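---
# Firewall tasks for a router with a LAN bridge (br0) and an LTE uplink.
# `lte_int` and `without_lte` are registered results produced elsewhere
# (presumably the uplink interface name and the list of non-LTE
# interfaces) — confirm against the tasks that set them.
#
# Order matters: flush everything, reset policies, add allow/drop rules
# (several are inserted at the head of their chain), then persist.
#
# NOTE(review): "Set default policies" leaves INPUT and FORWARD at ACCEPT
# and no later rule drops unmatched traffic, so the ACCEPT rules below
# only affect ordering; nothing here blocks new inbound connections or
# forwarding that arrives on the LTE side. Confirm that is intended before
# relying on this play as the host's only perimeter.

- name: Iptables flush
  ansible.builtin.iptables:
    table: "{{ item.table }}"
    chain: "{{ item.chain }}"
    flush: true
  # All built-in chains of the three tables used below. mangle has five
  # built-in chains; its INPUT and POSTROUTING are included so a re-run
  # does not leave stale rules behind.
  loop:
    - { table: filter, chain: INPUT }
    - { table: filter, chain: FORWARD }
    - { table: filter, chain: OUTPUT }
    - { table: nat, chain: PREROUTING }
    - { table: nat, chain: INPUT }
    - { table: nat, chain: OUTPUT }
    - { table: nat, chain: POSTROUTING }
    - { table: mangle, chain: PREROUTING }
    - { table: mangle, chain: INPUT }
    - { table: mangle, chain: FORWARD }
    - { table: mangle, chain: OUTPUT }
    - { table: mangle, chain: POSTROUTING }
  tags:
    - flush

- name: Set default policies
  ansible.builtin.iptables:
    chain: "{{ item }}"
    policy: ACCEPT
  loop:
    - INPUT
    - OUTPUT
    - FORWARD
  tags:
    - flush

- name: Allow outgoing connections on LAN all
  ansible.builtin.iptables:
    chain: OUTPUT
    out_interface: "{{ item }}"
    jump: ACCEPT
  loop: "{{ without_lte.stdout_lines }}"

- name: Allow outgoing connections on br0
  ansible.builtin.iptables:
    chain: OUTPUT
    out_interface: br0
    jump: ACCEPT

- name: Allow loopback traffic
  ansible.builtin.iptables:
    chain: INPUT
    protocol: all
    jump: ACCEPT
    in_interface: lo

- name: Allow loopback traffic for OUTPUT
  ansible.builtin.iptables:
    chain: OUTPUT
    protocol: all
    jump: ACCEPT
    out_interface: lo

# Accepted ICMP types: ping replies and requests, plus the two error types
# needed for path-MTU discovery and traceroute to work.
- name: Allow specific ICMP types
  ansible.builtin.iptables:
    chain: INPUT
    protocol: icmp
    icmp_type: "{{ item }}"
    jump: ACCEPT
    comment: "Allow ICMP {{ item }}"
    state: present
  loop:
    - echo-reply
    - destination-unreachable
    - time-exceeded
    - echo-request

# Inserted at position 1 so replies to existing connections are accepted
# before any other rule in the chain.
- name: Allow established and related connections
  ansible.builtin.iptables:
    chain: "{{ item }}"
    protocol: all
    jump: ACCEPT
    ctstate:
      - ESTABLISHED
      - RELATED
    action: insert
    rule_num: 1
  loop:
    - INPUT
    - OUTPUT
    - FORWARD

# Also inserted at position 1, which pushes the ESTABLISHED/RELATED rule
# above to position 2: invalid packets are dropped first.
- name: Drop invalid packets
  ansible.builtin.iptables:
    chain: "{{ item }}"
    jump: DROP
    match: state
    ctstate: INVALID
    state: present
    action: insert
    rule_num: 1
  loop:
    - INPUT
    - FORWARD

- name: Drop non-SYN packets for new TCP connections
  ansible.builtin.iptables:
    chain: "{{ item }}"
    protocol: tcp
    jump: DROP
    match: conntrack
    ctstate: NEW
    syn: negate  # equivalent to '! --syn'
  loop:
    - INPUT
    - OUTPUT

# MSS clamping lives in the mangle table, which is traversed before the
# filter table. In filter/FORWARD it would sit behind the ACCEPT rules
# (ESTABLISHED at position 2, br0 -> LTE at position 3) and never see the
# SYN packets it is meant to clamp. The `iptables -C` probe keeps the
# append idempotent when the flush tag is skipped.
- name: Check whether the TCP MSS clamping rule already exists
  ansible.builtin.command: >-
    iptables -t mangle -C FORWARD -p tcp --tcp-flags SYN,RST SYN
    -j TCPMSS --clamp-mss-to-pmtu
  register: mss_clamp_rule
  changed_when: false
  failed_when: false

- name: Allow TCP MSS clamping
  ansible.builtin.command: >-
    iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
    -j TCPMSS --clamp-mss-to-pmtu
  when: mss_clamp_rule.rc != 0

# Position 3 places this directly after the two head-inserted rules
# (INVALID drop, ESTABLISHED/RELATED accept).
- name: Allow traffic from br0 to {{ lte_int.stdout }}
  ansible.builtin.iptables:
    chain: FORWARD
    in_interface: br0
    out_interface: "{{ lte_int.stdout }}"
    jump: ACCEPT
    action: insert
    rule_num: 3

- name: Enable masquerading for {{ lte_int.stdout }}
  ansible.builtin.iptables:
    chain: POSTROUTING
    jump: MASQUERADE
    table: nat
    out_interface: "{{ lte_int.stdout }}"

- name: Save iptables rules
  ansible.builtin.command: iptables-save -f /etc/iptables/iptables.rules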