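---
# Ansible variables for generating an iptables ruleset.
# The rule keys below (state, action, protocol, ...) are translated to
# iptables command-line options through `iptables_mappings`; the template
# that does the translation is not in this file.

# Directory the persisted ruleset is written to.
iptables_dir: /etc/iptables

# Alpine's iptables service restores from `rules-save`; the Debian-style
# iptables-persistent layout uses `rules.v4`.
iptables_file: "{{ (iptables_dir, 'rules-save' if ansible_distribution == 'Alpine' else 'rules.v4') | path_join }}"

# Rule key -> iptables option mapping. Fields (meaning presumed from the
# names; confirm against the consuming template):
#   module   - match extension to load with `-m`
#   param    - option name (single letter -> short flag such as `-j`,
#              longer name -> long option such as `--state`)
#   upper /
#   lower    - case-normalise the value before emitting it
#   join     - separator used when the value is a list
#   if_true /
#   if_false - value emitted for a boolean rule key
# Booleans are written as `true` (not `yes`) so they parse identically
# under YAML 1.1 and 1.2 loaders and pass yamllint's `truthy` rule.
iptables_mappings:
  state: { module: 'state', param: 'state', upper: true, join: ',' }
  action: { param: 'j', upper: true }
  protocol: { param: 'p', lower: true }
  icmp_type: { module: 'icmp', param: 'icmp-type' }
  in_intf: { param: 'i' }
  out_intf: { param: 'o' }
  src_addr: { param: 's', join: ',' }
  dst_addr: { param: 'd', join: ',' }
  src_port: { module: 'multiport', param: 'source-ports' }
  dst_port: { module: 'multiport', param: 'destination-ports' }
  any_port: { module: 'multiport', param: 'ports' }
  ipsec: { module: 'policy', param: 'pol', if_false: 'none', if_true: 'ipsec' }
  ipsec_direction: { module: 'policy', param: 'dir', lower: true }
  tcp_flags: { param: 'tcp-flags', upper: true }
  mss: { module: 'tcpmss', param: 'mss' }
  set_mss: { param: 'set-mss' }
  to_source: { param: 'to-source' }

# Baseline filter table: default-deny on INPUT and FORWARD, allow OUTPUT,
# then the usual stateful / loopback / ICMP-echo allowances.
firewall_default_config:
  filter:
    default_policy:
      input: drop
      forward: drop
      output: accept
    input:
      - { state: ['established', 'related'], action: accept }
      - { state: invalid, action: drop }
      # ICMP type 8 = echo-request (ping).
      - { protocol: icmp, icmp_type: 8, action: accept }
      - { in_intf: lo, action: accept }
      # Anti-spoofing: loopback-range sources are only legitimate on lo.
      # `not_in_intf` has no entry in iptables_mappings above; presumably
      # the template treats a `not_` prefix as negation of `in_intf` -
      # TODO confirm.
      - { not_in_intf: lo, src_addr: '127.0.0.0/8', action: drop }

# SSH allowances, appended to the filter INPUT chain.
firewall_ssh_config:
  filter:
    input:
      # Source network is admin_net, falling back to int_net, and finally to
      # 0.0.0.0/0. NOTE(review): with neither variable defined this rule
      # accepts SSH from any source - set admin_net or int_net to scope it.
      - "{{ { 'protocol': 'tcp', 'dst_port': 22, 'src_addr': admin_net | d(int_net | d('0.0.0.0/0')), 'action': 'accept' } }}"
      # Allow the inventory host named `ansible` (the controller) in.
      # Renders as None when that host is not in inventory, so the list
      # can contain a None entry; the consuming template presumably skips
      # it - TODO confirm.
      - "{{ { 'protocol': 'tcp', 'dst_port': 22, 'src_addr': hostvars['ansible']['ansible_host'], 'action': 'accept' } if hostvars['ansible'] is defined else None }}"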