iptables: rules for TFTP.

2021-12-24 12:28:00 +01:00 · 2021-12-24 12:28:00 +01:00 · 47934353bb
parent c10eb540eb
commit 47934353bb
2 changed files with 20 additions and 0 deletions
--- a/tasks/plain-iptables.yml
+++ b/tasks/plain-iptables.yml
@ -39,6 +39,18 @@
      - ansible_distribution_major_version >= '16'
    register: install_netfilter_rules

+  - name: Load the nf_conntrack_ftp module when FTP is enabled
+    ansible.builtin.modprobe:
+      name: nf_conntrack_ftp
+      state: present
+    when: vsftpd_iptables_rules is defined and vsftpd_iptables_rules
+
+  - name: Load the nf_conntrack_tftp module when TFTP is enabled
+    ansible.builtin.modprobe:
+      name: nf_conntrack_tftp
+      state: present
+    when: tftp_server_iptables_rules is defined and tftp_server_iptables_rules
+
  - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
    service: name=iptables-persistent state=restarted enabled=yes
    register: restart_related_t
--- a/templates/iptables-rules.v4.j2
+++ b/templates/iptables-rules.v4.j2
@ -233,6 +233,14 @@
 -A INPUT -m helper --helper ftp -j ACCEPT
 {% endif %}
 {% endif %}
+{% if tftp_server_iptables_rules is defined and tftp_server_iptables_rules %}
+# TFTP service
+{% for ip in tftp_server_iptables_allowed %}
+-A INPUT -m state --state NEW -p udp -s {{ ip }} --dport tftp -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -p udp -s {{ ip }} -j ACCEPT
+{% endfor %}
+-A INPUT -m helper --helper tftp -j ACCEPT
+{% endif %}
 #
 # TODO: add the rules that block traffic from now on
 #