From be19a6818514bd9e9f2a0973a185612966193d6c Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Thu, 8 Jul 2021 21:47:40 +0500
Subject: [PATCH] Allow to prepend iptables rules

---
 defaults/main.yml           | 6 ++++--
 templates/iptables/rules.v4 | 4 +++-
 templates/iptables/rules.v6 | 4 +++-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index e185ec3..109a769 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,9 +3,11 @@ common__basics__additional_packages: []
 
 common__iptables__state: install
 common__iptables__drop_by_default: false
-common__iptables__v4_filter: null
-common__iptables__v6_filter: null
 common__iptables__allow_output_ifaces: []
+common__iptables__v4_filter_prepend: null
+common__iptables__v4_filter_append: null
+common__iptables__v6_filter_prepend: null
+common__iptables__v6_filter_append: null
 
 common__certbot__state: install
 common__certbot__run: true
diff --git a/templates/iptables/rules.v4 b/templates/iptables/rules.v4
index 001d20e..7028c2d 100644
--- a/templates/iptables/rules.v4
+++ b/templates/iptables/rules.v4
@@ -11,6 +11,8 @@
 -F
 -X
 
+{{ common__iptables__v4_filter_prepend }}
+
 # Allow all loopback (lo) traffic and reject anything
 # to localhost that does not originate from lo.
 -A INPUT -i lo -j ACCEPT
@@ -46,6 +48,6 @@
 -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 
-{{ common__iptables__v4_filter }}
+{{ common__iptables__v4_filter_append }}
 
 COMMIT
diff --git a/templates/iptables/rules.v6 b/templates/iptables/rules.v6
index 702d4af..e3081e9 100644
--- a/templates/iptables/rules.v6
+++ b/templates/iptables/rules.v6
@@ -11,6 +11,8 @@
 -F
 -X
 
+{{ common__iptables__v6_filter_prepend }}
+
 # Allow all loopback (lo) traffic and reject anything
 # to localhost that does not originate from lo.
 -A INPUT -i lo -j ACCEPT
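Review bot: Removing `common__iptables__v4_filter` and `common__iptables__v6_filter` in favour of the `_append` names silently discards any custom rules a playbook still passes under the old names, because after this patch nothing in the templates reads them; on the next run that either cuts off a service those rules allowed or, if they were restrictive, quietly weakens the firewall without any task failing. Either keep the old names as deprecated aliases that feed the `_append` slots, or add an `assert`/`fail` task that stops the play when one of the removed variables is still defined. The four new defaults also need a comment explaining how the slots differ, e.g. `# Raw iptables rules rendered before (prepend) or after (append) the role's baseline rules; prepended rules are evaluated first` above `common__iptables__v4_filter_prepend`.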
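Review bot: The prepend placeholder in rules.v4 is rendered ahead of the loopback accept and the anti-localhost-spoofing rule that follow it, and iptables evaluates rules first-match, so anything supplied through `common__iptables__v4_filter_prepend` takes precedence over the role's baseline protections rather than merely adding to them; the rules.v6 hunk at line 11 has the same property. That is presumably the intent of a prepend slot, but it should be stated in the template so an operator does not assume the baseline still applies, e.g. `# Operator-supplied rules rendered before the baseline below; iptables is first-match, so these override the loopback and anti-spoof rules` above the placeholder. If the role's tasks do not already validate the rendered file before loading it, a check such as `iptables-restore --test` on the generated file would catch a malformed prepend block before the live rules are flushed; the tasks are not visible in this patch.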
@@ -57,6 +59,6 @@
 -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 
-{{ common__iptables__v6_filter }}
+{{ common__iptables__v6_filter_append }}
 
 COMMIT