Allow to prepend iptables rules

2021-07-08 21:47:40 +05:00 · 2021-07-08 21:47:40 +05:00 · be19a68185
parent 5f1ddcc519
commit be19a68185
3 changed files with 10 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -3,9 +3,11 @@ common__basics__additional_packages: []

 common__iptables__state: install
 common__iptables__drop_by_default: false
-common__iptables__v4_filter: null
-common__iptables__v6_filter: null
 common__iptables__allow_output_ifaces: []
+common__iptables__v4_filter_prepend: null
+common__iptables__v4_filter_append: null
+common__iptables__v6_filter_prepend: null
+common__iptables__v6_filter_append: null

 common__certbot__state: install
 common__certbot__run: true
--- a/templates/iptables/rules.v4
+++ b/templates/iptables/rules.v4
@ -11,6 +11,8 @@
 -F
 -X

+{{ common__iptables__v4_filter_prepend }}
+
 # Allow all loopback (lo) traffic and reject anything
 # to localhost that does not originate from lo.
 -A INPUT   -i lo                -j ACCEPT
@ -46,6 +48,6 @@
 -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED     -j ACCEPT

-{{ common__iptables__v4_filter }}
+{{ common__iptables__v4_filter_append }}

 COMMIT
--- a/templates/iptables/rules.v6
+++ b/templates/iptables/rules.v6
@ -11,6 +11,8 @@
 -F
 -X

+{{ common__iptables__v6_filter_prepend }}
+
 # Allow all loopback (lo) traffic and reject anything
 # to localhost that does not originate from lo.
 -A INPUT   -i lo           -j ACCEPT
@ -57,6 +59,6 @@
 -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED     -j ACCEPT

-{{ common__iptables__v6_filter }}
+{{ common__iptables__v6_filter_append }}

 COMMIT