From 5e916ca510e01a4a13424dc4bf69a1f4dc043649 Mon Sep 17 00:00:00 2001
From: "Daniel A. Maierhofer"
Date: Sun, 4 Nov 2018 21:21:36 +0100
Subject: [PATCH] iptables: drop instead accept all but SSH

---
 templates/iptables_default_v4.j2 | 11 +++++++++--
 templates/iptables_default_v6.j2 | 9 +++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/templates/iptables_default_v4.j2 b/templates/iptables_default_v4.j2
index 72b9469..b7efa99 100644
--- a/templates/iptables_default_v4.j2
+++ b/templates/iptables_default_v4.j2
@@ -1,7 +1,14 @@
 # {{ ansible_managed }}
 *filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
 COMMIT
diff --git a/templates/iptables_default_v6.j2 b/templates/iptables_default_v6.j2
index 72b9469..d2927b5 100644
--- a/templates/iptables_default_v6.j2
+++ b/templates/iptables_default_v6.j2
@@ -1,7 +1,12 @@
 # {{ ansible_managed }}
 *filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp --syn -j DROP
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
 COMMIT
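Review bot: The three explicit REJECT rules at the tail of the v4 INPUT chain (`-p tcp … tcp-reset`, `-p udp … icmp-port-unreachable`, and the protocol-agnostic `-j REJECT --reject-with icmp-proto-unreachable`) match every packet not accepted above them, so the new `:INPUT DROP` policy is never reached; this contradicts the commit title ("drop") and makes the v4 and v6 templates answer unsolicited traffic differently (v6 silently drops, v4 actively rejects and thereby confirms the host is up and filtered). Decide on one behaviour: either delete the three `-j REJECT` lines and let the DROP policy act, or keep them and add a template comment such as `# active REJECT preferred over silent DROP so legitimate clients fail fast` so the intent survives review. The v4 file also keeps the legacy `-m state --state RELATED,ESTABLISHED` match while the v6 file uses `-m conntrack`; writing `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` in both keeps the templates consistent. As a point of style, placing the `-i lo` and ESTABLISHED,RELATED rules before the port-22 rule is the conventional order, and the unrestricted `-p icmp -j ACCEPT` deserves a short `# accept all ICMP (ping, PMTUD); tighten per host if required` comment so a later reader knows it is deliberate.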
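Review bot: The first rule added to the v6 INPUT chain, `-A INPUT -p tcp --syn -j DROP`, drops every new TCP connection attempt before the following `--state NEW … --dport 22 -j ACCEPT` rule is evaluated, so SSH over IPv6 is locked out the moment this template is loaded (rules match in order and `--syn` matches exactly the SYN packets that open a connection). Either remove that line or move it below the port-22 accept, where it becomes a redundant tail rule; since `:INPUT DROP` is now the policy, deleting it is the simplest fix. Keeping `-p ipv6-icmp -j ACCEPT` ahead of any catch-all, as it already is here, matters because Neighbor Discovery and PMTUD depend on ICMPv6; a comment such as `# ICMPv6 is required for neighbour discovery and PMTUD; never drop it` above that rule would make the dependency explicit for whoever next tightens this chain.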