From 5f1ddcc5192eece887c8be8ba392e4e57f2984d8 Mon Sep 17 00:00:00 2001 From: Alex Kotov Date: Thu, 8 Jul 2021 18:40:05 +0500 Subject: [PATCH] Allow outgoing traffic only through specific interfaces --- defaults/main.yml | 1 + templates/iptables/rules.v4 | 7 +++++++ templates/iptables/rules.v6 | 7 +++++++ 3 files changed, 15 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index d2dcbfd..e185ec3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,6 +5,7 @@ common__iptables__state: install common__iptables__drop_by_default: false common__iptables__v4_filter: null common__iptables__v6_filter: null +common__iptables__allow_output_ifaces: [] common__certbot__state: install common__certbot__run: true diff --git a/templates/iptables/rules.v4 b/templates/iptables/rules.v4 index e3c8f1b..001d20e 100644 --- a/templates/iptables/rules.v4 +++ b/templates/iptables/rules.v4 @@ -18,8 +18,15 @@ -A OUTPUT -o lo -j ACCEPT # Allow all outgoing traffic. +{% if common__iptables__allow_output_ifaces %} +{% for iface in common__iptables__allow_output_ifaces %} +-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT +{% endfor %} +{% else %} -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +{% endif %} # Allow some important ICMP. -A INPUT -p icmp --icmp-type echo-request -j ACCEPT diff --git a/templates/iptables/rules.v6 b/templates/iptables/rules.v6 index c6f552d..702d4af 100644 --- a/templates/iptables/rules.v6 +++ b/templates/iptables/rules.v6 
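Review bot: `common__iptables__allow_output_ifaces: []` is a new knob with a lockout consequence and no comment: an operator who lists the wrong interface loses every outbound connection from the host, and the templates iterate the value with `{% for %}`, so a plain string such as `"eth0"` is iterated character by character and renders `-o e`, `-o t`, … rules. I would add above it: `# Interfaces through which new outgoing connections may be opened (list of` / `# names, e.g. ["eth0"]); empty list or null leaves outgoing traffic unrestricted.` Because the templates test the value with `{% if %}`, `null` and `[]` behave the same, which the comment should say; a type assert in the tasks (outside this patch) would catch the string case before a rules file is written.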
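Review bot: The per-interface branch also restricts reply traffic, not only new outbound connections: in that branch `-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT` is the only OUTPUT accept for established flows visible in the hunk, so responses to an inbound connection accepted on an unlisted interface (e.g. SSH arriving on a second NIC) leave through an interface no rule accepts and are dropped if the OUTPUT policy is DROP — the policy lines are outside the hunk, but `common__iptables__drop_by_default` suggests that mode exists. The same applies to `-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT`, which now covers listed interfaces only, and replies can arrive on a different interface under asymmetric routing. I would keep the two ESTABLISHED accepts unconditional and make only the NEW rule interface-specific; the `# Allow all outgoing traffic.` comment also needs updating, since it no longer holds in the list branch. Interface names are interpolated unescaped, so a value containing whitespace becomes extra rule arguments; presumably inventory is trusted, but a check on the variable in the tasks would catch typos that otherwise silently cut all outbound traffic.
```jinja
# Reply traffic of every accepted connection, whichever interface it uses.
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# New outgoing connections: all interfaces, or only the listed ones.
{% if common__iptables__allow_output_ifaces %}
{% for iface in common__iptables__allow_output_ifaces %}
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW -j ACCEPT
{% endfor %}
{% else %}
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
{% endif %}
{# … unchanged: ICMP rules … #}
```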
@@ -18,8 +18,15 @@ -A OUTPUT -o lo -j ACCEPT # Allow all outgoing traffic. +{% if common__iptables__allow_output_ifaces %} +{% for iface in common__iptables__allow_output_ifaces %} +-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT +{% endfor %} +{% else %} -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +{% endif %} # Allow some important ICMP. -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
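Review bot: In the listed-interface branch the unconditional ESTABLISHED accepts disappear, so replies to an inbound connection on an unlisted interface match no OUTPUT rule visible in this hunk and are dropped under a DROP policy (the policy lines are outside the hunk); the INPUT side is narrowed the same way by `-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT`. I would keep `-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT` before the `{% if %}`, reduce the loop body to `-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW -j ACCEPT`, and use `--ctstate NEW` alone in the else branch, which leaves the default case equivalent to today. The same variable drives rules.v4 and this template, so an interface that carries only IPv4 still gates the IPv6 rules here; that is worth stating in the variable's documentation. The `# Allow all outgoing traffic.` comment above the block is no longer accurate in the list branch and should be reworded.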