ff

roles/configure/tasks/iptables.yaml

@@ -26,128 +26,128 @@
     - { chain: FORWARD }
   tags: 
   - flush
-- name: Allow outgoing connections on LAN all
+# - name: Allow outgoing connections on LAN all
-  iptables:
+#   iptables:
-    chain: OUTPUT
+#     chain: OUTPUT
-    out_interface: "{{ item }}"
+#     out_interface: "{{ item }}"
-    jump: ACCEPT
+#     jump: ACCEPT
-  loop: "{{ without_lte.stdout_lines }}"
+#   loop: "{{ without_lte.stdout_lines }}"
 
-- name: Allow loopback traffic
+# - name: Allow loopback traffic
-  iptables:
+#   iptables:
-    chain: INPUT
+#     chain: INPUT
-    protocol: all
+#     protocol: all
-    jump: ACCEPT
+#     jump: ACCEPT
-    in_interface: lo
+#     in_interface: lo
     
-- name: Allow loopback traffic for OUTPUT
+# - name: Allow loopback traffic for OUTPUT
-  iptables:
+#   iptables:
-    chain: OUTPUT
+#     chain: OUTPUT
-    protocol: all
+#     protocol: all
-    jump: ACCEPT
+#     jump: ACCEPT
-    out_interface: lo
+#     out_interface: lo
 
-- name: Allow ICMP echo-reply
+# - name: Allow ICMP echo-reply
-  ansible.builtin.iptables:
+#   ansible.builtin.iptables:
-    chain: INPUT
+#     chain: INPUT
-    protocol: icmp
+#     protocol: icmp
-    icmp_type: echo-reply  # Разрешаем ответы на ping
+#     icmp_type: echo-reply  # Разрешаем ответы на ping
-    jump: ACCEPT
+#     jump: ACCEPT
-    comment: Allow ICMP echo-reply
+#     comment: Allow ICMP echo-reply
-    state: present
+#     state: present
     
-- name: Allow specific ICMP types
+# - name: Allow specific ICMP types
-  ansible.builtin.iptables:
+#   ansible.builtin.iptables:
-    chain: INPUT
+#     chain: INPUT
-    protocol: icmp
+#     protocol: icmp
-    jump: ACCEPT
+#     jump: ACCEPT
-    icmp_type: "{{ item }}"
+#     icmp_type: "{{ item }}"
-    comment: "Allow ICMP {{ item }}"
+#     comment: "Allow ICMP {{ item }}"
-  loop:
+#   loop:
-    - destination-unreachable
+#     - destination-unreachable
-    - time-exceeded
+#     - time-exceeded
     
-- name: Allow ICMP echo-request
+# - name: Allow ICMP echo-request
-  ansible.builtin.iptables:
+#   ansible.builtin.iptables:
-    chain: INPUT
+#     chain: INPUT
-    protocol: icmp
+#     protocol: icmp
-    icmp_type: echo-request  # Разрешаем запросы ping
+#     icmp_type: echo-request  # Разрешаем запросы ping
-    jump: ACCEPT
+#     jump: ACCEPT
-    comment: Allow ICMP echo-request
+#     comment: Allow ICMP echo-request
-    state: present
+#     state: present
 
-- name: Allow established and related connections
+# - name: Allow established and related connections
-  iptables:
+#   iptables:
-    chain: "{{ item }}"
+#     chain: "{{ item }}"
-    protocol: all
+#     protocol: all
-    jump: ACCEPT
+#     jump: ACCEPT
-    ctstate:
+#     ctstate:
-      - ESTABLISHED
+#       - ESTABLISHED
-      - RELATED
+#       - RELATED
-    action: insert
+#     action: insert
-    rule_num: 1
+#     rule_num: 1
-  loop:
+#   loop:
-    - INPUT
+#     - INPUT
-    - OUTPUT
+#     - OUTPUT
-    - FORWARD
+#     - FORWARD
   
 
-- name: Drop invalid packets on INPUT
+# - name: Drop invalid packets on INPUT
-  iptables:
+#   iptables:
-    chain: INPUT
+#     chain: INPUT
-    jump: DROP
+#     jump: DROP
-    match: state
+#     match: state
-    ctstate: INVALID
+#     ctstate: INVALID
-    state: present
+#     state: present
-    action: insert
+#     action: insert
-    rule_num: 1
+#     rule_num: 1
-- name: Drop invalid packets on FORWARD
+# - name: Drop invalid packets on FORWARD
-  iptables:
+#   iptables:
-    chain: FORWARD
+#     chain: FORWARD
-    jump: DROP
+#     jump: DROP
-    match: state
+#     match: state
-    ctstate: INVALID
+#     ctstate: INVALID
-    state: present
+#     state: present
-    action: insert
+#     action: insert
-    rule_num: 1
+#     rule_num: 1
 
-- name: Drop non-SYN packets for new TCP connections in INPUT chain
+# - name: Drop non-SYN packets for new TCP connections in INPUT chain
-  iptables:
+#   iptables:
-    chain: INPUT
+#     chain: INPUT
-    protocol: tcp
+#     protocol: tcp
-    jump: DROP
+#     jump: DROP
-    match: conntrack
+#     match: conntrack
-    ctstate: NEW
+#     ctstate: NEW
-    syn: negate  # Это эквивалентно '! --syn'
+#     syn: negate  # Это эквивалентно '! --syn'
 
-- name: Drop non-SYN packets for new TCP connections in OUTPUT chain
+# - name: Drop non-SYN packets for new TCP connections in OUTPUT chain
-  iptables:
+#   iptables:
-    chain: OUTPUT
+#     chain: OUTPUT
-    protocol: tcp
+#     protocol: tcp
-    jump: DROP
+#     jump: DROP
-    match: conntrack
+#     match: conntrack
-    ctstate: NEW
+#     ctstate: NEW
-    syn: negate  # Это эквивалентно '! --syn'
+#     syn: negate  # Это эквивалентно '! --syn'
     
-- name: Allow TCP MSS clamping
+# - name: Allow TCP MSS clamping
-  command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+#   command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
 
-- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}
+# - name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}
-  iptables:
+#   iptables:
-    chain: FORWARD
+#     chain: FORWARD
-    in_interface: "{{ wifi_int.stdout }}"
+#     in_interface: "{{ wifi_int.stdout }}"
-    out_interface: "{{ lte_int.stdout }}"
+#     out_interface: "{{ lte_int.stdout }}"
-    jump: ACCEPT
+#     jump: ACCEPT
-    action: insert
+#     action: insert
-    rule_num: 3 
+#     rule_num: 3 
 
-- name: Enable masquerading for {{ lte_int.stdout }}
+# - name: Enable masquerading for {{ lte_int.stdout }}
-  iptables:
+#   iptables:
-    chain: POSTROUTING
+#     chain: POSTROUTING
-    jump: MASQUERADE
+#     jump: MASQUERADE
-    table: nat
+#     table: nat
-    out_interface: "{{ lte_int.stdout }}"
+#     out_interface: "{{ lte_int.stdout }}"
 
-- name: Save iptables rules
+# - name: Save iptables rules
-  command: iptables-save -f /etc/iptables/iptables.rules
+#   command: iptables-save -f /etc/iptables/iptables.rules