## What ❔ Move task for disabling SSH password auth to dedicated task ## Why ❔ For more transparency ## Checklist <!-- Check your PR fulfills the following items. --> <!-- For draft PRs check the boxes as you complete them. --> - [x] PR title corresponds to the body of PR (we generate changelog entries from PRs). - [x] Documentation comments have been added / updated.
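---
# Host firewall tasks: build the IPv4 INPUT chain, then persist the result.
#
# Rule order matters. `ansible.builtin.iptables` appends rules by default, so
# every ACCEPT task below has to run before the task that sets the INPUT
# policy to DROP; after that task, anything not matched above is dropped.
#
# `loadbalancer_ip` is declared mandatory: the HTTP, HTTPS and healthcheck
# ports are only opened for that single source address.
#
# NOTE(review): no ip6tables rules are defined in this file. The ipv6 save
# task at the bottom persists whatever the ip6tables INPUT chain currently
# holds (no DROP policy is applied for IPv6 here) — confirm that is intended.

- name: Install iptables packages
  ansible.builtin.apt:
    update_cache: true
    name: "{{ iptables_packages }}"

# Loopback must be accepted first; local services talk over lo.
- name: Allow loopback traffic
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

# Return traffic for connections this host initiated, plus related flows.
- name: Allow related and established connections
  ansible.builtin.iptables:
    chain: INPUT
    match: state
    ctstate:
      - RELATED
      - ESTABLISHED
    jump: ACCEPT

# SSH is accepted from any source; the source is not restricted here.
- name: Allow SSH traffic
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "22"
    jump: ACCEPT

- name: Allow HTTP traffic from specific IP to http port
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "80"
    source: "{{ loadbalancer_ip | mandatory }}"
    jump: ACCEPT

# Only opened when TLS is enabled for this node.
- name: Allow HTTPS traffic from specific IP to https port
  when: enable_tls
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "443"
    source: "{{ loadbalancer_ip | mandatory }}"
    jump: ACCEPT

- name: Allow healthcheck port traffic from specific IP
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "3080"
    source: "{{ loadbalancer_ip | mandatory }}"
    jump: ACCEPT

# Must stay last among the rule tasks: everything not accepted above is
# dropped once this policy is in place.
- name: Set default policy to DROP
  ansible.builtin.iptables:
    chain: INPUT
    policy: DROP

# Persist the live rule set so it survives a reboot. The target files are the
# ones iptables-persistent restores from; the directory has to exist.
- name: Save ipv4 current state of the firewall in system file
  community.general.iptables_state:
    ip_version: ipv4
    state: saved
    path: /etc/iptables/rules.v4

- name: Save ipv6 current state of the firewall in system file
  community.general.iptables_state:
    ip_version: ipv6
    state: saved
    path: /etc/iptables/rules.v6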