fix(firewall_alpine): replace empty iptables ruleset with proper INPUT filtering

The rules.v4.j2 template deployed a ruleset with INPUT ACCEPT and zero
custom rules — effectively a no-op. nuremberg-a is a public-facing mail
server and needs actual filtering.

Changes:
- INPUT default policy set to DROP
- Allow loopback, established/related, Tailscale interface, SSH, ICMP
- FORWARD stays ACCEPT for Docker port-forwarding
- Added firewall_alpine_extra_input_rules variable for host-specific rules

Mail ports remain handled by Docker's FORWARD chain, not INPUT.

Closes PESO-119

ansible/roles/firewall_alpine/templates/rules.v4.j2

@@ -2,13 +2,32 @@
 # iptables rules for {{ inventory_hostname }}
 #
 # Docker and Tailscale manage their own chains automatically.
-# This file captures non-Docker, non-Tailscale rules only.
+# This file captures non-Docker, non-Tailscale INPUT rules only.
 #
 # Mail ports (25,80,110,143,443,465,587,993,995) are exposed via
-# Docker port mappings in the poste-io docker-compose.yml — not here.
+# Docker port mappings — traffic goes through FORWARD, not INPUT.
 
 *filter
-:INPUT ACCEPT [0:0]
+:INPUT DROP [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+
+# Allow loopback
+-A INPUT -i lo -j ACCEPT
+
+# Allow established and related connections
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# Allow all traffic on Tailscale interface
+-A INPUT -i tailscale0 -j ACCEPT
+
+# Allow SSH (public access — fail2ban provides brute-force protection)
+-A INPUT -p tcp --dport 22 -j ACCEPT
+
+# Allow ICMP (ping)
+-A INPUT -p icmp -j ACCEPT
+
+{% for rule in firewall_alpine_extra_input_rules | default([]) %}
+{{ rule }}
+{% endfor %}
 COMMIT