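---
# Host firewall for the local machine, built with ansible.builtin.iptables.
#
# Every rule below is an ACCEPT that is appended to its chain, so the relative
# order of the accepts does not change the final rule set. What DOES matter is
# when the default policies flip to DROP: that is done in the LAST task, after
# the loopback and ESTABLISHED,RELATED rules exist. The OUTPUT accepts in this
# play match destination ports only, so replies sent by local listeners (for
# example sshd answering an active session) are covered solely by the
# connection-tracking rule; setting the policy before that rule would drop
# those replies until the play caught up.
#
# NOTE(review): ansible.builtin.iptables changes the running tables only; a
# separate persist/save step is assumed to exist elsewhere — confirm.
- hosts: localhost
  become: true
  tasks:
    # Loopback Configuration
    - name: Allow inbound loopback traffic
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Allow outbound loopback traffic
      ansible.builtin.iptables:
        chain: OUTPUT
        out_interface: lo
        jump: ACCEPT

    # Connection tracking: replies to anything accepted below bypass the rules.
    - name: Allow inbound/outbound already established/related connections to bypass firewall rules
      ansible.builtin.iptables:
        chain: "{{ item }}"
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
      loop:
        - INPUT
        - OUTPUT

    # Telnet/SSH Configuration
    - name: Accept inbound SSH only on internal network
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        source: 192.168.1.0/24
        destination_port: 22
        jump: ACCEPT

    # NOTE(review): port 23 (telnet) is a cleartext protocol; keep it in this
    # list only while something on this host still has to reach a telnet
    # service — confirm.
    - name: Allow all outbound telnet, SSH on default port and SSH proxy server port
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        destination_port: "{{ item }}"
        jump: ACCEPT
      loop:
        - 23
        - 22
        - "{{ proxy_server_ssh_port }}"

    # DNS Configuration
    # NOTE(review): these INPUT rules open local ports 53/43 to the listed
    # sources. Replies to the outbound lookups in the next task are already
    # admitted by the ESTABLISHED,RELATED rule, so these are only needed if
    # this host itself serves DNS/WHOIS to those addresses — confirm.
    - name: Accept inbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
      ansible.builtin.iptables:
        chain: INPUT
        protocol: "{{ item.protocol }}"
        source: "{{ item.source }}"
        destination_port: "{{ item.port }}"
        jump: ACCEPT
      loop:
        - source: 192.168.1.254
          protocol: tcp
          port: 53
        - source: 192.168.1.254
          protocol: udp
          port: 53
        - source: 8.8.8.8
          protocol: tcp
          port: 53
        - source: 8.8.8.8
          protocol: udp
          port: 53
        - source: 192.168.1.254
          protocol: tcp
          port: 43
        - source: 8.8.8.8
          protocol: tcp
          port: 43

    - name: Accept outbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: "{{ item.protocol }}"
        destination: "{{ item.destination }}"
        destination_port: "{{ item.port }}"
        jump: ACCEPT
      loop:
        - destination: 192.168.1.254
          protocol: tcp
          port: 53
        - destination: 192.168.1.254
          protocol: udp
          port: 53
        - destination: 8.8.8.8
          protocol: tcp
          port: 53
        - destination: 8.8.8.8
          protocol: udp
          port: 53
        - destination: 192.168.1.254
          protocol: tcp
          port: 43
        - destination: 8.8.8.8
          protocol: tcp
          port: 43

    # ICMP Configuration
    - name: Allow all outbound pinging
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: icmp
        jump: ACCEPT

    # SMB/SAMBA Service
    - name: Accept inbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only from internal network
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        source: 192.168.1.0/24
        destination_port: "{{ item }}"
        jump: ACCEPT
      loop:
        - 445
        - 139
        - 138
        - 137

    - name: Allow outbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only to internal network
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        destination: 192.168.1.0/24
        destination_port: "{{ item }}"
        jump: ACCEPT
      loop:
        - 445
        - 139
        - 138
        - 137

    # VPN to Proxy Server Configuration
    - name: Accept inbound Wireguard connections only from proxy server
      ansible.builtin.iptables:
        chain: INPUT
        protocol: udp
        source: "{{ proxy_server_ip }}"
        destination_port: "{{ proxy_server_vpn_port }}"
        jump: ACCEPT

    # Outbound Wireguard is limited by port only, not by destination address.
    - name: Allow all outbound Wireguard connections
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: udp
        destination_port: "{{ proxy_server_vpn_port }}"
        jump: ACCEPT

    # Docker
    # NOTE(review): a single hard-coded registry address is brittle — confirm
    # the value still matches what the registry name resolves to. The INPUT
    # rule opens local port 443 to that address; pulls are outbound and their
    # replies are covered by the ESTABLISHED,RELATED rule, so it is only needed
    # if this host serves HTTPS to the registry — confirm.
    - name: Accept inbound HTTPS only from Github Container Registry
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        source: 140.82.121.34
        destination_port: 443
        jump: ACCEPT

    - name: Allow outbound HTTPS only to Github Container Registry
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        destination: 140.82.121.34
        destination_port: 443
        jump: ACCEPT

    # Policy Configuration — applied last so that every accept above, in
    # particular loopback and ESTABLISHED,RELATED, is already in place when
    # the chains start dropping by default.
    - name: Drop incoming/outgoing/forward traffic by default
      ansible.builtin.iptables:
        chain: "{{ item }}"
        policy: DROP
      loop:
        - INPUT
        - OUTPUT
        - FORWARD

    # SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA
    # GLUTUN VPN CLIENT (as now using VPNs within in the containers)
    #
    # # Mail Service
    # - name: Allow source (Inbound) local network traffic to the Mail service ports
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     source: 192.168.1.0/24
    #     protocol: tcp
    #     destination_port: "{{ item }}"
    #     jump: ACCEPT
    #   loop:
    #     - 25   # SMTP Cleartext 25
    #     - 465  # ESMTP Implicit TLS 465
    #     - 587  # SMTP+STARTTLS Explicit TLS 587
    #     - 993  # IMAPS Implicit TLS 993
    #     - 143  # IMAPS IMAP+STARTTLS Explicit TLS 143
    #
    # - name: Allow source (Inbound) proxy server traffic to the Mail service ports
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     source: "{{ proxy_server_ip }}"
    #     protocol: tcp
    #     destination_port: "{{ item }}"
    #     jump: ACCEPT
    #   loop:
    #     - 25   # SMTP Cleartext 25
    #     - 465  # ESMTP Implicit TLS 465
    #     - 587  # SMTP+STARTTLS Explicit TLS 587
    #     - 993  # IMAPS Implicit TLS 993
    #     - 143  # IMAPS IMAP+STARTTLS Explicit TLS 143
    #
    # - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     destination: "{{ proxy_server_ip }}"
    #     protocol: tcp
    #     destination_port: "{{ item }}"
    #     jump: ACCEPT
    #   loop:
    #     - 25   # SMTP Cleartext 25
    #     - 465  # ESMTP Implicit TLS 465
    #     - 587  # SMTP+STARTTLS Explicit TLS 587
    #     - 993  # IMAPS Implicit TLS 993
    #     - 143  # IMAPS IMAP+STARTTLS Explicit TLS 143
    #
    # - name: Deny any other traffic on Mail service ports
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     protocol: tcp
    #     destination_port: "{{ item }}"
    #     jump: DROP
    #   loop:
    #     - 25   # SMTP Cleartext 25
    #     - 465  # ESMTP Implicit TLS 465
    #     - 587  # SMTP+STARTTLS Explicit TLS 587
    #     - 993  # IMAPS Implicit TLS 993
    #     - 143  # IMAPS IMAP+STARTTLS Explicit TLS 143
    #
    # # Invidious Service
    # - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     source: 192.168.1.0/24
    #     protocol: tcp
    #     destination_port: 3000
    #     jump: ACCEPT
    #
    # - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     destination: 192.168.1.0/24
    #     protocol: tcp
    #     destination_port: 3000
    #     jump: ACCEPT
    #
    # - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     source: "{{ proxy_server_ip }}"
    #     protocol: tcp
    #     destination_port: 3000
    #     jump: ACCEPT
    #
    # - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     destination: "{{ proxy_server_ip }}"
    #     protocol: tcp
    #     destination_port: 3000
    #     jump: ACCEPT
    #
    # - name: Deny any other traffic on Invidious port 3000
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     protocol: tcp
    #     destination_port: 3000
    #     jump: DROP
    #
    # # Minecraft Service
    # - name: Allow source (Inbound) local network traffic to the Minecraft service only on service port 25565
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     source: 192.168.1.0/24
    #     protocol: tcp
    #     destination_port: 25565
    #     jump: ACCEPT
    #
    # - name: Allow destination (Outbound) local network traffic to the Minecraft service only on service port 25565
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     destination: 192.168.1.0/24
    #     protocol: tcp
    #     destination_port: 25565
    #     jump: ACCEPT
    #
    # - name: Allow source (Inbound) proxy server traffic to the Minecraft service only on service port 25565
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     source: "{{ proxy_server_ip }}"
    #     protocol: tcp
    #     destination_port: 25565
    #     jump: ACCEPT
    #
    # - name: Allow destination (Outbound) proxy server traffic to the Minecraft service only on service port 25565
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     destination: "{{ proxy_server_ip }}"
    #     protocol: tcp
    #     destination_port: 25565
    #     jump: ACCEPT
    #
    # - name: Deny any other traffic on Minecraft port 25565
    #   ansible.builtin.iptables:
    #     chain: DOCKER-USER
    #     protocol: tcp
    #     destination_port: 25565
    #     jump: DROP

    - name: Debug Finish message
      ansible.builtin.debug:
        msg: Ansible playbook has finished!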