From 551da1ffe5908e20ed0977fbb1cc39f5a5835e41 Mon Sep 17 00:00:00 2001
From: Aleksandr Malyavin
Date: Sat, 7 Sep 2024 10:26:33 +0300
Subject: [PATCH] ff
---
 roles/configure/tasks/iptables.yaml | 220 ++++++++++++++--------------
 1 file changed, 110 insertions(+), 110 deletions(-)
diff --git a/roles/configure/tasks/iptables.yaml b/roles/configure/tasks/iptables.yaml
index 1401117..7d83b75 100644
--- a/roles/configure/tasks/iptables.yaml
+++ b/roles/configure/tasks/iptables.yaml
@@ -16,133 +16,133 @@ - { table: mangle, chain: OUTPUT } tags: - flush -- name: Set default policies - iptables: - chain: "{{ item.chain }}" - policy: ACCEPT - loop: - - { chain: INPUT } - - { chain: OUTPUT } - - { chain: FORWARD } - tags: - - flush -- name: Allow outgoing connections on LAN all - iptables: - chain: OUTPUT - out_interface: "{{ item }}" - jump: ACCEPT - loop: "{{ without_lte.stdout_lines }}" +# - name: Set default policies +# iptables: +# chain: "{{ item.chain }}" +# policy: ACCEPT +# loop: +# - { chain: INPUT } +# - { chain: OUTPUT } +# - { chain: FORWARD } +# tags: +# - flush +# - name: Allow outgoing connections on LAN all +# iptables: +# chain: OUTPUT +# out_interface: "{{ item }}" +# jump: ACCEPT +# loop: "{{ without_lte.stdout_lines }}" -- name: Allow outgoing connections on LAN all - iptables: - chain: OUTPUT - out_interface: br0 - jump: ACCEPT +# - name: Allow outgoing connections on LAN all +# iptables: +# chain: OUTPUT +# out_interface: br0 +# jump: ACCEPT -- name: Allow loopback traffic - iptables: - chain: INPUT - protocol: all - jump: ACCEPT - in_interface: lo +# - name: Allow loopback traffic +# iptables: +# chain: INPUT +# protocol: all +# jump: ACCEPT +# in_interface: lo -- name: Allow loopback traffic for OUTPUT - iptables: - chain: OUTPUT - protocol: all - jump: ACCEPT - out_interface: lo +# - name: Allow loopback traffic for OUTPUT +# iptables: +# chain: OUTPUT +# protocol: all +# jump: ACCEPT +# out_interface: lo -- name: Allow ICMP echo-reply - ansible.builtin.iptables: - chain: INPUT - protocol: icmp - icmp_type: echo-reply # Разрешаем ответы на ping - jump: ACCEPT - comment: Allow ICMP echo-reply - state: present +# - name: Allow ICMP echo-reply +# ansible.builtin.iptables: +# chain: INPUT +# protocol: icmp +# icmp_type: echo-reply # Разрешаем ответы на ping +# jump: ACCEPT +# comment: Allow ICMP echo-reply +# state: present -- name: Allow specific ICMP types - ansible.builtin.iptables: - chain: INPUT - protocol: icmp - jump: 
ACCEPT - icmp_type: "{{ item }}" - comment: "Allow ICMP {{ item }}" - loop: - - destination-unreachable - - time-exceeded +# - name: Allow specific ICMP types +# ansible.builtin.iptables: +# chain: INPUT +# protocol: icmp +# jump: ACCEPT +# icmp_type: "{{ item }}" +# comment: "Allow ICMP {{ item }}" +# loop: +# - destination-unreachable +# - time-exceeded -- name: Allow ICMP echo-request - ansible.builtin.iptables: - chain: INPUT - protocol: icmp - icmp_type: echo-request # Разрешаем запросы ping - jump: ACCEPT - comment: Allow ICMP echo-request - state: present +# - name: Allow ICMP echo-request +# ansible.builtin.iptables: +# chain: INPUT +# protocol: icmp +# icmp_type: echo-request # Разрешаем запросы ping +# jump: ACCEPT +# comment: Allow ICMP echo-request +# state: present -- name: Allow established and related connections - iptables: - chain: "{{ item }}" - protocol: all - jump: ACCEPT - ctstate: - - ESTABLISHED - - RELATED - action: insert - rule_num: 1 - loop: - - INPUT - - OUTPUT - - FORWARD +# - name: Allow established and related connections +# iptables: +# chain: "{{ item }}" +# protocol: all +# jump: ACCEPT +# ctstate: +# - ESTABLISHED +# - RELATED +# action: insert +# rule_num: 1 +# loop: +# - INPUT +# - OUTPUT +# - FORWARD -- name: Drop invalid packets on INPUT - iptables: - chain: INPUT - jump: DROP - match: state - ctstate: INVALID - state: present - action: insert - rule_num: 1 -- name: Drop invalid packets on FORWARD - iptables: - chain: FORWARD - jump: DROP - match: state - ctstate: INVALID - state: present - action: insert - rule_num: 1 +# - name: Drop invalid packets on INPUT +# iptables: +# chain: INPUT +# jump: DROP +# match: state +# ctstate: INVALID +# state: present +# action: insert +# rule_num: 1 +# - name: Drop invalid packets on FORWARD +# iptables: +# chain: FORWARD +# jump: DROP +# match: state +# ctstate: INVALID +# state: present +# action: insert +# rule_num: 1 -- name: Drop non-SYN packets for new TCP connections in INPUT chain 
- iptables: - chain: INPUT - protocol: tcp - jump: DROP - match: conntrack - ctstate: NEW - syn: negate # Это эквивалентно '! --syn' +# - name: Drop non-SYN packets for new TCP connections in INPUT chain +# iptables: +# chain: INPUT +# protocol: tcp +# jump: DROP +# match: conntrack +# ctstate: NEW +# syn: negate # Это эквивалентно '! --syn' -- name: Drop non-SYN packets for new TCP connections in OUTPUT chain - iptables: - chain: OUTPUT - protocol: tcp - jump: DROP - match: conntrack - ctstate: NEW - syn: negate # Это эквивалентно '! --syn' +# - name: Drop non-SYN packets for new TCP connections in OUTPUT chain +# iptables: +# chain: OUTPUT +# protocol: tcp +# jump: DROP +# match: conntrack +# ctstate: NEW +# syn: negate # Это эквивалентно '! --syn' -- name: Allow TCP MSS clamping - command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +# - name: Allow TCP MSS clamping +# command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - name: Allow traffic from br0 to {{ lte_int.stdout }} iptables: chain: FORWARD - in_interface: br0 + # in_interface: br0 out_interface: "{{ lte_int.stdout }}" jump: ACCEPT action: insert
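Review bot: Commenting out `in_interface: br0` on the `Allow traffic from br0 to {{ lte_int.stdout }}` task at the end of the hunk turns a FORWARD rule that only matched LAN-originated traffic into an ACCEPT for anything arriving on any interface and leaving via the LTE uplink, while the task name still promises the br0 restriction; either keep `in_interface: br0` or rename the task so the wider match is explicit. The same hunk disables the default-policy, loopback, ESTABLISHED/RELATED, INVALID-drop and non-SYN-drop tasks by commenting them out, but the flush loop whose tail forms the hunk's leading context stays active, so a run now appears to end with emptied chains and whatever policies the host already had — a host left on a DROP policy by an earlier run could lock itself out, since "Set default policies" is among the disabled tasks. If these tasks are meant to be retired, deleting them or gating them with a `when:` or a tag records that intent better than ninety lines of commented YAML, which no linter or schema check will validate and which the commit message "ff" does not explain. The task ending the hunk (`action: insert`) continues past the end of the hunk.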