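---
# tasks file for firewall
#
# Applies a minimal default-deny IPv4 filter policy: keep established/related
# traffic, drop invalid packets, allow loopback and new SSH connections on
# sshd_port, then set the INPUT and FORWARD policies to DROP. Saving the rules
# across reboots is delegated to the iptables-persistent role at the end.
#
# NOTE(review): ansible.builtin.iptables defaults to ip_version ipv4, so none
# of these rules or policies touch ip6tables. On a dual-stack host the IPv6
# INPUT chain keeps whatever policy it already has (typically ACCEPT on a
# default install) — confirm this is intended or add matching
# ip_version: ipv6 tasks.
#
# NOTE(review): the source lost its indentation; the nesting below (the
# rule tasks and the include_role as siblings of the reset block, all inside
# the outer block) is the reconstruction assumed here — verify against the
# original role.

- name: Report whether the basic iptables role is enabled
  ansible.builtin.debug:
    msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"

- name: Configure basic iptables rules (skipped inside Docker or when disabled)
  when:
    - "is_docker is not true"
    - "iptables_basic_enabled is true"
  block:
    # Flushing with the INPUT policy at DROP would also remove the
    # ESTABLISHED,RELATED rule and cut the controlling SSH session, so the
    # policy is temporarily set to ACCEPT first. This leaves a short window
    # with no inbound filtering until the rules below are re-applied.
    - name: Reset configuration if requested
      when:
        - "'global.uninstall' in ansible_run_tags"
      block:
        - name: Open Firewall just for a moment to flush iptables rules
          ansible.builtin.iptables:
            chain: INPUT
            policy: ACCEPT

        - name: Iptables flush filter
          ansible.builtin.iptables:
            chain: "{{ item }}"
            flush: true
          loop:
            - INPUT
            - FORWARD
            - OUTPUT

    # Rule order matters: iptables evaluates top-down. On a freshly flushed
    # chain the tasks append in this order; on a chain that already has rules
    # the module only appends the ones that are missing, so the relative order
    # of pre-existing rules is not guaranteed.
    - name: Allow related and established connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: Drop invalid connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: INVALID
        jump: DROP

    - name: Allow lo incoming connections
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    # sshd_port must be supplied by the caller; an undefined variable fails
    # this task rather than silently opening the default port.
    - name: Allow new incoming SYN packets on TCP port 22 (SSH)
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ sshd_port }}"
        ctstate: NEW
        syn: match
        jump: ACCEPT
        comment: Accept new SSH connections.

    # Default-deny is applied only after the accept rules above exist, so the
    # controlling session is not locked out.
    - name: Set the policy for the INPUT chain to DROP
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP

    - name: Set the policy for the FORWARD chain to DROP
      ansible.builtin.iptables:
        chain: FORWARD
        policy: DROP

    # Despite the task name this REJECTs with an ICMP port-unreachable rather
    # than silently dropping, so local senders get an immediate error instead
    # of a timeout.
    - name: Drop unencrypted port 25 in output
      when: "iptables_basic_drop_unencrypted_smtp_port is true"
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        destination_port: 25
        jump: REJECT
        reject_with: icmp-port-unreachable

    # ansible.builtin.iptables does not save or load rules; this role is
    # expected to persist them across reboots.
    - name: iptables-persistent
      ansible.builtin.include_role:
        name: iptables-persistent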