[IPTABLES] Add rules (Not tested)

roles/iptables/tasks/accept_dns.yml

@@ -0,0 +1,57 @@
+---
+
+- name: Accept OUTPUT udp dport 53
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: udp
+    ctstate:
+      - NEW
+      - RELATED
+      - ESTABLISHED
+    destination_port: 53
+    jump: ACCEPT
+    comment: Accept OUTPUT udp dport 53
+    state: present
+  become: yes
+
+- name: Accept INPUT udp sport 53
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: udp
+    ctstate:
+      - NEW
+      - RELATED
+      - ESTABLISHED
+    source_port: 53
+    jump: ACCEPT
+    comment: Accept OUTPUT udp sport 53
+    state: present
+  become: yes
+
+- name: Accept OUTPUT tcp dport 53
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    ctstate:
+      - NEW
+      - RELATED
+      - ESTABLISHED
+    destination_port: 53
+    jump: ACCEPT
+    comment: Accept OUTPUT tcp dport 53
+    state: present
+  become: yes
+
+- name: Accept INPUT tcp sport 53
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    ctstate:
+      - NEW
+      - RELATED
+      - ESTABLISHED
+    source_port: 53
+    jump: ACCEPT
+    comment: Accept OUTPUT tcp sport 53
+    state: present
+  become: yes

roles/iptables/tasks/accept_established.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Accept INPUT established
+  ansible.builtin.iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+    comment: Accept INPUT established
+    state: present
+  become: yes
+
+- name: Accept OUTPUT established
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+    comment: Accept OUTPUT established
+    state: present
+  become: yes

roles/iptables/tasks/accept_http.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Accept INPUT 80
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 80
+    jump: ACCEPT
+    comment: Accept INPUT 80
+    state: present
+  become: yes
+
+- name: Accept INPUT 443
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 443
+    jump: ACCEPT
+    comment: Accept INPUT 443
+    state: present
+  become: yes
+
+- name: Accept OUTPUT 80
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    destination_port: 80
+    jump: ACCEPT
+    comment: Accept OUTPUT 80
+    state: present
+  become: yes
+
+- name: Accept OUTPUT 443
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    destination_port: 443
+    jump: ACCEPT
+    comment: Accept OUTPUT 443
+    state: present
+  become: yes

roles/iptables/tasks/accept_loopback.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Accept INPUT loopback
+  ansible.builtin.iptables:
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+    comment: Accept INPUT loopback
+    state: present
+  become: yes
+
+- name: Accept OUTPUT loopback
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    out_interface: lo
+    jump: ACCEPT
+    comment: Accept OUTPUT loopback
+    state: present
+  become: yes

roles/iptables/tasks/accept_matrix.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Accept INPUT 8448
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 8448
+    jump: ACCEPT
+    comment: Accept INPUT 8448
+    state: present
+  become: yes
+
+- name: Accept OUTPUT 8448
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    destination_port: 8448
+    jump: ACCEPT
+    comment: Accept OUTPUT 8448
+    state: present
+  become: yes

roles/iptables/tasks/accept_ntp.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Accept INPUT 123
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: udp
+    source_port: 123
+    jump: ACCEPT
+    comment: Accept INPUT 123
+    state: present
+  become: yes
+
+- name: Accept OUTPUT 123
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: udp
+    destination_port: 123
+    jump: ACCEPT
+    comment: Accept OUTPUT 123
+    state: present
+  become: yes

roles/iptables/tasks/accept_ping.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Accept INPUT icmp
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: icmp
+    jump: ACCEPT
+    comment: Accept INPUT icmp
+    state: present
+  become: yes
+
+- name: Accept OUTPUT icmp
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: icmp
+    jump: ACCEPT
+    comment: Accept OUTPUT icmp
+    state: present
+  become: yes

roles/iptables/tasks/accept_private_networks.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Accept INPUT 192.168.1.0/24
+  ansible.builtin.iptables:
+    chain: INPUT
+    destination: 192.168.1.0/24
+    jump: ACCEPT
+    comment: Accept INPUT established
+    state: present
+  become: yes
+
+- name: Accept OUTPUT 192.168.1.0/24
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    destination: 192.168.1.0/24
+    jump: ACCEPT
+    comment: Accept OUTPUT established
+    state: present
+  become: yes

roles/iptables/tasks/accept_ssh.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Accept INPUT 7943
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 7943
+    jump: ACCEPT
+    comment: Accept INPUT 7943
+    state: present
+  become: yes
+
+- name: Accept OUTPUT 22
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    destination_port: 22
+    jump: ACCEPT
+    comment: Accept OUTPUT 22
+    state: present
+  become: yes

roles/iptables/tasks/block_basic_ddos.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Accept FORWARD with tcp limit 1/second and syn
+  ansible.builtin.iptables:
+    chain: FORWARD
+    protocol: tcp
+    syn: match
+    limit: 1/second
+    jump: ACCEPT
+    comment: Accept FORWARD with tcp limit 1/second and syn
+    state: present
+  become: yes
+
+- name: Accept FORWARD with udp limit 1/second
+  ansible.builtin.iptables:
+    chain: FORWARD
+    protocol: udp
+    limit: 1/second
+    jump: ACCEPT
+    comment: Accept FORWARD with udp limit 1/second
+    state: present
+  become: yes
+
+- name: Accept FORWARD with icmp limit 1/second
+  ansible.builtin.iptables:
+    chain: FORWARD
+    protocol: icmp
+    icmp_type: echo-request
+    limit: 1/second
+    jump: ACCEPT
+    comment: Accept FORWARD with icmp limit 1/second
+    state: present
+  become: yes

roles/iptables/tasks/block_port_scan.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Accept FORWARD with tcp limit 1/second and tcp_flags
+  ansible.builtin.iptables:
+    chain: FORWARD
+    protocol: tcp
+    tcp_flags:
+      flags:
+        - SYN
+        - ACK
+        - FIN
+        - RST
+      flags_set:
+        - RST
+    limit: 1/second
+    jump: ACCEPT
+    comment: Accept FORWARD with tcp limit 1/second and tcp_flags
+    state: present
+  become: yes

roles/iptables/tasks/drop_all_by_default.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Block all INPUT by default
+  ansible.builtin.iptables:
+    chain: INPUT
+    policy: DROP
+    comment: Block all INPUT by default
+    state: present
+  become: yes
+
+- name: Block all OUTPUT by default
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    policy: DROP
+    comment: Block all OUTPUT by default
+    state: present
+  become: yes
+
+- name: Block all FORWARD by default
+  ansible.builtin.iptables:
+    chain: FORWARD
+    policy: DROP
+    comment: Block all FORWARD by default
+    state: present
+  become: yes

roles/iptables/tasks/drop_scans_xmas_null.yml

@@ -0,0 +1,59 @@
+---
+
+- name: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH)
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    tcp_flags:
+      flags:
+        - FIN
+        - URG
+        - PSH
+      flags_set:
+        - FIN
+        - URG
+        - PSH
+    jump: DROP
+    comment: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH)
+    state: present
+  become: yes
+
+- name: Drop des scans XMAS et NULL (ALL ALL)
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    tcp_flags:
+      flags: ALL
+      flags_set: ALL
+    jump: DROP
+    comment: Drop des scans XMAS et NULL (ALL ALL)
+    state: present
+  become: yes
+
+- name: Drop des scans XMAS et NULL (ALL NONE)
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    tcp_flags:
+      flags: ALL
+      flags_set: NONE
+    jump: DROP
+    comment: Drop des scans XMAS et NULL (ALL NONE)
+    state: present
+  become: yes
+
+- name: Drop des scans XMAS et NULL (SYN,RST SYN,RST)
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    tcp_flags:
+      flags:
+        - SYN
+        - RST
+      flags_set:
+        - SYN
+        - RST
+    jump: DROP
+    comment: Drop des scans XMAS et NULL (SYN,RST SYN,RST)
+    state: present
+  become: yes

roles/iptables/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+
+- ansible.builtin.import_tasks: accept_established.yml
+  name: accept_established
+
+- ansible.builtin.import_tasks: accept_loopback.yml
+  name: accept_loopback
+
+- ansible.builtin.import_tasks: accept_dns.yml
+  name: accept_dns
+
+- ansible.builtin.import_tasks: accept_http.yml
+  name: accept_http
+
+- ansible.builtin.import_tasks: accept_ssh.yml
+  name: accept_ssh
+
+- ansible.builtin.import_tasks: accept_ntp.yml
+  name: accept_ntp
+
+- ansible.builtin.import_tasks: accept_matrix.yml
+  name: accept_matrix
+
+- ansible.builtin.import_tasks: accept_icmp.yml
+  name: accept_icmp
+
+- ansible.builtin.import_tasks: block_basic_ddos.yml
+  name: block_basic_ddos
+
+- ansible.builtin.import_tasks: block_port_scan.yml
+  name: block_port_scan
+
+- ansible.builtin.import_tasks: accept_private_networks.yml
+  name: accept_private_networks
+
+# Add drop after to avoid lock system during configuration
+
+- ansible.builtin.import_tasks: drop_scans_xmas_null.yml
+  name: drop_scans_xmas_null
+
+- ansible.builtin.import_tasks: drop_all_by_default.yml
+  name: drop_all_by_default