Add UDP ports in iptables role and update README role

2020-07-11 14:59:52 +02:00 · 2020-07-11 14:59:52 +02:00 · 30e5147587
parent 0e055f73e8
commit 30e5147587
3 changed files with 34 additions and 3 deletions
--- a/roles/client_iptables/README.md
+++ b/roles/client_iptables/README.md
@ -1,12 +1,14 @@
 Ansible Role: client iptables
 =========

-This role defines iptables rules for a GNU/Linux server.
+This role defines iptables rules for a GNU/Linux server (but NOT for routers).

 Requirements
 ------------

-None.
+WARNING : do not apply this role on routers !!!
+
+This role assumes you have a clean iptables configuration on your host (else, you may need to flush the current rules).

 Role Variables
 --------------
@ -17,6 +19,9 @@ All variables and default values are defined in `defaults/main.yml` :
    tcp_authorized_ports:
      - 22
    
+    # All authorized UDP ports
+    udp_authorized_ports: []
+    
    # All incoming authorized IP
    ip_authorized: []

--- a/roles/client_iptables/meta/main.yml
+++ b/roles/client_iptables/meta/main.yml
@ -1,6 +1,6 @@
 galaxy_info:
  author: nemo
-  description: Set iptables for GNU/Linux.
+  description: Set iptables for GNU/Linux servers (but NOT routers).
  company: Wirebrass

  license: license (BSD)
--- a/roles/client_iptables/tasks/iptables.yml
+++ b/roles/client_iptables/tasks/iptables.yml
@ -83,6 +83,32 @@
  notify:
    - persist iptables

+- name: Allow new incoming connections on UDP port (dynamic list) (IPV4)
+  iptables:
+    ip_version: ipv4
+    chain: INPUT
+    protocol: udp
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    comment: Accept new connections on port "{{ item }}".
+  loop: "{{ udp_authorized_ports }}"
+  when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
+  notify:
+    - persist iptables
+
+- name: Allow new incoming connections on UDP port (dynamic list) (IPV6)
+  iptables:
+    ip_version: ipv6
+    chain: INPUT
+    protocol: udp
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    comment: Accept new connections on port "{{ item }}".
+  loop: "{{ udp_authorized_ports }}"
+  when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
+  notify:
+    - persist iptables
+
 - name: Allow new incoming connections from specific IP (dynamic list) (IPV4)
  iptables:
    ip_version: ipv4