ff

2024-09-07 10:26:33 +03:00
parent 56b506550f
commit 551da1ffe5
1 changed files with 110 additions and 110 deletions
--- a/roles/configure/tasks/iptables.yaml
+++ b/roles/configure/tasks/iptables.yaml
@@ -16,133 +16,133 @@
    - { table: mangle, chain: OUTPUT }
  tags: 
  - flush
- name: Set default policies
-  iptables:
-    chain: "{{ item.chain }}"
-    policy: ACCEPT
-  loop:
-    - { chain: INPUT }
-    - { chain: OUTPUT }
-    - { chain: FORWARD }
-  tags: 
-  - flush
- name: Allow outgoing connections on LAN all
-  iptables:
-    chain: OUTPUT
-    out_interface: "{{ item }}"
-    jump: ACCEPT
-  loop: "{{ without_lte.stdout_lines }}"
+# - name: Set default policies
+#   iptables:
+#     chain: "{{ item.chain }}"
+#     policy: ACCEPT
+#   loop:
+#     - { chain: INPUT }
+#     - { chain: OUTPUT }
+#     - { chain: FORWARD }
+#   tags: 
+#   - flush
+# - name: Allow outgoing connections on LAN all
+#   iptables:
+#     chain: OUTPUT
+#     out_interface: "{{ item }}"
+#     jump: ACCEPT
+#   loop: "{{ without_lte.stdout_lines }}"

- name: Allow outgoing connections on LAN all
-  iptables:
-    chain: OUTPUT
-    out_interface: br0
-    jump: ACCEPT
+# - name: Allow outgoing connections on LAN all
+#   iptables:
+#     chain: OUTPUT
+#     out_interface: br0
+#     jump: ACCEPT

- name: Allow loopback traffic
-  iptables:
-    chain: INPUT
-    protocol: all
-    jump: ACCEPT
-    in_interface: lo
+# - name: Allow loopback traffic
+#   iptables:
+#     chain: INPUT
+#     protocol: all
+#     jump: ACCEPT
+#     in_interface: lo
    
- name: Allow loopback traffic for OUTPUT
-  iptables:
-    chain: OUTPUT
-    protocol: all
-    jump: ACCEPT
-    out_interface: lo
+# - name: Allow loopback traffic for OUTPUT
+#   iptables:
+#     chain: OUTPUT
+#     protocol: all
+#     jump: ACCEPT
+#     out_interface: lo

- name: Allow ICMP echo-reply
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: icmp
-    icmp_type: echo-reply  # Разрешаем ответы на ping
-    jump: ACCEPT
-    comment: Allow ICMP echo-reply
-    state: present
+# - name: Allow ICMP echo-reply
+#   ansible.builtin.iptables:
+#     chain: INPUT
+#     protocol: icmp
+#     icmp_type: echo-reply  # Разрешаем ответы на ping
+#     jump: ACCEPT
+#     comment: Allow ICMP echo-reply
+#     state: present
    
- name: Allow specific ICMP types
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: icmp
-    jump: ACCEPT
-    icmp_type: "{{ item }}"
-    comment: "Allow ICMP {{ item }}"
-  loop:
-    - destination-unreachable
-    - time-exceeded
+# - name: Allow specific ICMP types
+#   ansible.builtin.iptables:
+#     chain: INPUT
+#     protocol: icmp
+#     jump: ACCEPT
+#     icmp_type: "{{ item }}"
+#     comment: "Allow ICMP {{ item }}"
+#   loop:
+#     - destination-unreachable
+#     - time-exceeded
    
- name: Allow ICMP echo-request
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: icmp
-    icmp_type: echo-request  # Разрешаем запросы ping
-    jump: ACCEPT
-    comment: Allow ICMP echo-request
-    state: present
+# - name: Allow ICMP echo-request
+#   ansible.builtin.iptables:
+#     chain: INPUT
+#     protocol: icmp
+#     icmp_type: echo-request  # Разрешаем запросы ping
+#     jump: ACCEPT
+#     comment: Allow ICMP echo-request
+#     state: present

- name: Allow established and related connections
-  iptables:
-    chain: "{{ item }}"
-    protocol: all
-    jump: ACCEPT
-    ctstate:
-      - ESTABLISHED
-      - RELATED
-    action: insert
-    rule_num: 1
-  loop:
-    - INPUT
-    - OUTPUT
-    - FORWARD
+# - name: Allow established and related connections
+#   iptables:
+#     chain: "{{ item }}"
+#     protocol: all
+#     jump: ACCEPT
+#     ctstate:
+#       - ESTABLISHED
+#       - RELATED
+#     action: insert
+#     rule_num: 1
+#   loop:
+#     - INPUT
+#     - OUTPUT
+#     - FORWARD
  

- name: Drop invalid packets on INPUT
-  iptables:
-    chain: INPUT
-    jump: DROP
-    match: state
-    ctstate: INVALID
-    state: present
-    action: insert
-    rule_num: 1
- name: Drop invalid packets on FORWARD
-  iptables:
-    chain: FORWARD
-    jump: DROP
-    match: state
-    ctstate: INVALID
-    state: present
-    action: insert
-    rule_num: 1
+# - name: Drop invalid packets on INPUT
+#   iptables:
+#     chain: INPUT
+#     jump: DROP
+#     match: state
+#     ctstate: INVALID
+#     state: present
+#     action: insert
+#     rule_num: 1
+# - name: Drop invalid packets on FORWARD
+#   iptables:
+#     chain: FORWARD
+#     jump: DROP
+#     match: state
+#     ctstate: INVALID
+#     state: present
+#     action: insert
+#     rule_num: 1

- name: Drop non-SYN packets for new TCP connections in INPUT chain
-  iptables:
-    chain: INPUT
-    protocol: tcp
-    jump: DROP
-    match: conntrack
-    ctstate: NEW
-    syn: negate  # Это эквивалентно '! --syn'
+# - name: Drop non-SYN packets for new TCP connections in INPUT chain
+#   iptables:
+#     chain: INPUT
+#     protocol: tcp
+#     jump: DROP
+#     match: conntrack
+#     ctstate: NEW
+#     syn: negate  # Это эквивалентно '! --syn'

- name: Drop non-SYN packets for new TCP connections in OUTPUT chain
-  iptables:
-    chain: OUTPUT
-    protocol: tcp
-    jump: DROP
-    match: conntrack
-    ctstate: NEW
-    syn: negate  # Это эквивалентно '! --syn'
+# - name: Drop non-SYN packets for new TCP connections in OUTPUT chain
+#   iptables:
+#     chain: OUTPUT
+#     protocol: tcp
+#     jump: DROP
+#     match: conntrack
+#     ctstate: NEW
+#     syn: negate  # Это эквивалентно '! --syn'
    
- name: Allow TCP MSS clamping
-  command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+# - name: Allow TCP MSS clamping
+#   command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


 - name: Allow traffic from br0 to {{ lte_int.stdout }}
  iptables:
    chain: FORWARD
-    in_interface: br0
+    # in_interface: br0
    out_interface: "{{ lte_int.stdout }}"
    jump: ACCEPT
    action: insert