Add iptables rules and run install check conditionally
parent
c5b26678d6
commit
fbc0c98fe3
@ -20,3 +20,8 @@
|
||||||
notify:
|
notify:
|
||||||
- Enable unbound
|
- Enable unbound
|
||||||
- Set unbound as default dns
|
- Set unbound as default dns
|
||||||
|
- name: Save netfilter rules
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- '/usr/sbin/netfilter-persitent'
|
||||||
|
- 'save'
|
||||||
|
|
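Review bot: The handler's command path is misspelled: `/usr/sbin/netfilter-persitent` should be `/usr/sbin/netfilter-persistent`, so the first time an iptables task notifies `Save netfilter rules` the handler fails on a missing executable and the new rules are never persisted across a reboot. Correct the argv entry to `- '/usr/sbin/netfilter-persistent'`, and consider a comment above the handler such as `# requires the netfilter-persistent / iptables-persistent package` so the dependency is visible to whoever runs the role. Because the failure only surfaces at handler time at the end of the play, a typo here is easy to miss in a run that otherwise looks green. The handler list continues outside the hunk.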
|
@ -12,3 +12,36 @@
|
||||||
state: present
|
state: present
|
||||||
cache_valid_time: 3600
|
cache_valid_time: 3600
|
||||||
notify: Disable systemd-resolved
|
notify: Disable systemd-resolved
|
||||||
|
when: unbound|bool == true
|
||||||
|
- name: Allow Unbound TCP through iptables
|
||||||
|
loop:
|
||||||
|
- ipv4
|
||||||
|
- ipv6
|
||||||
|
iptables:
|
||||||
|
chain: INPUT
|
||||||
|
ctstate:
|
||||||
|
- NEW
|
||||||
|
- ESTABLISHED
|
||||||
|
- RELATED
|
||||||
|
destination_port: "53"
|
||||||
|
jump: ACCEPT
|
||||||
|
ip_version: '{{ item }}'
|
||||||
|
protocol: tcp
|
||||||
|
notify:
|
||||||
|
- Save netfilter rules
|
||||||
|
- name: Allow Unbound UDP through iptables
|
||||||
|
loop:
|
||||||
|
- ipv4
|
||||||
|
- ipv6
|
||||||
|
iptables:
|
||||||
|
chain: INPUT
|
||||||
|
ctstate:
|
||||||
|
- NEW
|
||||||
|
- ESTABLISHED
|
||||||
|
- RELATED
|
||||||
|
destination_port: "53"
|
||||||
|
jump: ACCEPT
|
||||||
|
ip_version: '{{ item }}'
|
||||||
|
protocol: udp
|
||||||
|
notify:
|
||||||
|
- Save netfilter rules
|
||||||
|
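Review bot: The two new tasks `Allow Unbound TCP through iptables` and `Allow Unbound UDP through iptables` carry no `when:` condition, while the added `when: unbound|bool == true` appears to attach only to the preceding apt task whose start lies outside the hunk; if that reading is right (indentation is lost in this rendering), port 53 is opened on every host the role runs against, including hosts where unbound is never installed. Add `when: unbound | bool` to both tasks (the `== true` comparison is redundant once `| bool` is applied) and apply the same form to the apt task for consistency. Both rules also accept TCP and UDP 53 on INPUT from any source on both IP families, which makes the host an open resolver if unbound's own `interface`/`access-control` settings are equally permissive; unless that is intended, add a `source:` (or `in_interface:`) restriction matching the network unbound serves and state the intent in a comment. Since the two tasks differ only in `protocol`, they can be collapsed into one task looping over the product of IP family and protocol, as sketched below.

```yaml
- name: Allow Unbound DNS through iptables
  loop: "{{ ['ipv4', 'ipv6'] | product(['tcp', 'udp']) | list }}"
  iptables:
    chain: INPUT
    ctstate:
      - NEW
      - ESTABLISHED
      - RELATED
    destination_port: "53"
    jump: ACCEPT
    ip_version: "{{ item.0 }}"
    protocol: "{{ item.1 }}"
    # source: "<LAN_CIDR placeholder>"  # restrict once the served network is known
  notify:
    - Save netfilter rules
  when: unbound | bool
```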