diff --git a/tasks/firewall.yaml b/tasks/firewall.yaml
index ffe7bcb..e9f561f 100644
--- a/tasks/firewall.yaml
+++ b/tasks/firewall.yaml
@@ -43,57 +43,11 @@
 when: "ipv4_enabled"
-# deploy ipv6 iptable rules
-- name: "firewall - deploy ipv6 rules"
- ansible.builtin.copy:
- dest: "/etc/ip6tables/rules-save"
- mode: "0600"
- owner: "root"
- group: "root"
- content: |
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- # Allow established/related
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Allow loopback
- -A INPUT -i lo -j ACCEPT
- # Allow LAN management access
- -A INPUT -i {{ lan_interface }} -j ACCEPT
- # Allow ICMPv6 (required for NDP/RA)
- -A INPUT -p ipv6-icmp -j ACCEPT
- -A FORWARD -p ipv6-icmp -j ACCEPT
- # Allow forwarding from LAN to anywhere
- -A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
- COMMIT
- notify: "restart ip6tables"
- when: "ipv6_enabled"
-
-# remove iptables rules when disabled
-- name: "firewall - remove ipv4 rules"
- ansible.builtin.file:
- path: "/etc/iptables/rules-save"
- state: "absent"
- notify: "restart iptables"
- when: "not ipv4_enabled"
-
-# remove ip6tables rules when disabled
-- name: "firewall - remove ipv6 rules"
- ansible.builtin.file:
- path: "/etc/ip6tables/rules-save"
- state: "absent"
- notify: "restart ip6tables"
- when: "not ipv6_enabled"
-
-
 # load nf_conntrack module
 - name: "firewall - load nf_conntrack module"
 community.general.modprobe:
 name: "nf_conntrack"
 state: "present"
- when: "ipv4_enabled or ipv6_enabled"
 # configure nf_conntrack hashsize
 - name: "firewall - configure nf_conntrack hashsize"
@@ -104,7 +58,6 @@
 mode: "0644"
 owner: "root"
 group: "root"
- when: "ipv4_enabled or ipv6_enabled"
 # load nf_conntrack at boot
 - name: "firewall - load nf_conntrack at boot"
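Review bot: With the `firewall - remove ipv6 rules` and `firewall - remove ipv4 rules` tasks deleted in the `-43,57` hunk, nothing in this file retires a `/etc/ip6tables/rules-save` deployed by an earlier run, nor `/etc/iptables/rules-save` if `ipv4_enabled` is later set to false, so the role no longer converges hosts whose flags change and hosts that never received the IPv6 ruleset keep the kernel's default ACCEPT policy on the ip6tables chains. If the intent is to stop managing IPv6 filtering, keep a task with `state: "absent"` on `/etc/ip6tables/rules-save` and `notify: "restart ip6tables"` so the stale ruleset is removed deliberately, and record the decision in a comment such as `# IPv6 rulesets are no longer managed here; remove any file left by earlier runs`. The IPv4 deploy task whose `when: "ipv4_enabled"` opens this hunk starts outside the hunk, so whether the `restart ip6tables` handler is still referenced elsewhere cannot be seen from here.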
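Review bot: The `when: "ipv4_enabled or ipv6_enabled"` guard is removed from the `nf_conntrack` hashsize task in the `-104,7` hunk, and the same guard is dropped from the modprobe task in the `-43,57` hunk, the boot-load and runtime-set tasks in the `-115,14` hunk and the sysctl task in the `-139,4` hunk, so the conntrack module is now loaded and tuned on every host, including those with both address families disabled. Loading connection tracking on a host that opted out of the firewall presumably adds kernel state and tuning it did not ask for; the commit message is not visible here, so the intent is unclear. If unconditional loading is wanted, a comment above the modprobe task such as `# nf_conntrack is loaded on every host; the per-family flags only control the rulesets` would document it; otherwise restore `when: "ipv4_enabled or ipv6_enabled"` on these tasks.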
@@ -115,14 +68,12 @@
 mode: "0644"
 owner: "root"
 group: "root"
- when: "ipv4_enabled or ipv6_enabled"
 # set nf_conntrack hashsize at runtime
 - name: "firewall - set nf_conntrack hashsize runtime"
 ansible.builtin.shell:
 cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize"
 changed_when: false
- when: "ipv4_enabled or ipv6_enabled"
 # configure nf_conntrack sysctl settings
 - name: "firewall - configure conntrack sysctl settings"
@@ -139,4 +90,3 @@
 value: "3600"
 - name: "net.netfilter.nf_conntrack_generic_timeout"
 value: "120"
- when: "ipv4_enabled or ipv6_enabled"