153 lines
3.5 KiB
YAML
153 lines
3.5 KiB
YAML
- name: Iptables flush
|
|
ansible.builtin.iptables:
|
|
table: "{{ item.table }}"
|
|
chain: "{{ item.chain }}"
|
|
flush: yes
|
|
loop:
|
|
- { table: filter, chain: INPUT }
|
|
- { table: filter, chain: FORWARD }
|
|
- { table: filter, chain: OUTPUT }
|
|
- { table: nat, chain: PREROUTING }
|
|
- { table: nat, chain: POSTROUTING }
|
|
- { table: nat, chain: INPUT }
|
|
- { table: nat, chain: OUTPUT }
|
|
- { table: mangle, chain: PREROUTING }
|
|
- { table: mangle, chain: FORWARD }
|
|
- { table: mangle, chain: OUTPUT }
|
|
tags:
|
|
- flush
|
|
- name: Set default policies
|
|
iptables:
|
|
chain: "{{ item.chain }}"
|
|
policy: ACCEPT
|
|
loop:
|
|
- { chain: INPUT }
|
|
- { chain: OUTPUT }
|
|
- { chain: FORWARD }
|
|
tags:
|
|
- flush
|
|
- name: Allow outgoing connections on LAN all
|
|
iptables:
|
|
chain: OUTPUT
|
|
out_interface: "{{ item }}"
|
|
jump: ACCEPT
|
|
loop: "{{ without_lte.stdout_lines }}"
|
|
|
|
- name: Allow loopback traffic
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: all
|
|
jump: ACCEPT
|
|
in_interface: lo
|
|
|
|
- name: Allow loopback traffic for OUTPUT
|
|
iptables:
|
|
chain: OUTPUT
|
|
protocol: all
|
|
jump: ACCEPT
|
|
out_interface: lo
|
|
|
|
- name: Allow ICMP echo-reply
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: icmp
|
|
icmp_type: echo-reply # Разрешаем ответы на ping
|
|
jump: ACCEPT
|
|
comment: Allow ICMP echo-reply
|
|
state: present
|
|
|
|
- name: Allow specific ICMP types
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: icmp
|
|
jump: ACCEPT
|
|
icmp_type: "{{ item }}"
|
|
comment: "Allow ICMP {{ item }}"
|
|
loop:
|
|
- destination-unreachable
|
|
- time-exceeded
|
|
|
|
- name: Allow ICMP echo-request
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: icmp
|
|
icmp_type: echo-request # Разрешаем запросы ping
|
|
jump: ACCEPT
|
|
comment: Allow ICMP echo-request
|
|
state: present
|
|
|
|
- name: Allow established and related connections
|
|
iptables:
|
|
chain: "{{ item }}"
|
|
protocol: all
|
|
jump: ACCEPT
|
|
ctstate:
|
|
- ESTABLISHED
|
|
- RELATED
|
|
action: insert
|
|
rule_num: 1
|
|
loop:
|
|
- INPUT
|
|
- OUTPUT
|
|
- FORWARD
|
|
|
|
|
|
- name: Drop invalid packets on INPUT
|
|
iptables:
|
|
chain: INPUT
|
|
jump: DROP
|
|
match: state
|
|
ctstate: INVALID
|
|
state: present
|
|
action: insert
|
|
rule_num: 1
|
|
- name: Drop invalid packets on FORWARD
|
|
iptables:
|
|
chain: FORWARD
|
|
jump: DROP
|
|
match: state
|
|
ctstate: INVALID
|
|
state: present
|
|
action: insert
|
|
rule_num: 1
|
|
|
|
- name: Drop non-SYN packets for new TCP connections in INPUT chain
|
|
iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
jump: DROP
|
|
match: conntrack
|
|
ctstate: NEW
|
|
syn: negate # Это эквивалентно '! --syn'
|
|
|
|
- name: Drop non-SYN packets for new TCP connections in OUTPUT chain
|
|
iptables:
|
|
chain: OUTPUT
|
|
protocol: tcp
|
|
jump: DROP
|
|
match: conntrack
|
|
ctstate: NEW
|
|
syn: negate # Это эквивалентно '! --syn'
|
|
|
|
- name: Allow TCP MSS clamping
|
|
command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
|
|
|
|
- name: Allow traffic from {{ wifi_int.stdout }} to {{ lte_int.stdout }}
|
|
iptables:
|
|
chain: FORWARD
|
|
in_interface: "{{ wifi_int.stdout }}"
|
|
out_interface: "{{ lte_int.stdout }}"
|
|
jump: ACCEPT
|
|
action: insert
|
|
rule_num: 4
|
|
|
|
- name: Enable masquerading for {{ lte_int.stdout }}
|
|
iptables:
|
|
chain: POSTROUTING
|
|
jump: MASQUERADE
|
|
table: nat
|
|
out_interface: "{{ lte_int.stdout }}"
|
|
|
|
- name: Save iptables rules
|
|
command: iptables-save -f /etc/iptables/iptables.rules |