From 8fee45bafadd0b86e902d439149f58b95c971ee5 Mon Sep 17 00:00:00 2001
From: Nils Cant
Date: Wed, 28 Aug 2019 11:15:00 +0200
Subject: [PATCH] Initial commit

---
 .gitignore | 1 +
 defaults/main.yml | 26 ++++++++++++++++++++++++++
 handlers/main.yml | 2 ++
 tasks/main.yml | 15 +++++++++++++++
 templates/rules-v4.j2 | 13 +++++++++++++
 templates/rules-v6.j2 | 13 +++++++++++++
 6 files changed, 70 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/rules-v4.j2
 create mode 100644 templates/rules-v6.j2

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..18cdf4b
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,26 @@
+iptables_rules_v4:
+ filter:
+ INPUT:
+ policy: DROP
+ rules:
+ - "-i lo -j ACCEPT"
+ - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+ - "-p icmp -m icmp --icmp-type any -j ACCEPT"
+ - "-p tcp -m tcp --dport 22 -j ACCEPT"
+ FORWARD:
+ policy: ACCEPT
+ OUTPUT:
+ policy: ACCEPT
+iptables_rules_v6:
+ filter:
+ INPUT:
+ policy: DROP
+ rules:
+ - "-i lo -j ACCEPT"
+ - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+ - "-p ipv6-icmp -j ACCEPT"
+ - "-p tcp -m tcp --dport 22 -j ACCEPT"
+ FORWARD:
+ policy: ACCEPT
+ OUTPUT:
+ policy: ACCEPT
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..22d75a1
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Reload netfilter-persistent
+ command: netfilter-persistent reload
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..7a7c139
--- /dev/null
+++ b/tasks/main.yml
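Review bot: In defaults/main.yml the FORWARD chain is given `policy: ACCEPT` in both `iptables_rules_v4` and `iptables_rules_v6`, so if IP forwarding is ever turned on for this host (a container runtime may do that) transit traffic passes unfiltered while INPUT is locked down; a DROP baseline with explicit opt-in rules is the consistent choice for a role that already picks DROP for INPUT. The `-m state --state RELATED,ESTABLISHED` entries use the legacy match; `-m conntrack --ctstate RELATED,ESTABLISHED` is the current equivalent with the same effect here. The file carries no comment describing the layout the templates rely on; a header such as `# table -> chain -> {policy: <built-in chain policy>, rules: [<arguments appended to "-A CHAIN">]}` would make overriding the defaults much less error-prone.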
@@ -0,0 +1,15 @@
+- name: install iptables-persistent
+ apt:
+ name: iptables-persistent
+
+- name: rules.v4
+ template:
+ src: rules-v4.j2
+ dest: /etc/iptables/rules.v4
+ notify: Reload netfilter-persistent
+
+- name: rules.v6
+ template:
+ src: rules-v6.j2
+ dest: /etc/iptables/rules.v6
+ notify: Reload netfilter-persistent
diff --git a/templates/rules-v4.j2 b/templates/rules-v4.j2
new file mode 100644
index 0000000..8ff0ee3
--- /dev/null
+++ b/templates/rules-v4.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+{% for table in iptables_rules_v4 %}
+*{{ table }}
+{% for chain in iptables_rules_v4[table] %}
+:{{ chain }} {{ iptables_rules_v4[table][chain]['policy'] | default('ACCEPT') }} [0:0]
+{% if iptables_rules_v4[table][chain]['rules'] is defined %}
+{% for rule in iptables_rules_v4[table][chain]['rules'] %}
+-A {{ chain }} {{ rule }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+COMMIT
diff --git a/templates/rules-v6.j2 b/templates/rules-v6.j2
new file mode 100644
index 0000000..4fcc33c
--- /dev/null
+++ b/templates/rules-v6.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+{% for table in iptables_rules_v6 %}
+*{{ table }}
+{% for chain in iptables_rules_v6[table] %}
+:{{ chain }} {{ iptables_rules_v6[table][chain]['policy'] }} [0:0]
+{% if iptables_rules_v6[table][chain]['rules'] is defined %}
+{% for rule in iptables_rules_v6[table][chain]['rules'] %}
+-A {{ chain }} {{ rule }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+COMMIT
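Review bot: The two `template` tasks in tasks/main.yml write the rules files and notify the reload handler without checking the rendered ruleset first, so a bad rule string in `iptables_rules_v4` or `iptables_rules_v6` is only discovered when `netfilter-persistent reload` fails on the host, after the broken file has already replaced the previous one. Adding `validate: iptables-restore --test %s` to the rules.v4 task and `validate: ip6tables-restore --test %s` to the rules.v6 task rejects the file before it lands in /etc/iptables. The task names mix styles (`install iptables-persistent`, `rules.v4`); `Install iptables-persistent`, `Write /etc/iptables/rules.v4` and `Write /etc/iptables/rules.v6` would read more clearly in play output.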
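Review bot: In rules-v4.j2 the single `COMMIT` comes after the outer `{% for table in iptables_rules_v4 %}` loop closes, so a variable with more than one table (say `filter` and `nat`) renders `*filter … *nat … COMMIT`, and iptables-restore rejects the second `*table` line because every table block has to end with its own `COMMIT`; move the `COMMIT` line inside the outer loop, directly before its closing `{% endfor %}`. rules-v6.j2 in this commit has the same layout and needs the same move. The `| default('ACCEPT')` fallback on the chain header only fits built-in chains; as far as I recall iptables-restore expects `-` as the policy of a user-defined chain, so a comment such as `{# user-defined chains must set policy: '-' explicitly #}` above that line would save a confusing restore failure.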
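Review bot: The chain header in rules-v6.j2 renders `iptables_rules_v6[table][chain]['policy']` without the `| default('ACCEPT')` fallback that rules-v4.j2 applies, so a chain declared without `policy` renders as `:CHAIN  [0:0]`, which ip6tables-restore rejects and the reload handler then fails on. Use `:{{ chain }} {{ iptables_rules_v6[table][chain]['policy'] | default('ACCEPT') }} [0:0]` so the two templates behave the same. Beyond that one line the two templates differ only in the variable name, which suggests a single template parameterised through a `vars:` entry on the task would remove the duplication.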