
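---
# tasks file for firewall (iptables-basic role)
#
# Applies a conservative default filter: keep ESTABLISHED/RELATED flows,
# drop INVALID, allow loopback, allow new SSH on sshd_port, then switch the
# INPUT and FORWARD policies to DROP. Task order matters: every ACCEPT rule
# is appended before the DROP policies are set, so a play that fails part
# way through leaves the chains open rather than locking out the SSH
# session Ansible itself is running over.
#
# NOTE(review): ansible.builtin.iptables defaults to ip_version: ipv4, so
# nothing in this file touches ip6tables. On a dual-stack host the IPv6
# path stays unfiltered unless another role covers it.

- name: Announce role state
  ansible.builtin.debug:
    msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"

# The `is true` / `is not true` tests compare against the boolean True, so
# a string value such as "true" (e.g. passed via --extra-vars) does NOT
# enable the role, and an undefined is_docker counts as "not docker".
- when:
    - "is_docker is not true"
    - "iptables_basic_enabled is true"
  block:
    - name: Reset configuration if requested
      when:
        - "'global.uninstall' in ansible_run_tags"
      block:
        # Open the INPUT policy *before* flushing: once the ESTABLISHED
        # rule is gone, a DROP policy would sever the controlling session.
        - name: Open Firewall just for a moment to flush iptables rules
          ansible.builtin.iptables:
            chain: INPUT
            policy: ACCEPT
        # The normal run sets FORWARD to DROP below; a reset should return
        # it to the iptables default as well, not leave that behind.
        - name: Restore FORWARD policy to ACCEPT
          ansible.builtin.iptables:
            chain: FORWARD
            policy: ACCEPT
        - name: Iptables flush filter
          ansible.builtin.iptables:
            chain: "{{ item }}"
            flush: true
          loop:
            - INPUT
            - FORWARD
            - OUTPUT

    # Must be the first ACCEPT so replies to outbound connections (and the
    # SSH session running this play) keep flowing after the policy flips.
    - name: Allow related and established connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    # Packets conntrack cannot classify (bad TCP flags, out-of-window);
    # dropped explicitly rather than relying on the chain policy.
    - name: Drop invalid connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: INVALID
        jump: DROP

    - name: Allow lo incoming connections
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    # sshd_port is required: with Ansible's default undefined-variable
    # handling this task fails, and it fails *before* the DROP policy is
    # applied, which is the safe direction. `syn: match` limits the rule
    # to genuine connection attempts (SYN set, ACK/RST/FIN clear).
    - name: Allow new incoming SYN packets on TCP port 22 (SSH)
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ sshd_port }}"
        ctstate: NEW
        syn: match
        jump: ACCEPT
        comment: Accept new SSH connections.

    # Policies go last (see header comment). No rule for ICMP echo is
    # added, so ping is blocked; ICMP errors tied to existing flows still
    # pass via the RELATED state above.
    - name: Set the policy for the INPUT chain to DROP
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP

    - name: Set the policy for the FORWARD chain to DROP
      ansible.builtin.iptables:
        chain: FORWARD
        policy: DROP

    # Opt-in egress control: REJECT (not DROP) so a local MTA gets an
    # immediate port-unreachable instead of a hanging connect. Leave the
    # variable unset on hosts that must deliver mail directly over 25.
    - name: Drop unencrypted port 25 in output
      when: "iptables_basic_drop_unencrypted_smtp_port is true"
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        destination_port: 25
        jump: REJECT
        reject_with: icmp-port-unreachable

    # Persist the ruleset so it survives a reboot; without this the host
    # comes back up with empty chains and ACCEPT policies.
    - name: iptables-persistent
      ansible.builtin.include_role:
        name: iptables-persistent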