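# Firewall bring-up for a router with a LAN bridge (br0) and an LTE uplink:
# flush every chain, add the forward + masquerade rules for the uplink, then
# persist the ruleset. Required registered variable: lte_int (stdout holds the
# uplink interface name). The large commented-out section in the middle is a
# disabled baseline (default policies, loopback, ICMP, conntrack, anti-spoof
# SYN checks, MSS clamping); as long as it stays disabled, INPUT/OUTPUT carry
# NO rules after the flush and host exposure is decided solely by the chain
# policies, which this file never sets.

# Flush the listed chains. Chain policies are not touched, so whatever policy
# was in place before the run survives. mangle INPUT/POSTROUTING are not in
# the list — NOTE(review): confirm that is intended.
- name: Iptables flush
  ansible.builtin.iptables:
    table: "{{ item.table }}"
    chain: "{{ item.chain }}"
    flush: true
  loop:
    - { table: filter, chain: INPUT }
    - { table: filter, chain: FORWARD }
    - { table: filter, chain: OUTPUT }
    - { table: nat, chain: PREROUTING }
    - { table: nat, chain: POSTROUTING }
    - { table: nat, chain: INPUT }
    - { table: nat, chain: OUTPUT }
    - { table: mangle, chain: PREROUTING }
    - { table: mangle, chain: FORWARD }
    - { table: mangle, chain: OUTPUT }
  tags:
    - flush

# ---------------------------------------------------------------------------
# Disabled baseline rules (kept for reference; not executed).
# ---------------------------------------------------------------------------
# - name: Set default policies
#   iptables:
#     chain: "{{ item.chain }}"
#     policy: ACCEPT
#   loop:
#     - { chain: INPUT }
#     - { chain: OUTPUT }
#     - { chain: FORWARD }
#   tags:
#     - flush
#
# - name: Allow outgoing connections on LAN all
#   iptables:
#     chain: OUTPUT
#     out_interface: "{{ item }}"
#     jump: ACCEPT
#   loop: "{{ without_lte.stdout_lines }}"
#
# - name: Allow outgoing connections on LAN all
#   iptables:
#     chain: OUTPUT
#     out_interface: br0
#     jump: ACCEPT
#
# - name: Allow loopback traffic
#   iptables:
#     chain: INPUT
#     protocol: all
#     jump: ACCEPT
#     in_interface: lo
#
# - name: Allow loopback traffic for OUTPUT
#   iptables:
#     chain: OUTPUT
#     protocol: all
#     jump: ACCEPT
#     out_interface: lo
#
# - name: Allow ICMP echo-reply
#   ansible.builtin.iptables:
#     chain: INPUT
#     protocol: icmp
#     icmp_type: echo-reply  # allow replies to our own pings
#     jump: ACCEPT
#     comment: Allow ICMP echo-reply
#     state: present
#
# - name: Allow specific ICMP types
#   ansible.builtin.iptables:
#     chain: INPUT
#     protocol: icmp
#     jump: ACCEPT
#     icmp_type: "{{ item }}"
#     comment: "Allow ICMP {{ item }}"
#   loop:
#     - destination-unreachable
#     - time-exceeded
#
# - name: Allow ICMP echo-request
#   ansible.builtin.iptables:
#     chain: INPUT
#     protocol: icmp
#     icmp_type: echo-request  # allow incoming ping requests
#     jump: ACCEPT
#     comment: Allow ICMP echo-request
#     state: present
#
# - name: Allow established and related connections
#   iptables:
#     chain: "{{ item }}"
#     protocol: all
#     jump: ACCEPT
#     ctstate:
#       - ESTABLISHED
#       - RELATED
#     action: insert
#     rule_num: 1
#   loop:
#     - INPUT
#     - OUTPUT
#     - FORWARD
#
# - name: Drop invalid packets on INPUT
#   iptables:
#     chain: INPUT
#     jump: DROP
#     match: state
#     ctstate: INVALID
#     state: present
#     action: insert
#     rule_num: 1
#
# - name: Drop invalid packets on FORWARD
#   iptables:
#     chain: FORWARD
#     jump: DROP
#     match: state
#     ctstate: INVALID
#     state: present
#     action: insert
#     rule_num: 1
#
# - name: Drop non-SYN packets for new TCP connections in INPUT chain
#   iptables:
#     chain: INPUT
#     protocol: tcp
#     jump: DROP
#     match: conntrack
#     ctstate: NEW
#     syn: negate  # equivalent to '! --syn'
#
# - name: Drop non-SYN packets for new TCP connections in OUTPUT chain
#   iptables:
#     chain: OUTPUT
#     protocol: tcp
#     jump: DROP
#     match: conntrack
#     ctstate: NEW
#     syn: negate  # equivalent to '! --syn'
#
# - name: Allow TCP MSS clamping
#   command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# ---------------------------------------------------------------------------

# Accept forwarded traffic leaving via the LTE uplink. `in_interface: br0` is
# commented out, so the match is on egress interface only: forwarded packets
# from ANY ingress interface toward the uplink are accepted, not just br0.
# NOTE(review): confirm that is intended; re-enabling in_interface narrows it.
# NOTE(review): `action: insert` + `rule_num: 3` requires at least two rules
# already present in FORWARD; straight after the flush above, with the
# baseline tasks disabled, the chain may hold fewer and iptables refuses an
# insert index beyond (rule count + 1). rule_num: 1 or a plain append avoids
# that; changed here only in the note, not in the task.
- name: "Allow traffic from br0 to {{ lte_int.stdout }}"
  ansible.builtin.iptables:
    chain: FORWARD
    # in_interface: br0
    out_interface: "{{ lte_int.stdout }}"
    jump: ACCEPT
    action: insert
    rule_num: 3

# Masquerade everything leaving the LTE uplink. There is no source restriction,
# so every forwarded packet exiting this interface is NATed.
- name: "Enable masquerading for {{ lte_int.stdout }}"
  ansible.builtin.iptables:
    table: nat
    chain: POSTROUTING
    out_interface: "{{ lte_int.stdout }}"
    jump: MASQUERADE

# Persist the running ruleset to disk. Nothing in this file restores it at
# boot; that depends on whatever reads this path (not shown here).
- name: Save iptables rules
  ansible.builtin.command: iptables-save -f /etc/iptables/iptables.rules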