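---
# Host firewall rules for the 192.168.122.0/24 internal network.
#
# Rule order matters. ansible.builtin.iptables appends by default, so the
# ACCEPT rules below only precede the closing REJECT because this file is
# applied top-to-bottom onto a chain that does not yet hold the REJECT.
# NOTE(review): once the REJECT exists, an ACCEPT rule introduced later
# (e.g. a new entry in extra_internal_iptables_ports_allow) is appended
# *after* it and never matches new connections; consider `action: insert`
# for the allow rules or rebuilding the chain — confirm against how this
# role is re-run in practice.
# NOTE(review): the module edits the running ruleset only; persisting the
# rules across a reboot is not handled in this file.
# No INPUT chain policy is set here, so traffic from outside
# 192.168.122.0/24 falls through to whatever the chain policy already is.

- name: Install iptables
  # FQCN and `name` (the canonical spelling of `pkg`) to match the
  # ansible.builtin.* style used by every other task in this file.
  ansible.builtin.apt:
    name:
      - iptables
    state: present

- name: Allow related and established connections
  # Kept first so replies to already-accepted traffic are matched early.
  ansible.builtin.iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT

- name: Allow Hypervisor
  # Unrestricted access from the hypervisor address, all protocols/ports.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.1
    jump: ACCEPT
    comment: "allow hypervisor"

- name: Allow ping from monitoring
  # All ICMP types from the monitoring host (no icmp_type restriction).
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.107
    protocol: icmp
    jump: ACCEPT
    comment: "allow monitoring to ping"

- name: Allow TLS Check from monitoring on mail
  # One rule per port; the port is quoted so the templated integer stays a
  # string for the module.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.107
    protocol: tcp
    destination_port: "{{ item }}"
    jump: ACCEPT
    comment: "allow monitoring to check mail TLS ports"
  loop:
    - 465
    - 993

- name: Allow ping from zabbix
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.117
    protocol: icmp
    jump: ACCEPT
    comment: "allow zabbix to ping"

- name: Allow zabbix-agent from zabbix
  # zabbix-agent listener port, reachable only from the zabbix server.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.117
    protocol: tcp
    destination_port: "10050"
    jump: ACCEPT
    comment: "allow zabbix to connect to agent"

- name: Allow node-exporter from prometheus
  # node-exporter scrape port, reachable only from the prometheus host.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.120
    protocol: tcp
    destination_port: "9100"
    jump: ACCEPT
    comment: "allow prometheus to access node-exporter"

- name: Open Configured internal ports
  # Per-host extras: each item is expected to carry `port`, `protocol` and
  # `comment`. Opened to the whole internal subnet, not a single host.
  ansible.builtin.iptables:
    chain: INPUT
    destination_port: "{{ item.port }}"
    source: 192.168.122.0/24
    protocol: "{{ item.protocol }}"
    comment: "{{ item.comment }}"
    jump: ACCEPT
  loop: "{{ extra_internal_iptables_ports_allow }}"
  when: extra_internal_iptables_ports_allow is defined

- name: Reject everything else in internal network
  # Catch-all for the internal subnet; must stay the last rule this file
  # manages. REJECT with icmp-admin-prohibited gives internal clients an
  # immediate, explicit refusal rather than a timeout.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.0/24
    comment: "Block internal network"
    jump: REJECT
    reject_with: icmp-admin-prohibited
    state: present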