90 lines
1.7 KiB
YAML
90 lines
1.7 KiB
YAML
---
|
|
- name: Install iptables packages
|
|
apt:
|
|
name: iptables-persistent
|
|
state: present
|
|
|
|
- name: Allow all loopback traffic
|
|
iptables:
|
|
chain: INPUT
|
|
in_interface: lo
|
|
jump: ACCEPT
|
|
notify: Persist iptables
|
|
|
|
- name: Allow port ping traffic
|
|
iptables:
|
|
chain: INPUT
|
|
jump: ACCEPT
|
|
protocol: icmp
|
|
notify: Persist iptables
|
|
|
|
- name: Allow related and established connections
|
|
iptables:
|
|
chain: INPUT
|
|
ctstate: ESTABLISHED,RELATED
|
|
jump: ACCEPT
|
|
notify: Persist iptables
|
|
|
|
- name: Allow SSH
|
|
iptables:
|
|
chain: INPUT
|
|
destination_port: 22
|
|
jump: ACCEPT
|
|
protocol: tcp
|
|
notify: Persist iptables
|
|
|
|
- name: Allow web
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 80
|
|
jump: ACCEPT
|
|
notify: Persist iptables
|
|
|
|
- name: Allow admin web (nginx proxy)
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 81
|
|
jump: ACCEPT
|
|
notify: Persist iptables
|
|
|
|
- name: Allow dns
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 53
|
|
jump: ACCEPT
|
|
notify: Persist iptables
|
|
|
|
- name: Allow dns (udp)
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: udp
|
|
destination_port: 53
|
|
jump: ACCEPT
|
|
notify: Persist iptables
|
|
|
|
- name: Allow related and established connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
ctstate: ESTABLISHED,RELATED
|
|
jump: ACCEPT
|
|
|
|
- name: Set the policy for the INPUT chain to DROP
|
|
iptables:
|
|
chain: INPUT
|
|
policy: DROP
|
|
notify: Persist iptables
|
|
|
|
- name: Set the policy for the FORWARD chain to DROP
|
|
iptables:
|
|
chain: FORWARD
|
|
policy: DROP
|
|
notify: Persist iptables
|
|
|
|
- name: Set the policy for the OUTPUT chain to ACCEPT
|
|
iptables:
|
|
chain: OUTPUT
|
|
policy: ACCEPT
|
|
notify: Persist iptables
|