From fbc0c98fe37402788197a20f2eac517cd09c489d Mon Sep 17 00:00:00 2001
From: Alex
Date: Wed, 8 Apr 2020 03:31:07 +0200
Subject: [PATCH] Add iptables rules and run install check conditionally
---
 handlers/main.yml | 5 +++++
 tasks/main.yml | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/handlers/main.yml b/handlers/main.yml
index cb24fe3..8d0d537 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -20,3 +20,8 @@
 notify:
 - Enable unbound
 - Set unbound as default dns
+- name: Save netfilter rules
+ command:
+ argv:
+ - '/usr/sbin/netfilter-persitent'
+ - 'save'
diff --git a/tasks/main.yml b/tasks/main.yml
index afcf1a8..b2a9cd2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -12,3 +12,36 @@
 state: present
 cache_valid_time: 3600
 notify: Disable systemd-resolved
+ when: unbound|bool == true
+- name: Allow Unbound TCP through iptables
+ loop:
+ - ipv4
+ - ipv6
+ iptables:
+ chain: INPUT
+ ctstate:
+ - NEW
+ - ESTABLISHED
+ - RELATED
+ destination_port: "53"
+ jump: ACCEPT
+ ip_version: '{{ item }}'
+ protocol: tcp
+ notify:
+ - Save netfilter rules
+- name: Allow Unbound UDP through iptables
+ loop:
+ - ipv4
+ - ipv6
+ iptables:
+ chain: INPUT
+ ctstate:
+ - NEW
+ - ESTABLISHED
+ - RELATED
+ destination_port: "53"
+ jump: ACCEPT
+ ip_version: '{{ item }}'
+ protocol: udp
+ notify:
+ - Save netfilter rules
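Review bot: The new handler's first argv entry, `'/usr/sbin/netfilter-persitent'`, is misspelled — the netfilter-persistent package installs the binary as `/usr/sbin/netfilter-persistent` — so the handler will fail with a missing-executable error the first time an iptables task notifies it, and the ACCEPT rules the play adds would not survive a reboot. Change that entry to `'/usr/sbin/netfilter-persistent'`. Nothing in this hunk installs or checks for netfilter-persistent (the iptables-persistent package on Debian-family hosts); if the role does not guarantee it elsewhere, a package task or a `creates`/existence guard belongs alongside this handler. The `notify:` list at the top of the hunk belongs to a handler whose definition starts outside the hunk.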
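Review bot: The two new iptables tasks carry no `when: unbound|bool` guard, unlike the apt task in the same hunk that this commit makes conditional, so port 53 is opened on INPUT for both address families even on hosts where unbound is disabled; add `when: unbound|bool` to both tasks (the `== true` on the apt task's new `when` is redundant and can be dropped the same way). Neither rule restricts `source`, so any peer that can reach the interface can use the host as a resolver — if unbound is meant to serve only local or trusted networks, pass a `source` drawn from a role variable (e.g. a placeholder like `unbound_allowed_networks`) or document why an unrestricted accept is intended. The TCP and UDP tasks are otherwise identical and can be collapsed into one task looping over the ip-version/protocol product, as sketched below. The apt task whose `when:` is added starts outside the hunk.
```yaml
- name: Allow Unbound DNS through iptables
  loop: "{{ ['ipv4', 'ipv6'] | product(['tcp', 'udp']) | list }}"
  iptables:
    chain: INPUT
    ctstate:
      - NEW
      - ESTABLISHED
      - RELATED
    destination_port: "53"
    jump: ACCEPT
    ip_version: "{{ item.0 }}"
    protocol: "{{ item.1 }}"
  when: unbound|bool
  notify:
    - Save netfilter rules
```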