mirror of
https://github.com/matter-labs/ansible-en-role.git
synced 2025-12-06 02:49:55 +00:00
85 lines
2.0 KiB
YAML
85 lines
2.0 KiB
YAML
---
|
|
- name: Install iptables packages
|
|
ansible.builtin.apt:
|
|
update_cache: true
|
|
name: "{{ iptables_packages }}"
|
|
|
|
- name: Allow loopback traffic
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
in_interface: lo
|
|
jump: ACCEPT
|
|
|
|
- name: Allow related and established connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
match: state
|
|
ctstate: RELATED,ESTABLISHED
|
|
jump: ACCEPT
|
|
|
|
- name: Allow SSH traffic
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 22
|
|
jump: ACCEPT
|
|
|
|
- name: Allow HTTP traffic from specific IP to http port
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 80
|
|
source: "{{ loadbalancer_ip | mandatory }}"
|
|
jump: ACCEPT
|
|
|
|
- name: Allow HTTP traffic from specific IP to https port
|
|
when: enable_tls
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 443
|
|
source: "{{ loadbalancer_ip | mandatory }}"
|
|
jump: ACCEPT
|
|
|
|
- name: Allow healthcheck port traffic from specific IP
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 3080
|
|
source: "{{ loadbalancer_ip | mandatory }}"
|
|
jump: ACCEPT
|
|
|
|
- name: Allow consensus port traffic from any IP
|
|
when: enable_consensus
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: "{{ consensus_port }}"
|
|
jump: ACCEPT
|
|
|
|
- name: Allow postgres replication traffic from replica only
|
|
when: enable_postgres_replication
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 5432
|
|
source: "{{ postgres_replica_address }}"
|
|
jump: ACCEPT
|
|
|
|
- name: Set default policy to DROP
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
policy: DROP
|
|
|
|
- name: Save ipv4 current state of the firewall in system file
|
|
community.general.iptables_state:
|
|
ip_version: ipv4
|
|
state: saved
|
|
path: /etc/iptables/rules.v4
|
|
|
|
- name: Save ipv6 current state of the firewall in system file
|
|
community.general.iptables_state:
|
|
ip_version: ipv6
|
|
state: saved
|
|
path: /etc/iptables/rules.v6
|