try to fix fs rules

2018-07-11 22:57:06 +02:00 · 2018-07-11 22:57:06 +02:00 · 87bd5e410e
parent 5b10fc8319
commit 87bd5e410e
2 changed files with 9 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -17,11 +17,11 @@ unifi_tmp_dir: "{{ unifi_base_dir }}/tmp"

 unifi_iptables_enabled: True
 unifi_open_ports:
-  - { flag: "allow_unifi_web", proto: "tcp", port: "8443" }
-  - { flag: "allow_unifi", proto: "tcp", port: "8080" }
+  - { flag: "allow_unifi_web", direction: "input", proto: "tcp", port: "8443" }
+  - { flag: "allow_unifi", direction: "input", proto: "tcp", port: "8080" }
+  - { flag: "allow_unifi", direction: "output", proto: "tcp", port: "8080" }
  # - { flag: "allow_unifi", proto: "tcp", port: "8880" }
  # - { flag: "allow_unifi", proto: "tcp", port: "8843" }
-  - { flag: "allow_unifi_speedtest", proto: "tcp", port: "6789" }
-  - { flag: "allow_unifi", proto: "tcp", port: "8843" }
-  - { flag: "allow_unifi_stun", proto: "udp", port: "3478" }
-  - { flag: "allow_unifi_discover", proto: "udp", port: "10001" }
+  - { flag: "allow_unifi_speedtest", direction: "output", proto: "tcp", port: "6789" }
+  - { flag: "allow_unifi_stun", direction: "output", proto: "udp", port: "3478" }
+  - { flag: "allow_unifi_discover", direction: "output", proto: "udp", port: "10001" }
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -47,8 +47,10 @@
    iptables_raw:
      name: "{{ item.flag }}"
      state: present
-      rules: "-A INPUT -m state --state NEW -p {{ item.proto }} --dport {{ item.port }} -j ACCEPT"
+      rules: "-A {{ item.direction | upper }} -m state --state NEW -p {{ item.proto » lower }} --dport {{ item.port }} -j ACCEPT"
    with_items: "{{ unifi_open_ports }}"
+    loop_control:
+      label: "{{ item.flag }}"
    when: unifi_iptables_enabled

  - name: Create systemd unit files