Allow outgoing traffic only through specific interfaces

defaults/main.yml

@@ -5,6 +5,7 @@ common__iptables__state: install
 common__iptables__drop_by_default: false
 common__iptables__v4_filter: null
 common__iptables__v6_filter: null
+common__iptables__allow_output_ifaces: []
 
 common__certbot__state: install
 common__certbot__run: true

templates/iptables/rules.v4

@@ -18,8 +18,15 @@
 -A OUTPUT  -o lo                -j ACCEPT
 
 # Allow all outgoing traffic.
+{% if common__iptables__allow_output_ifaces %}
+{% for iface in common__iptables__allow_output_ifaces %}
+-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT  -i {{ iface }} -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+{% endfor %}
+{% else %}
 -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A INPUT  -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+{% endif %}
 
 # Allow some important ICMP.
 -A INPUT  -p icmp --icmp-type echo-request         -j ACCEPT

templates/iptables/rules.v6

@@ -18,8 +18,15 @@
 -A OUTPUT  -o lo           -j ACCEPT
 
 # Allow all outgoing traffic.
+{% if common__iptables__allow_output_ifaces %}
+{% for iface in common__iptables__allow_output_ifaces %}
+-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT  -i {{ iface }} -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+{% endfor %}
+{% else %}
 -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A INPUT  -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+{% endif %}
 
 # Allow some important ICMP.
 -A INPUT  -p icmpv6 --icmpv6-type echo-request   -j ACCEPT