Replace IPv4 firewall template usage with inline rule definition

firewall-iptables.yml

@@ -9,10 +9,35 @@
     firewall_udp_ports: [ ]            # e.g. [53]
 
   tasks:
-    - name: Render IPv4 firewall rules from template
-      ansible.builtin.template:
-        src: iptables/rules.v4.j2
+    - name: Generate IPv4 firewall rules
+      ansible.builtin.copy:
         dest: /etc/iptables/rules.v4
+        content: |
+          *filter
+          :INPUT DROP [0:0]
+          :FORWARD DROP [0:0]
+          :OUTPUT ACCEPT [0:0]
+          
+          # Always allow loopback
+          -A INPUT -i lo -j ACCEPT
+          
+          # Accept already established/related
+          -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+          
+          # Drop invalid early
+          -A INPUT -m conntrack --ctstate INVALID -j DROP
+          
+          # Allow TCP ports
+          {% for p in firewall_tcp_ports | default([]) -%}
+          -A INPUT -p tcp --dport {{ p }} -j ACCEPT
+          {% endfor -%}
+          
+          # Allow UDP ports
+          {% for p in firewall_udp_ports | default([]) -%}
+          -A INPUT -p udp --dport {{ p }} -j ACCEPT
+          {% endfor -%}
+          
+          COMMIT
         owner: root
         group: root
         mode: '0644'