@mkhattab
Last active August 29, 2015 14:13
Ansible IPtables
---
- name: install iptables persistent
  apt: pkg=iptables-persistent update_cache=yes state=present
  tags:
    - common

# For some reason, iptables-persistent will fail to start
# if IPv6 rules file is empty or invalid
- name: remove iptables rules.v6 file
  file: path=/etc/iptables/rules.v6 state=absent
  tags:
    - common

# Using a template here in the event we might need variable access
# See: http://docs.ansible.com/playbooks_variables.html#magic-variables-and-how-to-access-information-about-other-hosts
- name: upload iptables rules template
  template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
  notify:
    - restart iptables-persistent   # handler is defined outside this gist
  tags:
    - common
    - firewall

- name: start iptables-persistent
  service: name=iptables-persistent state=started
  tags:
    - common

# rules.v4.j2, rendered to /etc/iptables/rules.v4 by the template task above
# {{ ansible_managed }}
*filter
# Default policies stay ACCEPT so that flushing the rules (`iptables -F`)
# cannot lock you out of the machine; the explicit DROP at the end of the
# INPUT chain does the actual filtering.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept local traffic
-A INPUT -i lo -j ACCEPT
# Accept rate-limited SSH traffic. The "recent" rules must precede the plain
# ACCEPT: an unconditional ACCEPT on port 22 placed first would match every
# SSH packet and the DROP below would never be reached. A source that makes
# 3 or more new connection attempts within 60 seconds is dropped.
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set --rsource
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 3 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow MOSH UDP Ports
-A INPUT -i eth0 -p udp -m udp --dport 60000:60100 -j ACCEPT
# Accept HTTP traffic
-A INPUT -p tcp --dport 80 -j ACCEPT
# Accept related and established traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop remaining traffic
-A INPUT -j DROP
COMMIT
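A small lint for the rule-ordering pitfall in the SSH rate limit, added here as an example and not part of the gist: it parses an iptables-restore file and reports any ACCEPT rule whose matches are a subset of a later "-m recent ... --update -j DROP" rule in the same chain, which makes that DROP unreachable. The embedded rules are copied from the gist as originally published; the function and variable names are the example's own.

```python
"""Check an iptables-restore file for ACCEPT rules that shadow a later
"-m recent" rate-limit DROP in the same chain (the SSH pitfall above)."""

# INPUT rules copied from the gist as first published: the unconditional SSH
# ACCEPT on line 3 precedes the "-m recent" DROP on line 5, so it never matches.
GIST_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set --rsource
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 3 --rsource -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 60000:60100 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


def parse_rule(line):
    """Split '-A CHAIN <options>' into (chain, {option: value}).
    Valueless flags such as --set map to True; '!' negation is not handled."""
    tokens = line.split()
    chain, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            opts[tokens[i]] = True
            i += 1
    return chain, opts


def shadowed_drops(text):
    """Return (accept_line, drop_line) pairs: an earlier ACCEPT whose matches
    are a subset of a later '--update ... -j DROP' rule makes that DROP dead."""
    rules = [(n, *parse_rule(l)) for n, l in enumerate(text.splitlines(), 1)
             if l.startswith("-A ")]
    findings = []
    for dn, dchain, dopts in rules:
        if dopts.get("-j") != "DROP" or "--update" not in dopts:
            continue
        for an, achain, aopts in rules:
            if an >= dn:
                break
            if achain != dchain or aopts.get("-j") != "ACCEPT":
                continue
            # "-m" only loads a match module; every other option is a constraint
            constraints = {k: v for k, v in aopts.items() if k not in ("-m", "-j")}
            if all(dopts.get(k) == v for k, v in constraints.items()):
                findings.append((an, dn))
    return findings
```

Moving the plain port-22 ACCEPT below the two "recent" rules makes the check return an empty list.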