail2ban', 'nftables']
state: latest
update_cache: yes
notify: Restart firewall
+- name: "Change /etc/fail2ban/jail.conf (iptables -> nftables)"
+ become: true
+ lineinfile:
+ path: /etc/fail2ban/jail.conf
+ regexp: '^banaction = iptables-multiport$'
+ line: 'banaction = nftables-multiport'
+ notify: Restart firewall
+- become: true
+ lineinfile:
+ path: /etc/fail2ban/jail.conf
+ regexp: '^banaction = iptables-multiport-log$'
+ line: 'banaction = nftables-multiport'
+ notify: Restart firewall
+- become: true
+ lineinfile:
+ path: /etc/fail2ban/jail.conf
+ regexp: '^banaction_allports = iptables-allports$'
+ line: 'banaction_allports = nftables-allports'
+ notify: Restart firewall
+
- name: Configure Debian firewall
become: true
copy:
path: /etc/network/functions.phd
mode: '0640'
notify: Restart firewall
+
+- name: Remove iptables leftovers
+ become: true
+ file:
+ path: /etc/init.d/iptables.sh
+ state: absent
+
+- name: Prevent fail2ban from autostarting
+ become: true
+ command: update-rc.d fail2ban remove
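Review bot: The three new `lineinfile` tasks edit the package-owned `/etc/fail2ban/jail.conf`, which the `state: latest` install in the same play can overwrite on the next fail2ban upgrade and silently revert `banaction` to the iptables actions while the iptables package is no longer installed; fail2ban's supported override mechanism is a `jail.local` or `jail.d/*.local` drop-in. `lineinfile` without `backrefs: true` also appends `line` at end of file whenever `regexp` does not match, which in an INI file puts the directive into whatever jail section happens to be last instead of `[DEFAULT]`, and the second task's `^banaction = iptables-multiport-log$` pattern looks unlikely to match a stock jail.conf (please verify), so it would probably append on every run. Writing the overrides as one drop-in file replaces the three tasks, and incidentally gives the two tasks that currently have no `name` one. Separately, `command: update-rc.d fail2ban remove` reports changed on every run and does not disable a systemd unit; the idempotent form is `service:` with `name: fail2ban` and `enabled: false`. It is not visible here whether the hunk ends at the end of the file.
```yaml
# … unchanged: "Install fail2ban and nftables" task above …
- name: Point fail2ban at the nftables actions (drop-in survives package upgrades)
  become: true
  copy:
    dest: /etc/fail2ban/jail.d/nftables.local  # constructed filename; any jail.d/*.local is read after jail.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      [DEFAULT]
      banaction = nftables-multiport
      banaction_allports = nftables-allports
  notify: Restart firewall
# … unchanged: "Configure Debian firewall" task and the iptables cleanup below …
```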