Initial commit

roles/firewall/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: Persist iptables
+  shell:
+    cmd: iptables-save > /etc/iptables/rules.v4

roles/firewall/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+- name: Install iptables packages
+  apt:
+    name: iptables-persistent
+    state: present
+
+- name: Allow all loopback traffic
+  iptables:
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow port ping traffic
+  iptables:
+    chain: INPUT
+    jump: ACCEPT
+    protocol: icmp
+  notify: Persist iptables
+
+- name: Allow related and established connections
+  iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow SSH
+  iptables:
+    chain: INPUT
+    destination_port: 22
+    jump: ACCEPT
+    protocol: tcp
+  notify: Persist iptables
+
+- name: Allow web
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 80
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow dns
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 53
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow dns (udp)
+  iptables:
+    chain: INPUT
+    protocol: udp
+    destination_port: 53
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow related and established connections
+  ansible.builtin.iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+
+- name: Set the policy for the INPUT chain to DROP
+  iptables:
+    chain: INPUT
+    policy: DROP
+  notify: Persist iptables
+
+- name: Set the policy for the FORWARD chain to DROP
+  iptables:
+    chain: FORWARD
+    policy: DROP
+  notify: Persist iptables
+
+- name: Set the policy for the OUTPUT chain to ACCEPT
+  iptables:
+    chain: OUTPUT
+    policy: ACCEPT
+  notify: Persist iptables