# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# loopback allowed
-A INPUT -i lo -j ACCEPT

# Accept ping and traceroute (needs icmp)
-A INPUT -p ipv6-icmp -j ACCEPT

# Established connections allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Established connections allowed
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# if the blocked_ips is defined - drop them
{% if blocked_ip_v6 is defined %}
{% for ip in blocked_ip_v6 %}
-A INPUT -s {{ ip }} -j DROP
{% endfor %}
{% endif %}

# allow ssh - always
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

# for nrpe (if we want noc02 to be able to get into remote systems)
#-A INPUT -p tcp -m tcp --dport 5666 -s 2600:2701:4000:5211:dead:beef:00fe:fed9 -j ACCEPT

# if the host/group defines incoming tcp_ports - allow them
{% if tcp_ports is defined %}
{% for port in tcp_ports %}
-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# if the host/group defines incoming udp_ports - allow them
{% if udp_ports is defined %}
{% for port in udp_ports %}
-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# if there are custom6 rules - put them in as-is
{% if custom6_rules is defined %}
{% for rule in custom6_rules %}
{{ rule }}
{% endfor %}
{% endif %}

# otherwise kick everything out
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT