another iptables fix

2018-07-12 00:48:14 +02:00 · 2018-07-12 00:48:14 +02:00 · 316b3f2d39
commit 316b3f2d39
parent fe28ebdbf3
2 changed files with 31 additions and 16 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -18,16 +18,26 @@ unifi_tmp_dir: "{{ unifi_base_dir }}/tmp"

 unifi_iptables_enabled: True
 unifi_open_ports:
-  # unifi webinterface
-  - "-A INPUT -m state --state NEW -p 8443 --dport tcp -j ACCEPT"
-  # unifi client server communication
-  - "-A INPUT -m state --state NEW -p 8080 --dport tcp -j ACCEPT"
-  - "-A OUTPUT -m state --state NEW -p 8080 --dport tcp -j ACCEPT"
-  # unifi speedtest
-  - "-A OUTPUT -m state --state NEW -p 6789 --dport tcp -j ACCEPT"
-  # unifi stun
-  - "-A INPUT -m state --state NEW -p 3478 --dport udp -j ACCEPT"
-  - "-A OUTPUT -m state --state NEW -p 3478 --dport udp -j ACCEPT"
-  # ap discovery
-  - "-A INPUT -m state --state NEW -p 10001 --dport udp -j ACCEPT"
-  - "-A OUTPUT -m state --state NEW -p 10001 --dport udp -j ACCEPT"
+  - name: allow_unifi_web
+    rules: |
+      -A INPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT
+    state: present
+  - name: allow_unifi_comm
+    rules: |
+      -A INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
+      -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
+    state: present
+  - name: allow_unifi_stun
+    rules: |
+      -A INPUT -m state --state NEW -p udp --dport 3478 -j ACCEPT
+      -A OUTPUT -m state --state NEW -p udp --dport 3478 -j ACCEPT
+    state: present
+  - name: allow_unifi_discover
+    rules: |
+      -A INPUT -m state --state NEW -p udp --dport 10001 -j ACCEPT
+      -A OUTPUT -m state --state NEW -p udp --dport 10001 -j ACCEPT
+    state: present
+  - name: allow_unifi_sped
+    rules: |
+      -A INPUT -m state --state NEW -p tcp --dport 6789 -j ACCEPT
+    state: present
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -62,9 +62,14 @@
 - block:
  - name: Open ports in iptables
    iptables_raw:
-      name: "allow_unifi"
-      state: present
-      rules: "{{ unifi_open_ports }}"
+      name: "{{ item.name }}"
+      rules: "{{ item.rules }}"
+      state: "{{ item.state }}"
+      weight: "{{ item.weight|default(omit) }}"
+      table: "{{ item.table|default(omit) }}"
+    with_items: "{{ unifi_open_ports }}"
+    loop_control:
+      label: "{{item.name}}"
    when: unifi_iptables_enabled

  - name: Create systemd unit files