Host-Ansible-Setup/server-firewall-setup.yml


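---
# Host firewall playbook for the local machine.
#
# Expected variables (inventory / extra-vars): proxy_server_ip,
# proxy_server_ssh_port, proxy_server_vpn_port.
#
# NOTE(review): ansible.builtin.iptables only edits the live kernel rule set;
# nothing in this play persists the rules (e.g. iptables-save), so they are
# gone after a reboot unless that is handled elsewhere — confirm.
#
# Privilege handling: doas `persist` cannot be used non-interactively, so the
# play temporarily switches the wheel rule to `nopass`. All tasks that rely on
# that run inside a block whose `always` section restores the prompting
# configuration, so a failed task can no longer leave password-less doas behind
# (the original linear task list only reset it if every task succeeded).
- hosts: localhost
  become: true
  tasks:
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      become: true
      template:
        src: root_resources/etc/doas.conf
        dest: "/etc/doas.conf"

    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'

    - name: Configure firewall while doas is password-less
      block:
        # Telnet/SSH Configuration
        # Inbound SSH is restricted to the internal /24; anything else is dropped
        # by the default INPUT policy set below.
        - name: Accept inbound SSH only on internal network
          ansible.builtin.iptables:
            chain: INPUT
            protocol: tcp
            source: 192.168.1.0/24
            destination_port: 22
            jump: ACCEPT

        # Port 23 permits outbound cleartext telnet to any host; keep only if an
        # internal device genuinely requires it.
        - name: Allow all outbound telnet, SSH on default port and SSH proxy server port
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: tcp
            destination_port: "{{ item }}"
            jump: ACCEPT
          loop:
            - 23
            - 22
            - "{{ proxy_server_ssh_port }}"

        # Policy Configuration
        # Default-deny on all three chains; every later task is an explicit ACCEPT.
        # The iptables module appends rules, so relative order among ACCEPTs does
        # not change the outcome here.
        - name: Drop incoming/outgoing/forward traffic by default
          ansible.builtin.iptables:
            chain: "{{ item }}"
            policy: DROP
          loop:
            - INPUT
            - OUTPUT
            - FORWARD

        - name: Allow inbound/outbound already established/related connections to bypass firewall rules
          ansible.builtin.iptables:
            chain: "{{ item }}"
            ctstate: ESTABLISHED,RELATED
            jump: ACCEPT
          loop:
            - INPUT
            - OUTPUT

        # Loopback Configuration
        - name: Allow inbound loopback traffic
          ansible.builtin.iptables:
            chain: INPUT
            in_interface: lo
            jump: ACCEPT

        - name: Allow outbound loopback traffic
          ansible.builtin.iptables:
            chain: OUTPUT
            out_interface: lo
            jump: ACCEPT

        # DNS Configuration
        # 192.168.1.254 is the gateway resolver, 8.8.8.8 is Google Public DNS;
        # port 43 is WHOIS. Only these two peers may exchange DNS/WHOIS traffic
        # with this host.
        - name: Accept inbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
          ansible.builtin.iptables:
            chain: INPUT
            protocol: "{{ item.protocol }}"
            source: "{{ item.source }}"
            destination_port: "{{ item.port }}"
            jump: ACCEPT
          loop:
            - { source: 192.168.1.254, protocol: tcp, port: 53 }
            - { source: 192.168.1.254, protocol: udp, port: 53 }
            - { source: 8.8.8.8, protocol: tcp, port: 53 }
            - { source: 8.8.8.8, protocol: udp, port: 53 }
            - { source: 192.168.1.254, protocol: tcp, port: 43 }
            - { source: 8.8.8.8, protocol: tcp, port: 43 }

        - name: Accept outbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: "{{ item.protocol }}"
            destination: "{{ item.destination }}"
            destination_port: "{{ item.port }}"
            jump: ACCEPT
          loop:
            - { destination: 192.168.1.254, protocol: tcp, port: 53 }
            - { destination: 192.168.1.254, protocol: udp, port: 53 }
            - { destination: 8.8.8.8, protocol: tcp, port: 53 }
            - { destination: 8.8.8.8, protocol: udp, port: 53 }
            - { destination: 192.168.1.254, protocol: tcp, port: 43 }
            - { destination: 8.8.8.8, protocol: tcp, port: 43 }

        # ICMP Configuration
        # Outbound ICMP only; inbound echo requests stay dropped unless they match
        # ESTABLISHED,RELATED above.
        - name: Allow all outbound pinging
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: icmp
            jump: ACCEPT

        # SMB/SAMBA Service
        # NOTE(review): NetBIOS NS/DGM (137/138) are UDP services; these rules
        # only open TCP, so UDP NetBIOS is still dropped — confirm that is intended.
        - name: Accept inbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only from internal network
          ansible.builtin.iptables:
            chain: INPUT
            protocol: tcp
            source: 192.168.1.0/24
            destination_port: "{{ item }}"
            jump: ACCEPT
          loop:
            - 445
            - 139
            - 138
            - 137

        - name: Allow outbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only to internal network
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: tcp
            destination: 192.168.1.0/24
            destination_port: "{{ item }}"
            jump: ACCEPT
          loop:
            - 445
            - 139
            - 138
            - 137

        # VPN to Proxy Server Configuration
        - name: Accept inbound Wireguard connections only from proxy server
          ansible.builtin.iptables:
            chain: INPUT
            protocol: udp
            source: "{{ proxy_server_ip }}"
            destination_port: "{{ proxy_server_vpn_port }}"
            jump: ACCEPT

        - name: Allow all outbound Wireguard connections
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: udp
            destination_port: "{{ proxy_server_vpn_port }}"
            jump: ACCEPT

        # Cockpit Configuration
        # 10.0.0.1 is presumably the proxy server's address inside the WireGuard
        # tunnel — TODO confirm it is not reachable from any other path.
        - name: Accept inbound Cockpit traffic only from proxy server
          ansible.builtin.iptables:
            chain: INPUT
            protocol: tcp
            source: "{{ proxy_server_ip }}"
            destination_port: 9090
            jump: ACCEPT

        - name: Accept inbound Cockpit traffic only from proxy server on wireguard assigned IP
          ansible.builtin.iptables:
            chain: INPUT
            protocol: tcp
            source: 10.0.0.1
            destination_port: 9090
            jump: ACCEPT

        - name: Accept outbound cockpit traffic only to proxy server
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: tcp
            destination: "{{ proxy_server_ip }}"
            destination_port: 9090
            jump: ACCEPT

        - name: Accept outbound cockpit traffic only to proxy server on wireguard assigned IP
          ansible.builtin.iptables:
            chain: OUTPUT
            protocol: tcp
            destination: 10.0.0.1
            destination_port: 9090
            jump: ACCEPT

      always:
        # Runs whether or not the block above succeeded, so the wheel rule never
        # stays at `nopass` after the play.
        - name: Reset doas configuration back to default
          become: true
          template:
            src: root_resources/etc/doas.conf
            dest: "/etc/doas.conf"

    - name: Debug Finish message
      debug:
        msg: Ansible playbook has finished!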