Commit 3ae2b5fa authored by Simon Cornet

chore: remove old unused bits

parent 052c6d1a
+0 −50
@@ -43,57 +43,11 @@
  when: "ipv4_enabled"


# deploy ipv6 iptable rules
- name: "firewall - deploy ipv6 rules"
  ansible.builtin.copy:
    dest: "/etc/ip6tables/rules-save"
    mode: "0600"
    owner: "root"
    group: "root"
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      # Allow established/related
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Allow loopback
      -A INPUT -i lo -j ACCEPT
      # Allow LAN management access
      -A INPUT -i {{ lan_interface }} -j ACCEPT
      # Allow ICMPv6 (required for NDP/RA)
      -A INPUT -p ipv6-icmp -j ACCEPT
      -A FORWARD -p ipv6-icmp -j ACCEPT
      # Allow forwarding from LAN to anywhere
      -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
      COMMIT
  notify: "restart ip6tables"
  when: "ipv6_enabled"

# remove iptables rules when disabled
- name: "firewall - remove ipv4 rules"
  ansible.builtin.file:
    path: "/etc/iptables/rules-save"
    state: "absent"
  notify: "restart iptables"
  when: "not ipv4_enabled"

# remove ip6tables rules when disabled
- name: "firewall - remove ipv6 rules"
  ansible.builtin.file:
    path: "/etc/ip6tables/rules-save"
    state: "absent"
  notify: "restart ip6tables"
  when: "not ipv6_enabled"


# load nf_conntrack module
- name: "firewall - load nf_conntrack module"
  community.general.modprobe:
    name: "nf_conntrack"
    state: "present"
  when: "ipv4_enabled or ipv6_enabled"

# configure nf_conntrack hashsize
- name: "firewall - configure nf_conntrack hashsize"
@@ -104,7 +58,6 @@
    mode: "0644"
    owner: "root"
    group: "root"
  when: "ipv4_enabled or ipv6_enabled"

# load nf_conntrack at boot
- name: "firewall - load nf_conntrack at boot"
@@ -115,14 +68,12 @@
    mode: "0644"
    owner: "root"
    group: "root"
  when: "ipv4_enabled or ipv6_enabled"

# set nf_conntrack hashsize at runtime
- name: "firewall - set nf_conntrack hashsize runtime"
  ansible.builtin.shell:
    cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize"
  changed_when: false
  when: "ipv4_enabled or ipv6_enabled"

# configure nf_conntrack sysctl settings
- name: "firewall - configure conntrack sysctl settings"
@@ -139,4 +90,3 @@
      value: "3600"
    - name: "net.netfilter.nf_conntrack_generic_timeout"
      value: "120"
  when: "ipv4_enabled or ipv6_enabled"