Initial commit

2019-08-28 11:15:00 +02:00
parent 827e5cd149
commit 8fee45bafa
6 changed files with 70 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+*.swp
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,26 @@
+iptables_rules_v4:
+  filter:
+    INPUT:
+      policy: DROP
+      rules:
+        - "-i lo -j ACCEPT"
+        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+        - "-p icmp -m icmp --icmp-type any -j ACCEPT"
+        - "-p tcp -m tcp --dport 22 -j ACCEPT"
+    FORWARD:
+      policy: ACCEPT
+    OUTPUT:
+      policy: ACCEPT
+iptables_rules_v6:
+  filter:
+    INPUT:
+      policy: DROP
+      rules:
+        - "-i lo -j ACCEPT"
+        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+        - "-p ipv6-icmp -j ACCEPT"
+        - "-p tcp -m tcp --dport 22 -j ACCEPT"
+    FORWARD:
+      policy: ACCEPT
+    OUTPUT:
+      policy: ACCEPT
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Reload netfilter-persistent
+  command: netfilter-persistent reload
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: install iptables-persistent
+  apt:
+    name: iptables-persistent
+
+- name: rules.v4
+  template:
+    src: rules-v4.j2
+    dest: /etc/iptables/rules.v4
+  notify: Reload netfilter-persistent
+
+- name: rules.v6
+  template:
+    src: rules-v6.j2
+    dest: /etc/iptables/rules.v6
+  notify: Reload netfilter-persistent
--- a/templates/rules-v4.j2
+++ b/templates/rules-v4.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+{% for table in iptables_rules_v4 %}
+*{{ table }}
+{% for chain in iptables_rules_v4[table] %}
+:{{ chain }} {{ iptables_rules_v4[table][chain]['policy'] | default('ACCEPT') }} [0:0]
+{% if iptables_rules_v4[table][chain]['rules'] is defined %}
+{% for rule in iptables_rules_v4[table][chain]['rules'] %}
+-A {{ chain }} {{ rule }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+COMMIT
--- a/templates/rules-v6.j2
+++ b/templates/rules-v6.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+{% for table in iptables_rules_v6 %}
+*{{ table }}
+{% for chain in iptables_rules_v6[table] %}
+:{{ chain }} {{ iptables_rules_v6[table][chain]['policy'] }} [0:0]
+{% if iptables_rules_v6[table][chain]['rules'] is defined %}
+{% for rule in iptables_rules_v6[table][chain]['rules'] %}
+-A {{ chain }} {{ rule }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+COMMIT