159 lines
3.8 KiB
YAML
159 lines
3.8 KiB
YAML
- name: Iptables flush
|
|
ansible.builtin.iptables:
|
|
table: "{{ item.table }}"
|
|
chain: "{{ item.chain }}"
|
|
flush: yes
|
|
loop:
|
|
- { table: filter, chain: INPUT }
|
|
- { table: filter, chain: FORWARD }
|
|
- { table: filter, chain: OUTPUT }
|
|
- { table: nat, chain: PREROUTING }
|
|
- { table: nat, chain: POSTROUTING }
|
|
- { table: nat, chain: INPUT }
|
|
- { table: nat, chain: OUTPUT }
|
|
- { table: mangle, chain: PREROUTING }
|
|
- { table: mangle, chain: FORWARD }
|
|
- { table: mangle, chain: OUTPUT }
|
|
tags:
|
|
- flush
|
|
# - name: Set default policies
|
|
# iptables:
|
|
# chain: "{{ item.chain }}"
|
|
# policy: ACCEPT
|
|
# loop:
|
|
# - { chain: INPUT }
|
|
# - { chain: OUTPUT }
|
|
# - { chain: FORWARD }
|
|
# tags:
|
|
# - flush
|
|
# - name: Allow outgoing connections on LAN all
|
|
# iptables:
|
|
# chain: OUTPUT
|
|
# out_interface: "{{ item }}"
|
|
# jump: ACCEPT
|
|
# loop: "{{ without_lte.stdout_lines }}"
|
|
|
|
# - name: Allow outgoing connections on LAN all
|
|
# iptables:
|
|
# chain: OUTPUT
|
|
# out_interface: br0
|
|
# jump: ACCEPT
|
|
|
|
# - name: Allow loopback traffic
|
|
# iptables:
|
|
# chain: INPUT
|
|
# protocol: all
|
|
# jump: ACCEPT
|
|
# in_interface: lo
|
|
|
|
# - name: Allow loopback traffic for OUTPUT
|
|
# iptables:
|
|
# chain: OUTPUT
|
|
# protocol: all
|
|
# jump: ACCEPT
|
|
# out_interface: lo
|
|
|
|
# - name: Allow ICMP echo-reply
|
|
# ansible.builtin.iptables:
|
|
# chain: INPUT
|
|
# protocol: icmp
|
|
# icmp_type: echo-reply # Разрешаем ответы на ping
|
|
# jump: ACCEPT
|
|
# comment: Allow ICMP echo-reply
|
|
# state: present
|
|
|
|
# - name: Allow specific ICMP types
|
|
# ansible.builtin.iptables:
|
|
# chain: INPUT
|
|
# protocol: icmp
|
|
# jump: ACCEPT
|
|
# icmp_type: "{{ item }}"
|
|
# comment: "Allow ICMP {{ item }}"
|
|
# loop:
|
|
# - destination-unreachable
|
|
# - time-exceeded
|
|
|
|
# - name: Allow ICMP echo-request
|
|
# ansible.builtin.iptables:
|
|
# chain: INPUT
|
|
# protocol: icmp
|
|
# icmp_type: echo-request # Разрешаем запросы ping
|
|
# jump: ACCEPT
|
|
# comment: Allow ICMP echo-request
|
|
# state: present
|
|
|
|
# - name: Allow established and related connections
|
|
# iptables:
|
|
# chain: "{{ item }}"
|
|
# protocol: all
|
|
# jump: ACCEPT
|
|
# ctstate:
|
|
# - ESTABLISHED
|
|
# - RELATED
|
|
# action: insert
|
|
# rule_num: 1
|
|
# loop:
|
|
# - INPUT
|
|
# - OUTPUT
|
|
# - FORWARD
|
|
|
|
|
|
# - name: Drop invalid packets on INPUT
|
|
# iptables:
|
|
# chain: INPUT
|
|
# jump: DROP
|
|
# match: state
|
|
# ctstate: INVALID
|
|
# state: present
|
|
# action: insert
|
|
# rule_num: 1
|
|
# - name: Drop invalid packets on FORWARD
|
|
# iptables:
|
|
# chain: FORWARD
|
|
# jump: DROP
|
|
# match: state
|
|
# ctstate: INVALID
|
|
# state: present
|
|
# action: insert
|
|
# rule_num: 1
|
|
|
|
# - name: Drop non-SYN packets for new TCP connections in INPUT chain
|
|
# iptables:
|
|
# chain: INPUT
|
|
# protocol: tcp
|
|
# jump: DROP
|
|
# match: conntrack
|
|
# ctstate: NEW
|
|
# syn: negate # Это эквивалентно '! --syn'
|
|
|
|
# - name: Drop non-SYN packets for new TCP connections in OUTPUT chain
|
|
# iptables:
|
|
# chain: OUTPUT
|
|
# protocol: tcp
|
|
# jump: DROP
|
|
# match: conntrack
|
|
# ctstate: NEW
|
|
# syn: negate # Это эквивалентно '! --syn'
|
|
|
|
# - name: Allow TCP MSS clamping
|
|
# command: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
|
|
|
|
- name: Allow traffic from br0 to {{ lte_int.stdout }}
|
|
iptables:
|
|
chain: FORWARD
|
|
# in_interface: br0
|
|
out_interface: "{{ lte_int.stdout }}"
|
|
jump: ACCEPT
|
|
action: insert
|
|
rule_num: 3
|
|
|
|
- name: Enable masquerading for {{ lte_int.stdout }}
|
|
iptables:
|
|
chain: POSTROUTING
|
|
jump: MASQUERADE
|
|
table: nat
|
|
out_interface: "{{ lte_int.stdout }}"
|
|
|
|
- name: Save iptables rules
|
|
command: iptables-save -f /etc/iptables/iptables.rules |