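---
# Host firewall for the "linux" group. IPv4 filter table only.
#
# Resulting INPUT chain, top to bottom (rules are appended in task order):
#   1. loopback                        -> ACCEPT
#   2. ESTABLISHED,RELATED             -> ACCEPT
#   3. any ICMP type                   -> ACCEPT
#   4. any source in trusted_networks  -> ACCEPT (this is how SSH gets in)
#   5. TCP 80 and 443 from anywhere    -> ACCEPT
#   6. everything else                 -> REJECT
# OUTPUT is left open (policy ACCEPT plus a loopback rule); FORWARD is not
# touched at all.
#
# Caveats a deployer should know before running this:
#   * default_policy stays ACCEPT and the filter table is flushed before the
#     rules are re-added, so between the flush and the final REJECT task the
#     host is briefly open, and a play that aborts mid-way leaves it open.
#     ACCEPT is what keeps the Ansible SSH session alive across the flush;
#     if you change it to DROP, the ESTABLISHED,RELATED rule must already be
#     present before the policy is applied.
#   * The iptables module defaults to ip_version ipv4; nothing here filters
#     IPv6. On hosts with a routable IPv6 address an equivalent ip6tables
#     ruleset is needed, otherwise the whole policy is bypassed over v6.
#   * Nothing persists the ruleset: it is gone after a reboot unless
#     iptables-persistent (or a save task) restores it. The trailing
#     iptables-save task only prints the rules.
#   * SSH (22) is reachable only from trusted_networks (the port-22 entry in
#     public_ports is state: absent). The Ansible control host must sit
#     inside one of those ranges or this play locks it out.
- hosts: linux
  become: true
  vars:
    # Policy set on INPUT/OUTPUT before the rules are rebuilt; see caveats.
    default_policy: "ACCEPT"
    loopback_iface: lo
    # Sources allowed to reach every port, including SSH (AS278 ranges).
    trusted_networks:
      # In AS278 we trust
      - "132.247.0.0/16"
      - "132.248.0.0/16"
      - "192.100.199.0/24"
      - "192.100.200.0/24"
    # Ports exposed to every source. "absent" removes a matching rule if
    # one exists (after the flush it is a no-op), so SSH is deliberately
    # not world-reachable. Override with extra-vars to change exposure.
    public_ports:
      - port: 22
        protocol: "tcp"
        state: "absent"
      - port: 80
        protocol: "tcp"
        state: "present"
      - port: 443
        protocol: "tcp"
        state: "present"
  tasks:
    - name: Apply default INPUT and OUTPUT policy
      iptables:
        chain: "{{ item }}"
        policy: "{{ default_policy }}"
      with_items:
        - "INPUT"
        - "OUTPUT"

    - name: Reset iptables counters
      command: iptables -t "{{ item }}" -Z
      with_items:
        - "filter"
        # - "nat"
        # - "mangle"
        # - "raw"
        # - "security"

    # Every iptables task below appends, so after this flush the chain order
    # is exactly the task order. The REJECT task must remain last.
    - name: Flush current rules
      iptables:
        flush: true
        table: "{{ item }}"
      with_items:
        - "filter"
        # - "nat"
        # - "mangle"
        # - "raw"
        # - "security"

    - name: Allow INPUT loopback traffic
      iptables:
        table: "filter"
        chain: "INPUT"
        in_interface: "{{ loopback_iface }}"
        jump: "ACCEPT"

    - name: Allow OUTPUT loopback traffic
      iptables:
        table: "filter"
        chain: "OUTPUT"
        out_interface: "{{ loopback_iface }}"
        jump: "ACCEPT"

    - name: Allow ESTABLISHED and RELATED connections
      iptables:
        table: "filter"
        chain: "INPUT"
        ctstate: "ESTABLISHED,RELATED"
        jump: "ACCEPT"

    # Accepts every ICMP type (echo, timestamp, redirect, ...), not only the
    # ones needed for path MTU discovery and diagnostics.
    - name: Allow ICMP traffic
      iptables:
        table: "filter"
        chain: "INPUT"
        protocol: "icmp"
        jump: "ACCEPT"

    # Any port, any protocol, from the listed ranges.
    - name: Allow traffic from trusted networks
      iptables:
        table: "filter"
        chain: "INPUT"
        source: "{{ item }}"
        jump: "ACCEPT"
      with_items: "{{ trusted_networks }}"

    - name: Allow traffic on public ports
      iptables:
        table: "filter"
        chain: "INPUT"
        protocol: "{{ item.protocol }}"
        destination_port: "{{ item.port }}"
        state: "{{ item.state }}"
        jump: "ACCEPT"
      with_items: "{{ public_ports }}"

    # Catch-all; REJECT (not DROP) so blocked clients fail fast. Keep last.
    - name: Block other traffic
      iptables:
        table: "filter"
        chain: "INPUT"
        jump: "REJECT"

    # Read-only: shows the resulting ruleset, it does not persist it.
    - name: List current iptables rules
      command: iptables-save
      register: output
      changed_when: false

    - debug:
        var: output.stdout_lines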