Fix iptables entries again

bubble-server/src/main/resources/ansible/roles/finalizer/tasks/firewall.yml → bubble-server/src/main/resources/ansible/roles/algo/tasks/algo_firewall.yml

@@ -3,39 +3,41 @@
 #
 # Insert additional firewall rules to allow required services to function
 # Insert them all on rule_num 5, and insert them in reverse order here:
-- name: Allow HTTPS on port {{ item }}
+- name: Allow SSH
   iptables:
     chain: INPUT
-    action: used_iptabples_action
-    rule_num: 5
     protocol: tcp
-    destination_port: {{ item }}
+    destination_port: 22
     ctstate: NEW
     syn: match
     jump: ACCEPT
-    comment: Accept new HTTPS ({{ item }}) connections
-  with_items:
-    - 1443
-    - 443
+    comment: Accept new SSH connections
   become: yes
 
-- name: Allow HTTP on port {{ item }}
+- name: "Allow HTTP on port {{ item }}"
   iptables:
     chain: INPUT
-    action: used_iptabples_action
-    rule_num: 5
     protocol: tcp
-    destination_port: {{ item }}
+    destination_port: "{{ item }}"
     ctstate: NEW
     syn: match
     jump: ACCEPT
-    comment: Accept new HTTP ({{ item }}) connections
+    comment: "Accept new HTTP ({{ item }}) connections"
   with_items:
-    - 1080
     - 80
+    - 1080
   become: yes
 
-- name: Restart iptables
-  service:
-    name: netfilter-persistent
-    state: restarted
+- name: "Allow HTTPS on port {{ item }}"
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ item }}"
+    ctstate: NEW
+    syn: match
+    jump: ACCEPT
+    comment: "Accept new HTTPS ({{ item }}) connections"
+  with_items:
+    - 443
+    - 1443
+  become: yes

bubble-server/src/main/resources/ansible/roles/algo/tasks/main.yml

@@ -16,3 +16,7 @@
 - name: Run algo playbook to install algo
   shell: /root/ansible/roles/algo/algo/install_algo.sh
   tags: algo_related
+
+# Algo installation clears out iptable rules. Add needed bubble rules back:
+- include: algo_firewall.yml
+  tags: algo_related

bubble-server/src/main/resources/ansible/roles/finalizer/tasks/main.yml

@@ -25,9 +25,10 @@
     src: "supervisor_bubble.conf.j2"
     dest: /etc/supervisor/conf.d/bubble.conf
 
-- include: firewall.yml
-  vars:
-    used_iptabples_action: "{{ 'append' if restore_key is defined else 'insert' }}"
+- name: Restart iptables
+  service:
+    name: netfilter-persistent
+    state: restarted
 
 # We cannot receive notifications until nginx is running, so start bubble API as the very last step
 - name: reload supervisord

bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml

@@ -34,8 +34,6 @@
 - name: Allow MITM private port
   iptables:
     chain: INPUT
-    action: insert
-    rule_num: 5
     protocol: tcp
     destination_port: 8888
     ctstate: NEW

bubble-server/src/main/resources/packer/roles/firewall/tasks/rules.yml

@@ -29,30 +29,30 @@
   become: yes
   when: fw_enable_ssh
 
-- name: Allow HTTP on port {{ item }}
+- name: "Allow HTTP on port {{ item }}"
   iptables:
     chain: INPUT
     protocol: tcp
-    destination_port: {{ item }}
+    destination_port: "{{ item }}"
     ctstate: NEW
     syn: match
     jump: ACCEPT
-    comment: Accept new HTTP ({{ item }}) connections
+    comment: "Accept new HTTP ({{ item }}) connections"
   with_items:
     - 80
     - 1080
   become: yes
   when: fw_enable_http
 
-- name: Allow HTTPS on port {{ item }}
+- name: "Allow HTTPS on port {{ item }}"
   iptables:
     chain: INPUT
     protocol: tcp
-    destination_port: {{ item }}
+    destination_port: "{{ item }}"
     ctstate: NEW
     syn: match
     jump: ACCEPT
-    comment: Accept new HTTPS ({{ item }}) connections
+    comment: "Accept new HTTPS ({{ item }}) connections"
   with_items:
     - 443
     - 1443