refactor(ansible): prefer iptables module

ansible/inventory.ini

@@ -1,2 +1,2 @@
 [ovh]
-ovh1 ansible_host=5.39.72.167 ansible_port=7511 ansible_user=ubuntu
+ovh1 ansible_host=5.39.72.167 ansible_port=7511 ansible_user=ubuntu firewall_ports=80,443,6443,7511

ansible/system_basics.yaml

@@ -41,32 +41,14 @@
     command: sshd -t
     changed_when: false
 
-  - name: Create iptables rules file
+  - name: Open firewall ports
-    copy:
+    iptables:
-      dest: /etc/iptables.rules
+      chain: INPUT
-      content: |
+      protocol: tcp
-        *filter
+      destination_port: "{{ item }}"
-        :INPUT DROP [0:0]
+      jump: ACCEPT
-        :FORWARD DROP [0:0]
+      state: present
-        :OUTPUT ACCEPT [0:0]
+    loop: "{{ firewall_ports }}"
-        -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-        -A INPUT -p tcp --dport 80 -j ACCEPT
-        -A INPUT -p tcp --dport 443 -j ACCEPT
-        -A INPUT -p tcp --dport 7511 -j ACCEPT
-        -A INPUT -i lo -j ACCEPT
-        COMMIT
-
-  - name: Apply iptables rules
-    shell: iptables-restore < /etc/iptables.rules
-    changed_when: false
-
-  - name: Ensure iptables rules are loaded on boot (Debian/Ubuntu)
-    copy:
-      dest: /etc/network/if-pre-up.d/iptablesload
-      content: |
-        #!/bin/sh
-        iptables-restore < /etc/iptables.rules
-      mode: '0755'
 
   - name: Ensure fail2ban is started and enabled
     service: