# Default variables for the `iptables` Linux kernel packet filter.
---
# Convenience variable to define inbound open ports.
#iptables_open_ports:
#  - protocol: udp
#    destination_port: 5353

# Convenience variable to define inbound closed ports.
#iptables_closed_ports:
#  - protocol: tcp
#    destination_port: telnet
#  - protocol: tcp
#    destination_port: 25
# IPv4 packet filtering.
ipv4_tables:
  # Layout of the kernel's IPv4 `filter` table, one key per built-in chain.
  filter:
    # The `INPUT` chain (packets addressed to this host).
    INPUT:
      policy: DROP  # Packets that match none of the rules below are dropped.
      #counters:
      #  packets: 0
      #  bytes: 0
      # Rules are evaluated top to bottom and the first match wins, so the
      # order of this list is significant.
      rules:
        # Loopback traffic is always accepted.
        - in_interface: lo
          #out_interface:
          #protocol: tcp
          #source_addresses:
          #  - ip:
          #    mask:
          #    not: true  # Invert the test.
          # Source port or port range in first:last notation.
          #source_port:
          #destination_addresses:
          #  - ip:
          #    mask:
          #    not: true  # Invert the test.
          #destination_port:
          target: ACCEPT
        # Replies and follow-on packets of connections this host already
        # tracks are accepted via conntrack.
        - module: conntrack
          module_options:
            - "--ctstate RELATED,ESTABLISHED"
          target: ACCEPT
        # Inbound SSH on the remote management port (22 unless `ssh_port`
        # is defined elsewhere).
        - protocol: tcp
          destination_port: "{{ ssh_port | default(22) }}"
          target: ACCEPT
    # The `FORWARD` chain (packets routed through this host).
    FORWARD:
      policy: ACCEPT
    # The `OUTPUT` chain (packets originating from this host).
    OUTPUT:
      policy: ACCEPT
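# IPv6 packet filtering. Mirrors the IPv4 `filter` table so that both
# address families enforce the same policy.
ipv6_tables:
  # Structure of the Linux kernel's `filter` IPv6 table.
  filter:
    # The `INPUT` chain's structure.
    INPUT:
      policy: DROP  # Drop packets not matching a defined rule.
      # Rules are evaluated in list order; the first matching rule is applied.
      rules:
        # Accept any traffic coming in to the loopback interface.
        - in_interface: lo
          target: ACCEPT
        # Accept any connected, pre-established traffic.
        - module: conntrack
          module_options:
            - "--ctstate RELATED,ESTABLISHED"
          target: ACCEPT
        # Accept SSH on the same port the IPv4 rule uses. A hard-coded 22
        # here would keep 22 open over IPv6 and leave the real management
        # port closed whenever `ssh_port` is overridden.
        - protocol: tcp
          destination_port: "{{ ssh_port | default(22) }}"
          target: ACCEPT
        # NOTE(review): with a DROP policy, none of these rules accepts
        # ICMPv6, which IPv6 Neighbor Discovery relies on — confirm the role
        # adds such a rule elsewhere or that it is not needed on the hosts.
    # The `FORWARD` chain's structure.
    FORWARD:
      policy: ACCEPT
    # The `OUTPUT` chain's structure.
    OUTPUT:
      policy: ACCEPT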