configurations-ansible/roles/iptables-basic/tasks/main.yml

73 lines
2 KiB
YAML

---
# tasks file for firewall
- name: Setup iptables to standard configuration
when:
- "is_docker is not true"
- "iptables_basic_enabled is true"
block:
- name: Reset configuration if requested
when:
- "iptables_basic_reset_enabled is true"
block:
- name: Open Firewall just for a moment to flush iptables rules
ansible.builtin.iptables:
chain: INPUT
policy: ACCEPT
- name: Iptables flush filter
ansible.builtin.iptables:
chain: "{{ item }}"
flush: yes
with_items: [ 'INPUT', 'FORWARD', 'OUTPUT' ]
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Drop invalid connections
ansible.builtin.iptables:
chain: INPUT
ctstate: INVALID
jump: DROP
- name: Allow lo incoming connections
ansible.builtin.iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Allow new incoming SYN packets on TCP port 22 (SSH)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ iptables_basic_ssh_port }}"
ctstate: NEW
syn: match
jump: ACCEPT
comment: Accept new SSH connections.
- name: Set the policy for the INPUT chain to DROP
ansible.builtin.iptables:
chain: INPUT
policy: DROP
- name: Set the policy for the FORWARD chain to DROP
ansible.builtin.iptables:
chain: FORWARD
policy: DROP
- name: Drop unencrypted port 25 in output
when: "iptables_basic_drop_unencrypted_smtp_port is true"
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 25
jump: REJECT
reject_with: icmp-port-unreachable
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent