# ansible-role-iptables

This role installs the netfilter-persistent package on a Debian system (tested on Buster). It uses templates to fill in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

## Defaults

The role is configured with the following default rules:

```
iptables_rules_v4:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p icmp -m icmp --icmp-type any -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT

iptables_rules_v6:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p ipv6-icmp -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT
```

## Usage

It makes sense to copy the defaults into a host_vars or group_vars file in your inventory, and then update the rule definitions as required.

inventory/host_vars/myhost/iptables.yml:

```
iptables_rules_v4:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p icmp -m icmp --icmp-type any -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
        - "-p tcp -m tcp --dport 80 -j ACCEPT"
        - "-p tcp -m tcp --dport 443 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT

iptables_rules_v6:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p ipv6-icmp -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
        - "-p tcp -m tcp --dport 80 -j ACCEPT"
        - "-p tcp -m tcp --dport 443 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT
```

## Optional reload

By default, the ruleset is (re)loaded at boot time and on every update to /etc/iptables/rules.v4 or /etc/iptables/rules.v6. On systems that create iptables rules dynamically (fail2ban, docker, ...) you may want to skip the iptables reload, because reloading the persistent ruleset replaces the running tables and discards those dynamically created rules:

```
iptables_reload_on_update: false
```

## Example playbook

```
- hosts:
    - hostname
  roles:
    - role: iptables
      tags:
        - iptables
```
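The variable structure above maps onto the iptables-restore format that ends up in /etc/iptables/rules.v4. The following is an added example, not the role's own template: it renders the `iptables_rules_v4` dict into that format and runs a lockout sanity check (loopback, RELATED,ESTABLISHED and port 22 still accepted when INPUT defaults to DROP) before the ruleset is pushed. The exact layout of the role's template output is an assumption; this follows the standard iptables-save layout.

```python
VALID_POLICIES = {"ACCEPT", "DROP"}

DEFAULT_RULES_V4 = {  # constructed from the role's documented defaults
    "filter": {
        "INPUT": {"policy": "DROP", "rules": [
            "-i lo -j ACCEPT",
            "-m state --state RELATED,ESTABLISHED -j ACCEPT",
            "-p icmp -m icmp --icmp-type any -j ACCEPT",
            "-p tcp -m tcp --dport 22 -j ACCEPT",
        ]},
        "FORWARD": {"policy": "ACCEPT"},
        "OUTPUT": {"policy": "ACCEPT"},
    }
}


def render_rules(tables):
    """Render the role's dict into iptables-restore format: one *table block
    per table, chain policies first, then the -A rules, then COMMIT."""
    out = []
    for table, chains in tables.items():
        out.append(f"*{table}")
        for chain, spec in chains.items():
            policy = spec.get("policy", "ACCEPT")
            if policy not in VALID_POLICIES:
                raise ValueError(f"{table}/{chain}: bad policy {policy!r}")
            out.append(f":{chain} {policy} [0:0]")
        for chain, spec in chains.items():
            for rule in spec.get("rules", []):
                out.append(f"-A {chain} {rule}")
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def lockout_warnings(tables):
    """Checks worth running before the role reloads the ruleset: with a DROP
    policy on INPUT, missing loopback / ESTABLISHED / SSH accepts will cut
    off the host (and the next Ansible run) as soon as the rules load."""
    inp = tables.get("filter", {}).get("INPUT", {})
    rules = inp.get("rules", [])
    warnings = []
    if inp.get("policy") == "DROP":
        if not any("-i lo " in r for r in rules):
            warnings.append("INPUT drops loopback traffic")
        if not any("ESTABLISHED" in r for r in rules):
            warnings.append("INPUT has no RELATED,ESTABLISHED accept")
        if not any("--dport 22 " in r and "-j ACCEPT" in r for r in rules):
            warnings.append("INPUT does not accept SSH (port 22)")
    return warnings
```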