configurations-ansible/roles/iptables-basic/tasks/main.yml

---
# tasks file for firewall

- name: Setup iptables to standard configuration
  when:
    - "is_docker is not true"
    - "iptables_basic_enabled is true"
  block:
    - name: Reset configuration if requested
      when:
        - "iptables_basic_reset_enabled is true"
      block:
        - name: Open Firewall just for a moment to flush iptables rules
          ansible.builtin.iptables:
            chain: INPUT
            policy: ACCEPT

        - name: Iptables flush filter
          ansible.builtin.iptables:
            chain: "{{ item }}"
            flush: yes
          with_items:  [ 'INPUT', 'FORWARD', 'OUTPUT' ]

    - name: Allow related and established connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: Drop invalid connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: INVALID
        jump: DROP

    - name: Allow lo incoming connections
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Allow new incoming SYN packets on TCP port 22 (SSH)
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ iptables_basic_ssh_port }}"
        ctstate: NEW
        syn: match
        jump: ACCEPT
        comment: Accept new SSH connections.

    - name: Set the policy for the INPUT chain to DROP
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP

    - name: Set the policy for the FORWARD chain to DROP
      ansible.builtin.iptables:
        chain: FORWARD
        policy: DROP

    - name: Drop unencrypted port 25 in output
      when: "iptables_basic_drop_unencrypted_smtp_port is true"
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        destination_port: 25
        jump: REJECT
        reject_with: icmp-port-unreachable

    - name: iptables-persistent
      ansible.builtin.include_role:
        name: iptables-persistent