From 30e5147587e8d4c1d1a2f6e3e7c2aa2e57452652 Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sat, 11 Jul 2020 14:59:52 +0200
Subject: [PATCH] Add UDP ports in iptables role and update README role
---
 roles/client_iptables/README.md | 9 ++++++--
 roles/client_iptables/meta/main.yml | 2 +-
 roles/client_iptables/tasks/iptables.yml | 26 ++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/roles/client_iptables/README.md b/roles/client_iptables/README.md
index c72494b..4627776 100644
--- a/roles/client_iptables/README.md
+++ b/roles/client_iptables/README.md
@@ -1,12 +1,14 @@
 Ansible Role: client iptables
 =========
 
-This role defines iptables rules for a GNU/Linux server.
+This role defines iptables rules for a GNU/Linux server (but NOT for routers).
 
 Requirements
 ------------
 
-None.
+WARNING : do not apply this role on routers !!!
+
+This role assumes you have a clean iptables configuration on your host (else, you may need to flush the current rules).
 
 Role Variables
 --------------
@@ -17,6 +19,9 @@ All variables and default values are defined in `defaults/main.yml` :
 tcp_authorized_ports:
 - 22
 
+ # All authorized UDP ports
+ udp_authorized_ports: []
+
 # All incoming authorized IP
 ip_authorized: []
 
diff --git a/roles/client_iptables/meta/main.yml b/roles/client_iptables/meta/main.yml
index b103441..7dd110e 100644
--- a/roles/client_iptables/meta/main.yml
+++ b/roles/client_iptables/meta/main.yml
@@ -1,6 +1,6 @@
 galaxy_info:
 author: nemo
- description: Set iptables for GNU/Linux.
+ description: Set iptables for GNU/Linux servers (but NOT routers).
 company: Wirebrass
 license: license (BSD)
 
diff --git a/roles/client_iptables/tasks/iptables.yml b/roles/client_iptables/tasks/iptables.yml
index 80991e1..b851735 100644
--- a/roles/client_iptables/tasks/iptables.yml
+++ b/roles/client_iptables/tasks/iptables.yml
@@ -83,6 +83,32 @@
 notify:
 - persist iptables
 
+- name: Allow new incoming connections on UDP port (dynamic list) (IPV4)
+ iptables:
+ ip_version: ipv4
+ chain: INPUT
+ protocol: udp
+ destination_port: "{{ item }}"
+ jump: ACCEPT
+ comment: Accept new connections on port "{{ item }}".
+ loop: "{{ udp_authorized_ports }}"
+ when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
+ notify:
+ - persist iptables
+
+- name: Allow new incoming connections on UDP port (dynamic list) (IPV6)
+ iptables:
+ ip_version: ipv6
+ chain: INPUT
+ protocol: udp
+ destination_port: "{{ item }}"
+ jump: ACCEPT
+ comment: Accept new connections on port "{{ item }}".
+ loop: "{{ udp_authorized_ports }}"
+ when: udp_authorized_ports is defined and (udp_authorized_ports|length>0)
+ notify:
+ - persist iptables
+
 - name: Allow new incoming connections from specific IP (dynamic list) (IPV4)
 iptables:
 ip_version: ipv4
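Review bot: The `when:` guard on both added UDP tasks does not protect the undefined case it tests for, because Ansible evaluates the `loop:` expression before the per-item `when`, so an undefined `udp_authorized_ports` still fails the task; and since `loop` already skips an empty list, the length check is redundant for the defined case. Replace the two lines with `loop: "{{ udp_authorized_ports | default([]) }}"` and drop `when:` in both the IPv4 and IPv6 task. The task names and the `comment:` text written into the rule say "new connections", but the rule carries no `ctstate: NEW` match and therefore accepts every UDP datagram to the port regardless of conntrack state; if the TCP tasks earlier in the file (outside this hunk) match on state, these should be consistent with them, otherwise the wording overstates what the rule does. The IPv4 and IPv6 bodies are identical apart from `ip_version`, which makes them a candidate for a single task looping over the port list and both versions.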