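---
# Host firewall bootstrap for the local machine.
#
# Order matters: ansible.builtin.iptables appends rules, so the SSH ACCEPT rules
# are installed before the chain policies are switched to DROP. The firewall
# tasks run inside a block whose `always` section re-applies the doas template,
# so the temporary `nopass` edit cannot outlive the play (previously the reset
# task was simply the last task in the list). The play-level
# `ignore_errors: true` is dropped for the same reason: a failed ACCEPT task
# followed by the DROP policy tasks would silently lock the host down, and the
# `always` section now handles cleanup on failure explicitly.
- hosts: localhost
  become: true
  tasks:
    - name: Configure doas and host firewall
      block:
        - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
          ansible.builtin.template:
            src: root_resources/etc/doas.conf
            dest: /etc/doas.conf

        # While the rest of this block runs, wheel users can elevate without a
        # password; the template is re-applied in `always` below to undo it.
        - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
          ansible.builtin.replace:
            path: /etc/doas.conf
            regexp: 'persist'
            replace: 'nopass'

        # Telnet/SSH Configuration
        - name: Accept inbound SSH only on internal and VM network
          ansible.builtin.iptables:
            chain: INPUT
            protocol: tcp
            source: "{{ item }}/24"
            destination_port: 22
            jump: ACCEPT
          loop:
            - 192.168.1.0
            - 192.168.122.0

        # Port 23 (telnet) is a cleartext protocol; it is kept here because the
        # original rule set allowed it.
        - name: Allow all outbound telnet, SSH on default port and SSH proxy server port
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: tcp
            destination_port: "{{ item }}"
            jump: ACCEPT
          loop:
            - 23
            - 22
            - "{{ proxy_server_ssh_port }}"

        # Policy Configuration
        - name: Drop incoming/outgoing/forward traffic by default
          ansible.builtin.iptables:
            chain: "{{ item }}"
            policy: DROP
          loop:
            - INPUT
            - OUTPUT
            - FORWARD

        - name: Allow inbound/outbound already established/related connections to bypass firewall rules
          ansible.builtin.iptables:
            chain: "{{ item }}"
            ctstate:
              - ESTABLISHED
              - RELATED
            jump: ACCEPT
          loop:
            - INPUT
            - OUTPUT

        # Loopback Configuration
        - name: Allow inbound loopback traffic
          ansible.builtin.iptables:
            chain: INPUT
            in_interface: lo
            jump: ACCEPT

        - name: Allow outbound loopback traffic
          ansible.builtin.iptables:
            chain: OUTPUT
            out_interface: lo
            jump: ACCEPT

        # DNS Configuration
        # NOTE(review): these INPUT rules match packets whose *destination* port is
        # 53/43 on this host, i.e. new connections to a local resolver/WHOIS
        # service. Replies to this host's own lookups are already accepted by the
        # ESTABLISHED,RELATED rule above — confirm the inbound rules are intended.
        - name: Accept inbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
          ansible.builtin.iptables:
            chain: INPUT
            protocol: "{{ item.protocol }}"
            source: "{{ item.source }}"
            destination_port: "{{ item.port }}"
            jump: ACCEPT
          loop:
            - source: 192.168.1.254
              protocol: tcp
              port: 53
            - source: 192.168.1.254
              protocol: udp
              port: 53
            - source: 8.8.8.8
              protocol: tcp
              port: 53
            - source: 8.8.8.8
              protocol: udp
              port: 53
            - source: 192.168.1.254
              protocol: tcp
              port: 43
            - source: 8.8.8.8
              protocol: tcp
              port: 43

        - name: Accept outbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: "{{ item.protocol }}"
            destination: "{{ item.destination }}"
            destination_port: "{{ item.port }}"
            jump: ACCEPT
          loop:
            - destination: 192.168.1.254
              protocol: tcp
              port: 53
            - destination: 192.168.1.254
              protocol: udp
              port: 53
            - destination: 8.8.8.8
              protocol: tcp
              port: 53
            - destination: 8.8.8.8
              protocol: udp
              port: 53
            - destination: 192.168.1.254
              protocol: tcp
              port: 43
            - destination: 8.8.8.8
              protocol: tcp
              port: 43

        # ICMP Configuration
        - name: Allow all outbound pinging
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: icmp
            jump: ACCEPT

        # VPN to Proxy Server Configuration
        - name: Accept inbound Wireguard connections only from proxy server
          ansible.builtin.iptables:
            chain: INPUT
            protocol: udp
            source: "{{ proxy_server_ip }}"
            destination_port: "{{ proxy_server_vpn_port }}"
            jump: ACCEPT

        - name: Allow all outbound Wireguard connections
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: udp
            destination_port: "{{ proxy_server_vpn_port }}"
            jump: ACCEPT

        # Docker
        # NOTE(review): both rules pin a single registry address. The INPUT rule
        # accepts new connections to local port 443 from that address (return
        # traffic for outbound pulls is already covered by ESTABLISHED,RELATED),
        # and the OUTPUT rule only permits HTTPS *to* that address despite its
        # "Allow all outbound HTTPS" name — confirm which behaviour is intended
        # and that the address is still current.
        - name: Accept inbound HTTPS only from Github Container Registry
          ansible.builtin.iptables:
            chain: INPUT
            protocol: tcp
            source: 140.82.121.33
            destination_port: 443
            jump: ACCEPT

        - name: Allow all outbound HTTPS
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: tcp
            destination: 140.82.121.33
            destination_port: 443
            jump: ACCEPT

      always:
        # Runs whether the block succeeded or failed, so /etc/doas.conf never
        # stays in its `nopass` state after the play.
        - name: Reset doas configuration back to default
          ansible.builtin.template:
            src: root_resources/etc/doas.conf
            dest: /etc/doas.conf

        - name: Debug Finish message
          ansible.builtin.debug:
            msg: Ansible playbook has finished!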