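---
# Host firewall for one node: allow established traffic, SSH on SSH_PORT,
# ICMP, HTTP/HTTPS and loopback, then default-deny INPUT and persist the
# ruleset.  Rules are appended in order and the DROP policy is applied last,
# so a task failing earlier in the block cannot leave the host locked out.
# NOTE(review): the source listing had lost its indentation; the nesting
# below (including where `become` sits) is reconstructed — confirm against
# the repository copy.
# NOTE(review): only the IPv4 tables are configured here; ip6tables is left
# untouched (ansible.builtin.iptables accepts `ip_version: ipv6` if wanted).
- name: IPTables rules
  block:
    - name: Install netfilter-persistent
      ansible.builtin.apt:
        name: netfilter-persistent
        state: present

    - name: Allow related and established connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
      # was `become: yes`; Ansible wants true/false only (yamllint truthy)
      become: true

    # SSH_PORT must be defined by the caller; an undefined variable fails
    # this task and the block before the DROP policy is ever applied.
    - name: Allow new incoming SYN packets on specified port
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ SSH_PORT }}"
        ctstate: NEW
        syn: match
        jump: ACCEPT

    - name: Allow ICMP
      ansible.builtin.iptables:
        chain: INPUT
        protocol: icmp
        jump: ACCEPT

    - name: Allow 80, 443 connections
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_ports:
          - "80"
          - "443"
        jump: ACCEPT

    # Loopback rules use the iptables module rather than
    # `shell: iptables -A ... -j ACCEPT` so they are idempotent: the shell
    # form appended a duplicate rule on every run and never reported "ok".
    - name: Allow loopback in
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Allow loopback out
      ansible.builtin.iptables:
        chain: OUTPUT
        out_interface: lo
        jump: ACCEPT

    # Default-deny; keep this the last rule-changing task in the block.
    - name: INPUT DROP
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP

    # No shell features are needed, so `command` avoids spawning a shell.
    # Persists the live ruleset so it is restored at boot.
    - name: Save iptables rules
      ansible.builtin.command:
        cmd: netfilter-persistent save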