73 lines
2 KiB
YAML
73 lines
2 KiB
YAML
---
|
|
# tasks file for firewall
|
|
|
|
- name: Setup iptables to standard configuration
|
|
when:
|
|
- "is_docker is not true"
|
|
- "iptables_basic_enabled is true"
|
|
block:
|
|
- name: Reset configuration if requested
|
|
when:
|
|
- "iptables_basic_reset_enabled is true"
|
|
block:
|
|
- name: Open Firewall just for a moment to flush iptables rules
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
policy: ACCEPT
|
|
|
|
- name: Iptables flush filter
|
|
ansible.builtin.iptables:
|
|
chain: "{{ item }}"
|
|
flush: yes
|
|
with_items: [ 'INPUT', 'FORWARD', 'OUTPUT' ]
|
|
|
|
- name: Allow related and established connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
ctstate: ESTABLISHED,RELATED
|
|
jump: ACCEPT
|
|
|
|
- name: Drop invalid connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
ctstate: INVALID
|
|
jump: DROP
|
|
|
|
- name: Allow lo incoming connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
in_interface: lo
|
|
jump: ACCEPT
|
|
|
|
- name: Allow new incoming SYN packets on TCP port 22 (SSH)
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: "{{ iptables_basic_ssh_port }}"
|
|
ctstate: NEW
|
|
syn: match
|
|
jump: ACCEPT
|
|
comment: Accept new SSH connections.
|
|
|
|
- name: Set the policy for the INPUT chain to DROP
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
policy: DROP
|
|
|
|
- name: Set the policy for the FORWARD chain to DROP
|
|
ansible.builtin.iptables:
|
|
chain: FORWARD
|
|
policy: DROP
|
|
|
|
- name: Drop unencrypted port 25 in output
|
|
when: "iptables_basic_drop_unencrypted_smtp_port is true"
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
protocol: tcp
|
|
destination_port: 25
|
|
jump: REJECT
|
|
reject_with: icmp-port-unreachable
|
|
|
|
- name: iptables-persistent
|
|
ansible.builtin.include_role:
|
|
name: iptables-persistent
|