---

# Should iptables be managed
iptables_manage: yes

# Default rules
iptables_default_head: |
  -P INPUT DROP
  -P FORWARD DROP
  -P OUTPUT ACCEPT
  -N LOGDENY
  -A LOGDENY -m limit --limit 10/s -j LOG --log-prefix 'Firewall: '
  -A LOGDENY -j REJECT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m state --state INVALID -j DROP
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m state --state NEW -p tcp --dport 22 -s {{ trusted_ip | default(['0.0.0.0/0']) | join(',') }} -j ACCEPT
  -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -m state --state INVALID -j DROP

iptables_default_tail: |
  -A INPUT -j LOGDENY
  -A FORWARD -j LOGDENY

iptables_custom_rules: []
# Example:
# iptables_custom_rules:
#   - name: open_port_12345 # 'iptables_custom_rules_' will be prepended to this
#     rules: "-A INPUT -p tcp --dport 12345 -j ACCEPT"
#     state: present
#     weight: 40
#     ipversion: 4
#     table: filter
#
# NOTE: 'name', 'rules' and 'state' are required, others are optional.

# By default this role deletes all iptables rules which are not managed by Ansible.
# Set this to 'yes', if you want the role to keep unmanaged rules.
iptables_keep_unmanaged: no

...