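---
# Configure the IPv4 iptables ruleset on the finlog_dev hosts.
#
# Flow: render rules.v4 from a Jinja2 template, refuse to install it unless
# iptables-restore can parse it, load it into the kernel only when the file
# actually changed, persist it, and print the resulting filter table.
#
# Assumptions (not verifiable from this file alone):
#   - iptables and netfilter-persistent are installed on the targets.
#   - iptables/rules.v4.j2 consumes firewall_tcp_ports / firewall_udp_ports.
- name: Configure IPv4 firewall via iptables
  hosts: finlog_dev
  become: true
  gather_facts: false
  vars:
    firewall_tcp_ports: [22, 80, 443]  # extend as needed
    firewall_udp_ports: []  # e.g. [53]
  tasks:
    - name: Render IPv4 firewall rules from template
      ansible.builtin.template:
        src: iptables/rules.v4.j2
        dest: /etc/iptables/rules.v4
        owner: root
        group: root
        mode: '0644'
        # Parse the rendered file before it replaces the live one: a ruleset
        # that iptables-restore rejects is never written, so a template error
        # cannot leave the host unfiltered (or locked out) at the next load.
        validate: 'iptables-restore --test %s'
      # No check-mode gate here: the template module is check-mode aware, so
      # --check --diff shows the pending rule changes without writing anything.
      register: firewall_rules

    - name: Load the new ruleset into the kernel
      # Gated on the file change so an idempotent run does not flush and
      # reload the tables, and the play reports "changed" only when the
      # firewall really changed. Command tasks are skipped in check mode.
      ansible.builtin.command: iptables-restore /etc/iptables/rules.v4
      when: firewall_rules is changed

    - name: Save rules for persistence
      ansible.builtin.command: netfilter-persistent save
      when: firewall_rules is changed

    - name: Read back filter table (iptables -S)
      ansible.builtin.command: iptables -S
      changed_when: false
      check_mode: false  # read-only, so safe (and useful) in check mode too
      register: firewall_state

    - name: Show filter table
      # The command module does not print stdout by itself; surface it.
      ansible.builtin.debug:
        var: firewall_state.stdout_lines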