ISU-Ansible.firewall
Firewall
Role of the Firewall
Default Variables
Configuration
You can use either the configure_firewalld or configure_iptables variables to decide which service to set up. Choose only one of them.
IPTables Usage
This rule redirects traffic from port 80 to port 8080:
iptables_rules:
  - table: nat
    chain: PREROUTING
    # Quoted: a YAML value that starts with "{{" must be a string
    in_interface: "{{ ansible_default_ipv4.alias }}"
    protocol: tcp
    match: tcp
    destination_port: 80
    jump: REDIRECT
    to_ports: 8080
    comment: "Redirect port 80 to 8080"
This rule allows all established and related connections, helping to reduce filtering delays. The ctstate variable needs a list of states.
iptables_rules:
  - chain: INPUT
    ctstate:
      - ESTABLISHED
      - RELATED
    jump: ACCEPT
These rules allow SSH connections from the IP ranges 192.168/16 and 10.0/8.
iptables_rules:
  - chain: INPUT
    ctstate:
      - NEW
    protocol: tcp
    source: '10.0.0.0/8'
    table: filter
    destination_port: '22'
    jump: ACCEPT
  - chain: INPUT
    ctstate:
      - NEW
    protocol: tcp
    source: '192.168.0.0/16'
    table: filter
    destination_port: '22'
    jump: ACCEPT
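The source restriction on SSH only holds if no other INPUT rule accepts new connections without one. The audit below is an added example, not code from the role: it assumes the rules have been loaded into Python dicts using the same keys as iptables_rules, and the sample list, including its unrestricted fourth rule, is constructed.

```python
import ipaddress

# Constructed sample in the shape of the page's iptables_rules variable;
# the last entry is a deliberately loose rule added for the demonstration.
SAMPLE_RULES = [
    {"chain": "INPUT", "ctstate": ["ESTABLISHED", "RELATED"], "jump": "ACCEPT"},
    {"chain": "INPUT", "ctstate": ["NEW"], "protocol": "tcp", "table": "filter",
     "source": "10.0.0.0/8", "destination_port": "22", "jump": "ACCEPT"},
    {"chain": "INPUT", "ctstate": ["NEW"], "protocol": "tcp", "table": "filter",
     "source": "192.168.0.0/16", "destination_port": "22", "jump": "ACCEPT"},
    {"chain": "INPUT", "ctstate": ["NEW"], "protocol": "tcp", "table": "filter",
     "destination_port": "22", "jump": "ACCEPT"},
]


def admits_new_connections(rule):
    """True for filter/INPUT ACCEPT rules that can match a connection's first packet."""
    states = rule.get("ctstate")
    return (
        rule.get("table", "filter") == "filter"
        and rule.get("chain") == "INPUT"
        and rule.get("jump") == "ACCEPT"
        and (not states or "NEW" in states)
    )


def audit_rules(rules):
    """Return (index, message) findings for rules that admit traffic too broadly."""
    findings = []
    for i, rule in enumerate(rules):
        if not admits_new_connections(rule):
            continue
        port = rule.get("destination_port", "any")
        source = rule.get("source")
        if source is None:
            findings.append((i, f"port {port}: no source, open to every address"))
            continue
        try:
            net = ipaddress.ip_network(source)  # strict: host bits must be zero
        except ValueError:
            findings.append((i, f"port {port}: source {source!r} is not a valid CIDR"))
            continue
        if not net.is_private:
            findings.append((i, f"port {port}: source {net} is not a private range"))
    return findings


if __name__ == "__main__":
    for index, message in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {message}")
```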
Firewalld Usage
These settings will configure the firewalld service to allow SSH connections from the IP ranges 192.168/16 and 10.0/8:
firewalld_default_zone: public
firewalld_zone_interface: []
firewalld_zone_source:
  - zone: work
    source: 10.0.0.0/8
  - zone: work
    source: 192.168.0.0/16
firewalld_service_rules:
  - zone: work
    service: ssh
firewalld_port_rules: []
firewalld_rich_rules: []
You can also enable or disable any zones, interfaces, services, ports, or rich rules as needed.
Handlers
About the project
A customizable role for using iptables or firewalld
Install
ansible-galaxy install ISU-Ansible.firewall
License
gpl-2.0
Download
36.2k
Owner