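---
# Baseline stateful firewall rules, applied for the address family given by
# `ip_version` (the caller supplies it; the same task list is expected to run
# once per family). Order matters: conntrack accept/drop first, then loopback,
# then the narrow per-service allows.
#
# NOTE(review): no chain default policy is set in this file; these allows are
# only meaningful together with a DROP/REJECT policy defined elsewhere — confirm.

- name: Allow Related And Established
  ansible.builtin.iptables:
    chain: "{{ item }}"
    # List form; the module joins it with ',' for --ctstate.
    ctstate:
      - ESTABLISHED
      - RELATED
    jump: ACCEPT
    ip_version: "{{ ip_version }}"
  loop: ['INPUT', 'OUTPUT']

- name: Deny Invalid
  ansible.builtin.iptables:
    chain: "{{ item }}"
    ctstate:
      - INVALID
    jump: DROP
    ip_version: "{{ ip_version }}"
  loop: ['INPUT', 'OUTPUT', 'FORWARD']

- name: Allow Loopback In
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    ip_version: "{{ ip_version }}"

- name: Allow Loopback Out
  ansible.builtin.iptables:
    chain: OUTPUT
    out_interface: lo
    jump: ACCEPT
    ip_version: "{{ ip_version }}"

- name: Allow Ping In
  ansible.builtin.iptables:
    chain: INPUT
    protocol: "{{ item }}"
    jump: ACCEPT
    # Rate-limits inbound echo requests via the limit match.
    # NOTE(review): on IPv6 this rule matches all ICMPv6, not just echo, so the
    # limit also throttles neighbour discovery — confirm that is intended.
    limit: 1/second
    ip_version: "{{ ip_version }}"
  # NOTE(review): both protocol names are looped for every ip_version; presumably
  # 'icmpv6' is only valid when ip_version is ipv6 — verify on an IPv4 host.
  loop: ['icmp', 'icmpv6']

- name: Allow Ping Out
  ansible.builtin.iptables:
    chain: OUTPUT
    protocol: "{{ item }}"
    jump: ACCEPT
    ip_version: "{{ ip_version }}"
  loop: ['icmp', 'icmpv6']

- name: Allow Dns Out
  ansible.builtin.iptables:
    chain: OUTPUT
    protocol: "{{ item }}"
    # Ports are strings: the module's *_port options are str, and quoting
    # keeps YAML from typing them as integers.
    destination_port: '53'
    jump: ACCEPT
    ip_version: "{{ ip_version }}"
  loop: ['tcp', 'udp']

- name: Allow Ntp Out
  ansible.builtin.iptables:
    chain: OUTPUT
    protocol: 'udp'
    destination_port: '123'
    jump: ACCEPT
    ip_version: "{{ ip_version }}"

- name: Allow Ssh In
  ansible.builtin.iptables:
    chain: INPUT
    protocol: 'tcp'
    # `iptables_host_ssh_port` must be defined by the caller; an undefined
    # variable fails the task rather than opening a default port.
    destination_port: "{{ iptables_host_ssh_port }}"
    jump: ACCEPT
    ip_version: "{{ ip_version }}"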