
Initial import for iptables

main
Daniele Tricoli 2 years ago
parent
commit
968a190099
  1. 1
      .gitignore
  2. 69
      roles/iptables/tasks/main.yml
  3. 10
      tests/Vagrantfile
  4. 5
      tests/test.yml

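--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.vagrant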

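--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
@@ -0,0 +1,69 @@
+- name: install iptables
+apt:
+name: iptables
+state: present
+update_cache: yes
+become: True
+- name: use legacy version of iptables
+alternatives:
+name: "{{ item }}"
+path: "/usr/sbin/{{ item }}-legacy"
+with_items:
+- iptables
+- ip6tables
+become: True
+- name: flush all the iptables rules
+iptables:
+flush: true
+become: True
+- name: firewall rule - allow incoming loopback traffic
+iptables:
+chain: INPUT
+in_interface: lo
+jump: ACCEPT
+become: True
+- name: firewall rule - allow outgoing loopback traffic
+iptables:
+chain: OUTPUT
+out_interface: lo
+jump: ACCEPT
+become: True
+- name: firewall rule - allow established connections
+iptables:
+chain: INPUT
+ctstate: ESTABLISHED,RELATED
+jump: ACCEPT
+become: True
+- name: firewall rule - allow incoming SSH
+iptables:
+chain: INPUT
+protocol: tcp
+destination_port: 22
+ctstate: NEW,ESTABLISHED
+jump: ACCEPT
+become: True
+- name: firewall rule - allow outgoing SSH
+iptables:
+chain: OUTPUT
+protocol: tcp
+source_port: 22
+ctstate: ESTABLISHED
+jump: ACCEPT
+become: True
+- name: set the policy for main chains to DROP
+iptables:
+chain: "{{ item }}"
+policy: DROP
+with_items:
+- INPUT
+- FORWARD
+- OUTPUT
+become: True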
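Review bot: Every `iptables:` task in this file acts on the IPv4 tables only (the module's `ip_version` defaults to ipv4), so after the policy task at the end of the hunk the IPv4 chains are DROP while the ip6tables chains that the `alternatives` task explicitly set up keep their default ACCEPT policy, and any service reachable over IPv6 bypasses this rule set entirely. Each ACCEPT rule and the policy task should run for both families, e.g. for the policy task `ip_version: "{{ item.1 }}"` with `chain: "{{ item.0 }}"` and `with_nested: [[INPUT, FORWARD, OUTPUT], [ipv4, ipv6]]`, and the same `ip_version` loop on the rule tasks. The rule set is also never saved, so a reboot returns the host to the default ACCEPT policies unless something outside this file persists it. On a second run the `apt` task's `update_cache: yes` needs new outbound connections that the OUTPUT DROP policy left by the previous run blocks, and the flush task leaves the DROP policies in place until the ESTABLISHED rule is re-added several tasks later, which can stall the Ansible SSH session in between. Lastly, `update_cache: yes` and `become: True` are YAML 1.1 truthy spellings; write `true`.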

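--- a/tests/Vagrantfile
+++ b/tests/Vagrantfile
@@ -0,0 +1,10 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+Vagrant.configure("2") do |config|
+config.vm.box = "debian/buster64"
+config.vm.provision "ansible" do |ansible|
+ansible.compatibility_mode = "2.0"
+ansible.playbook = "test.yml"
+end
+end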

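--- a/tests/test.yml
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- name: tests for ansible on mornie.org
+hosts: all
+roles:
+- {role: ../roles/iptables}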
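Review bot: The play applies the role but verifies nothing afterwards, so a provision that leaves the chain policies at ACCEPT or that locks the box out still counts as a passing test; a `post_tasks` step that runs `iptables -S INPUT` (and `ip6tables -S INPUT`) and asserts the output contains `-P INPUT DROP`, plus a trivial follow-up task to prove SSH still works, would make the Vagrant run meaningful as a test. The `- {role: ../roles/iptables}` flow mapping is better written in block style, `- role: ../roles/iptables`, to match the rest of the file.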