---
- name: Allow related and established connections
  ansible.builtin.iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    comment: allow related and established connections

- name: Allow local connections
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    comment: allow local connections

- name: Allow ping
  ansible.builtin.iptables:
    chain: INPUT
    protocol: icmp
    jump: ACCEPT
    comment: allow ping from the world

- name: Deny input connections by default
  ansible.builtin.iptables: 
    chain: INPUT
    policy: DROP

- name: Allow SSH to VPN
  ansible.builtin.iptables:
    chain: OUTPUT
    protocol: tcp
    destination: "{{ openvpn_subnet }}"
    destination_port: "22"
    jump: ACCEPT
    comment: allow ssh to vpn

- name: Deny SSH to the world
  ansible.builtin.iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: "22"
    jump: DROP
    comment: deny ssh to the world

- name: Deny IPv6 connections
  ansible.builtin.iptables:
    ip_version: ipv6
    chain: "{{ item }}"
    policy: DROP
  loop:
    - INPUT
    - FORWARD
    - OUTPUT

- name: Install netfilter-persistent
  ansible.builtin.apt:
    name:
      - netfilter-persistent
      - iptables-persistent
    state: latest

- name: Save iptables
  ansible.builtin.command: netfilter-persistent save