-
Notifications
You must be signed in to change notification settings - Fork 3
/
playbook-iptables.yml
45 lines (37 loc) · 1.5 KB
/
playbook-iptables.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
---
- hosts: all
become: true
become_user: root
become_method: sudo
tasks:
- name: disable firewalld for running iptables
service: name=firewalld enabled=false state=stopped
when: ansible_distribution == 'CentOS'
- name: check if iptables-services are installed
yum: name=iptables-services state=present
when: ansible_distribution == 'CentOS'
- name: disable ufw for running iptables
service: name=ufw enabled=false state=stopped
when: ansible_distribution == 'Ubuntu'
- name: check if iptables-services are installed
apt: name=iptables-persistent state=present
when: ansible_distribution == 'Ubuntu'
- name: accept already established flows
iptables: chain=INPUT ctstate=ESTABLISHED,RELATED comment="active flows" jump=ACCEPT
- name: accept new http flows for web-server
iptables: chain=INPUT protocol=tcp match=tcp destination_port=80 comment="http access" jump=ACCEPT
- name: accept new ssh flows for remotely-managed server
iptables: chain=INPUT protocol=tcp match=tcp destination_port=22 comment="ssh access" jump=ACCEPT
- name: block all other flows for protection - global policy to chain
iptables: chain=INPUT jump=DROP
- name: create nat rule for squid
iptables:
table: nat
chain: PREROUTING
in_interface: eth0
protocol: tcp
match: tcp
destination_port: 80
jump: REDIRECT
to_ports: 3128
comment: rule for redirect to squid