64 lines
1.3 KiB
YAML
64 lines
1.3 KiB
YAML
|
---
|
||
|
|
- name: Allow related and established connections
|
||
|
|
ansible.builtin.iptables:
|
||
|
|
chain: INPUT
|
||
|
|
ctstate: ESTABLISHED,RELATED
|
||
|
|
jump: ACCEPT
|
||
|
|
comment: allow related and established connections
|
||
|
|
|
||
|
|
- name: Allow local connections
|
||
|
|
ansible.builtin.iptables:
|
||
|
|
chain: INPUT
|
||
|
|
in_interface: lo
|
||
|
|
jump: ACCEPT
|
||
|
|
comment: allow local connections
|
||
|
|
|
||
|
|
- name: Allow ping
|
||
|
|
ansible.builtin.iptables:
|
||
|
|
chain: INPUT
|
||
|
|
protocol: icmp
|
||
|
|
jump: ACCEPT
|
||
|
|
comment: allow ping from the world
|
||
|
|
|
||
|
|
- name: Deny input connections by default
|
||
|
|
ansible.builtin.iptables:
|
||
|
|
chain: INPUT
|
||
|
|
policy: DROP
|
||
|
|
|
||
|
|
- name: Allow SSH to VPN
|
||
|
|
ansible.builtin.iptables:
|
||
|
|
chain: OUTPUT
|
||
|
|
protocol: tcp
|
||
|
|
destination: "{{ openvpn_subnet }}"
|
||
|
|
destination_port: "22"
|
||
|
|
jump: ACCEPT
|
||
|
|
comment: allow ssh to vpn
|
||
|
|
|
||
|
|
- name: Deny SSH to the world
|
||
|
|
ansible.builtin.iptables:
|
||
|
|
chain: OUTPUT
|
||
|
|
protocol: tcp
|
||
|
|
destination_port: "22"
|
||
|
|
jump: DROP
|
||
|
|
comment: deny ssh to the world
|
||
|
|
|
||
|
|
- name: Deny IPv6 connections
|
||
|
|
ansible.builtin.iptables:
|
||
|
|
ip_version: ipv6
|
||
|
|
chain: "{{ item }}"
|
||
|
|
policy: DROP
|
||
|
|
loop:
|
||
|
|
- INPUT
|
||
|
|
- FORWARD
|
||
|
|
- OUTPUT
|
||
|
|
|
||
|
|
- name: Install netfilter-persistent
|
||
|
|
ansible.builtin.apt:
|
||
|
|
name:
|
||
|
|
- netfilter-persistent
|
||
|
|
- iptables-persistent
|
||
|
|
state: latest
|
||
|
|
|
||
|
|
- name: Save iptables
|
||
|
|
ansible.builtin.command: netfilter-persistent save
|