add first working version

README.md

-Role Name
-=========
+Ansible Archlinux Iptables
+==========================
 
-A brief description of the role goes here.
+A role to set basic iptable config
 
-Requirements
+Tested and Used on ArchLinux but it Should work on any Linux
+Dependencies
 ------------
 
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+[Requirements](molecule/default/requirements.yml)
 
-Role Variables
---------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+Variables
+---------
 
-Dependencies
-------------
+[Role Variables](defaults/main.yml)
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
 
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+[Test Playbook](molecule/default/playbook.yml)
 
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
 
 License
 -------
 
-BSD
+[License](LICENSE)
 
-Author Information
-------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Todo
+----
+Should check (again) https://wiki.archlinux.org/index.php/Simple_stateful_firewall

defaults/main.yml

 ---
 # defaults file for iptables
+
+iptables_packages: ['iptables']
+
+iptables_ip_versions: [ 'ipv4', 'ipv6' ]
+
+iptables_services: ['iptables', 'ip6tables']
+
+iptables_do_save: true
+
+iptables_do_clean: true
+iptables_tables_to_clean: [ 'raw', 'filter', 'nat', 'mangle', 'security' ]
+
+iptables_open_port_out: [ 22, 80, 443 ]
+iptables_open_port_in: []
+
+iptables_close_port_out: []
+iptables_close_port_in: []
+
+iptables_forward_policy: DROP
+iptables_output_policy: ACCEPT
+iptables_input_policy: DROP

handlers/main.yml

 ---
 # handlers file for iptables
+
+- name: Restart Service
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: restarted
+  loop: "{{ iptables_services }}"

molecule/default/Dockerfile.j2

@@ -12,9 +12,8 @@ RUN pacman -S systemd python --noconfirm
 
 VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock", "/tmp" ]
 
-STOPSIGNAL SIGRTMIN+3
+# STOPSIGNAL SIGRTMIN+3
 
-RUN sleep 360
 
 # ENTRYPOINT ["/usr/lib/systemd/systemd", "--log-level=info", "--unit=sysinit.target"]
 # CMD ["/sbin/init"]

molecule/default/molecule.yml

 ---
 dependency:
   name: galaxy
+lint: |
+  yamllint .
+  ansible-lint
 driver:
   name: docker
 platforms:
-  - name: archlinux
+  - name: archlinux-test
     image: archlinux/archlinux:base-devel
+    dockerfile: Dockerfile.j2
     privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro

tasks/base.yml

+---
+
+- name: Allow Related And Established
+  ansible.builtin.iptables:
+    chain: "{{ item }}"
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+  loop:  ['INPUT', 'OUTPUT']
+
+- name: Deny Invalid
+  ansible.builtin.iptables:
+    chain: "{{ item }}"
+    ctstate: INVALID
+    jump: DROP
+    ip_version: "{{ ip_version }}"
+  loop:  ['INPUT', 'OUTPUT', 'FORWARD']
+
+- name: Allow Loopback In
+  ansible.builtin.iptables:
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+
+- name: Allow Loopback Out
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    out_interface: lo
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+
+- name: Allow Ping In
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: "{{ item }}"
+    jump: ACCEPT
+    limit: 1/second
+    ip_version: "{{ ip_version }}"
+  loop:  ['icmp', 'icmpv6']
+
+- name: Allow Ping Out
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: "{{ item }}"
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+  loop:  ['icmp', 'icmpv6']
+
+- name: Allow Dns Out
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: "{{ item }}"
+    destination_port: 53
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+  loop:  ['tcp', 'udp']
+
+- name: Allow Ntp Out
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: 'udp'
+    destination_port: 123
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+
+# warning: if you change openssh tcp port, you have to use iptables_close_port_in var to close port 22
+- name: Allow Ssh In
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: 'tcp'
+    destination_port: 22
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"

tasks/clean.yml

+---
+
+- name: Flush Tables
+  ansible.builtin.iptables:
+    table: "{{ item }}"
+    flush: yes
+    ip_version: "{{ ip_version }}"
+  loop:  "{{ iptables_tables_to_clean }}"
+  tags:
+    - molecule-idempotence-notest

tasks/custom.yml

+---
+
+- name: Deny Custom Out
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: 'tcp'
+    destination_port: "{{ item }}"
+    jump: DROP
+    ip_version: "{{ ip_version }}"
+  loop: "{{ iptables_close_port_out }}"
+
+- name: Deny Custom In
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: 'tcp'
+    destination_port: "{{ item }}"
+    jump: DROP
+    ip_version: "{{ ip_version }}"
+  loop: "{{ iptables_close_port_in }}"
+
+- name: Allow Custom Out
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: 'tcp'
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+  loop: "{{ iptables_open_port_out }}"
+
+- name: Allow Custom In
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: 'tcp'
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    ip_version: "{{ ip_version }}"
+  loop: "{{ iptables_open_port_in }}"

tasks/enable.yml

+---
+
+- name: Enable Iptables
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
+  loop: "{{ iptables_services }}"

tasks/install.yml

+---
+
+- name: Install Packages
+  ansible.builtin.package:
+    name: "{{ iptables_packages }}"
+    state: present

tasks/main.yml

 ---
 # tasks file for iptables
+
+- name: Install Iptables
+  include_tasks: install.yml
+
+- name: Clean Config
+  include_tasks: clean.yml
+  loop: "{{ iptables_ip_versions }}"
+  loop_control:
+    loop_var: ip_version
+  when: iptables_do_clean
+
+- name: Base Config
+  include_tasks: base.yml
+  loop: "{{ iptables_ip_versions }}"
+  loop_control:
+    loop_var: ip_version
+
+- name: Custom Config
+  include_tasks: custom.yml
+  loop: "{{ iptables_ip_versions }}"
+  loop_control:
+    loop_var: ip_version
+
+- name: Apply Policy
+  include_tasks: policy.yml
+  loop: "{{ iptables_ip_versions }}"
+  loop_control:
+    loop_var: ip_version
+
+- name: Save Rule
+  include_tasks: save.yml
+  loop: "{{ iptables_ip_versions }}"
+  loop_control:
+    loop_var: ip_version
+  when: iptables_do_save
+
+
+- name: Enable Service
+  include_tasks: enable.yml
+  loop: "{{ iptables_ip_versions }}"
+  loop_control:
+    loop_var: ip_version

tasks/policy.yml

+---
+
+- name: Set Forward Policy
+  ansible.builtin.iptables:
+    chain: FORWARD
+    policy: "{{ iptables_forward_policy }}"
+    ip_version: "{{ ip_version }}"
+
+- name: Set Out Policy
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    policy: "{{ iptables_output_policy }}"
+    ip_version: "{{ ip_version }}"
+
+- name: Set In Policy
+  ansible.builtin.iptables:
+    chain: INPUT
+    policy: "{{ iptables_input_policy }}"
+    ip_version: "{{ ip_version }}"

tasks/save.yml

+---
+
+- name: Save The Current State
+  community.general.iptables_state:
+    ip_version: "{{ ip_version }}"
+    state: saved
+    path: "/etc/iptables/{{ ip_version }}.rules"
+  notify: Restart Service