From 20e275011b4b6c0811591455dc9884a72f93c3a5 Mon Sep 17 00:00:00 2001
From: Thatsaphorn Atchariyaphap
Date: Fri, 19 Sep 2025 21:26:06 +0200
Subject: [PATCH] Replace IPv4 firewall template usage with inline rule definition

---
 firewall-iptables.yml | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/firewall-iptables.yml b/firewall-iptables.yml
index 20d828e..959aadc 100644
--- a/firewall-iptables.yml
+++ b/firewall-iptables.yml
@@ -9,10 +9,35 @@ firewall_udp_ports: [ ] # e.g. [53]
 
 
 tasks:
-  - name: Render IPv4 firewall rules from template
-    ansible.builtin.template:
-      src: iptables/rules.v4.j2
+  - name: Generate IPv4 firewall rules
+    ansible.builtin.copy:
       dest: /etc/iptables/rules.v4
+      content: |
+        *filter
+        :INPUT DROP [0:0]
+        :FORWARD DROP [0:0]
+        :OUTPUT ACCEPT [0:0]
+
+        # Always allow loopback
+        -A INPUT -i lo -j ACCEPT
+
+        # Accept already established/related
+        -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+        # Drop invalid early
+        -A INPUT -m conntrack --ctstate INVALID -j DROP
+
+        # Allow TCP ports
+        {% for p in firewall_tcp_ports | default([]) -%}
+        -A INPUT -p tcp --dport {{ p }} -j ACCEPT
+        {% endfor -%}
+
+        # Allow UDP ports
+        {% for p in firewall_udp_ports | default([]) -%}
+        -A INPUT -p udp --dport {{ p }} -j ACCEPT
+        {% endfor -%}
+
+        COMMIT
       owner: root
       group: root
       mode: '0644'
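Review bot: The `ansible.builtin.copy` task installs the generated ruleset without checking that it parses, and `{{ p }}` is interpolated into the `--dport` rules unvalidated, so a non-numeric or out-of-range entry in `firewall_tcp_ports` or `firewall_udp_ports` yields a /etc/iptables/rules.v4 that iptables-restore rejects at the next load. Add `validate: /usr/sbin/iptables-restore --test %s` to the copy task so a malformed file is never written into place, and precede the task with an `ansible.builtin.assert` that every listed port is an integer between 1 and 65535. The new ruleset sets `:INPUT DROP` as the default policy while both port lists default to empty, so applying it on a remote host cuts the management session unless the SSH port is explicitly listed; the same assert is the natural place to require that the management port is present, since nothing in this task guards against it. Whether and how the file is later loaded is outside this hunk, so the lockout risk is inferred from the policy lines alone; the tasks list continues past the hunk.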