43 lines
1.2 KiB
YAML
43 lines
1.2 KiB
YAML
---
|
|
|
|
# Should iptables be managed
|
|
iptables_manage: yes
|
|
|
|
# Default rules
|
|
iptables_default_head: |
|
|
-P INPUT DROP
|
|
-P FORWARD DROP
|
|
-P OUTPUT ACCEPT
|
|
-N LOGDENY
|
|
-A LOGDENY -m limit --limit 10/s -j LOG --log-prefix 'Firewall: '
|
|
-A LOGDENY -j REJECT
|
|
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -m state --state INVALID -j DROP
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -m state --state NEW -p tcp --dport 22 -s {{ trusted_ip | default(['0.0.0.0/0']) | join(',') }} -j ACCEPT
|
|
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
|
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -m state --state INVALID -j DROP
|
|
|
|
iptables_default_tail: |
|
|
-A INPUT -j LOGDENY
|
|
-A FORWARD -j LOGDENY
|
|
|
|
iptables_custom_rules: []
|
|
# Example:
|
|
# iptables_custom_rules:
|
|
# - name: open_port_12345 # 'iptables_custom_rules_' will be prepended to this
|
|
# rules: "-A INPUT -p tcp --dport 12345 -j ACCEPT"
|
|
# state: present
|
|
# weight: 40
|
|
# ipversion: 4
|
|
# table: filter
|
|
#
|
|
# NOTE: 'name', 'rules' and 'state' are required, others are optional.
|
|
|
|
# By default this role deletes all iptables rules which are not managed by Ansible.
|
|
# Set this to 'yes', if you want the role to keep unmanaged rules.
|
|
iptables_keep_unmanaged: no
|
|
|
|
...
|