Gitlab-Migration/finlog-ansible
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Replace IPv4 firewall template usage with inline rule definition

Browse Source
This commit is contained in:
Thatsaphorn
2025-09-19 21:26:06 +02:00
parent 356ca08b26
commit 20e275011b
1 changed files with 28 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
firewall-iptables.yml
View File

@@ -9,10 +9,35 @@
firewall_udp_ports: [ ] # e.g. [53] firewall_udp_ports: [ ] # e.g. [53]
tasks: tasks:
- name: Render IPv4 firewall rules from template - name: Generate IPv4 firewall rules
ansible.builtin.template: ansible.builtin.copy:
src: iptables/rules.v4.j2
dest: /etc/iptables/rules.v4 dest: /etc/iptables/rules.v4
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Always allow loopback
-A INPUT -i lo -j ACCEPT
# Accept already established/related
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop invalid early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow TCP ports
{% for p in firewall_tcp_ports | default([]) -%}
-A INPUT -p tcp --dport {{ p }} -j ACCEPT
{% endfor -%}
# Allow UDP ports
{% for p in firewall_udp_ports | default([]) -%}
-A INPUT -p udp --dport {{ p }} -j ACCEPT
{% endfor -%}
COMMIT
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'