ansible/router
ansible/router
2
0
Fork 0
Code Issues 1 Pull requests Activity

chore: remove old unused bits

Browse source
This commit is contained in:
Simon Cornet 2026-02-16 14:56:54 +01:00
commit 3ae2b5fa67
1 changed files with 0 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

50
tasks/firewall.yaml
View file

@ -43,57 +43,11 @@
when: "ipv4_enabled" when: "ipv4_enabled"
# deploy ipv6 iptable rules
- name: "firewall - deploy ipv6 rules"
ansible.builtin.copy:
dest: "/etc/ip6tables/rules-save"
mode: "0600"
owner: "root"
group: "root"
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow established/related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow LAN management access
-A INPUT -i {{ lan_interface }} -j ACCEPT
# Allow ICMPv6 (required for NDP/RA)
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# Allow forwarding from LAN to anywhere
-A FORWARD -i {{ lan_interface }} -o {{ wan_interface }} -j ACCEPT
COMMIT
notify: "restart ip6tables"
when: "ipv6_enabled"
# remove iptables rules when disabled
- name: "firewall - remove ipv4 rules"
ansible.builtin.file:
path: "/etc/iptables/rules-save"
state: "absent"
notify: "restart iptables"
when: "not ipv4_enabled"
# remove ip6tables rules when disabled
- name: "firewall - remove ipv6 rules"
ansible.builtin.file:
path: "/etc/ip6tables/rules-save"
state: "absent"
notify: "restart ip6tables"
when: "not ipv6_enabled"
# load nf_conntrack module # load nf_conntrack module
- name: "firewall - load nf_conntrack module" - name: "firewall - load nf_conntrack module"
community.general.modprobe: community.general.modprobe:
name: "nf_conntrack" name: "nf_conntrack"
state: "present" state: "present"
when: "ipv4_enabled or ipv6_enabled"
# configure nf_conntrack hashsize # configure nf_conntrack hashsize
- name: "firewall - configure nf_conntrack hashsize" - name: "firewall - configure nf_conntrack hashsize"
@ -104,7 +58,6 @@
mode: "0644" mode: "0644"
owner: "root" owner: "root"
group: "root" group: "root"
when: "ipv4_enabled or ipv6_enabled"
# load nf_conntrack at boot # load nf_conntrack at boot
- name: "firewall - load nf_conntrack at boot" - name: "firewall - load nf_conntrack at boot"
@ -115,14 +68,12 @@
mode: "0644" mode: "0644"
owner: "root" owner: "root"
group: "root" group: "root"
when: "ipv4_enabled or ipv6_enabled"
# set nf_conntrack hashsize at runtime # set nf_conntrack hashsize at runtime
- name: "firewall - set nf_conntrack hashsize runtime" - name: "firewall - set nf_conntrack hashsize runtime"
ansible.builtin.shell: ansible.builtin.shell:
cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize" cmd: "echo 16384 > /sys/module/nf_conntrack/parameters/hashsize"
changed_when: false changed_when: false
when: "ipv4_enabled or ipv6_enabled"
# configure nf_conntrack sysctl settings # configure nf_conntrack sysctl settings
- name: "firewall - configure conntrack sysctl settings" - name: "firewall - configure conntrack sysctl settings"
@ -139,4 +90,3 @@
value: "3600" value: "3600"
- name: "net.netfilter.nf_conntrack_generic_timeout" - name: "net.netfilter.nf_conntrack_generic_timeout"
value: "120" value: "120"
when: "ipv4_enabled or ipv6_enabled"