Merge pull request #17 from ehh-why-its-so-hard/firewall

Firewall

.ansible-lint

@@ -5,3 +5,4 @@ mock_modules:
   - community.postgresql.postgresql_user
   - community.postgresql.postgresql_owner
   - community.docker.docker_image
+  - community.general.iptables_state

roles/firewall/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+firewall_open_tcp: []
+firewall_open_udp: []

roles/firewall/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+# How it works?
+# OUTPUT: allowed everywhere
+# INPUT: blocked all except 22 and specific ports
+
+- name: Uninstall unsupported firewalls
+  ansible.builtin.apt:
+    pkg:
+      - ufw
+      - firewalld
+    state: absent
+
+- name: Install iptables
+  ansible.builtin.apt:
+    pkg:
+      - iptables
+      - iptables-persistent
+    state: present
+
+- name: Template restore file
+  ansible.builtin.template:
+    src: "etc/iptables-restore.apply"
+    dest: "/etc/iptables-restore.apply"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  register: iptables_restore_file
+
+- name: Restore firewall state from a file
+  community.general.iptables_state:
+    state: restored
+    path: /etc/iptables-restore.apply
+    noflush: false
+  async: "{{ ansible_timeout }}"
+  poll: 0
+  when: iptables_restore_file.changed # noqa: no-handler

roles/firewall/templates/etc/iptables-restore.apply

@@ -0,0 +1,21 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:VEGATCP - [0:0]
+:VEGAUDP - [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j VEGATCP
+-A INPUT -p tcp -j VEGAUDP
+
+{% for port in firewall_open_tcp %}
+-A VEGATCP -p tcp -m tcp --dport {{ port|int }} -j ACCEPT
+{% endfor %}
+
+{% for port in firewall_open_udp %}
+-A VEGAUDP -p udp -m udp --dport {{ port|int }} -j ACCEPT
+{% endfor %}
+COMMIT