ernestas-poskus.iptables
ansible-iptables for Internal and External Network Firewall Setup
Installation
To install the role, run the following command:
ansible-galaxy install ernestas-poskus.iptables
Requirements
None.
Dependencies
None.
Role Variables
Here are the main variables you can set:
---
# Default firewall settings for ansible-iptables
##########################
# IPv4 Configuration
##########################
# Default action for incoming traffic
iptables_initial_input_action: DROP
# Default action for forwarded traffic
iptables_initial_forward_action: ACCEPT
# Default action for outgoing traffic
iptables_initial_output_action: ACCEPT
# Allow localhost connections
iptables_allow_loopback: true
# Allow established and related connections
iptables_allow_established_connections: true
# Allow DNS requests
iptables_allow_dns: false
# Allow NTP for time syncing
iptables_allow_ntp: true
# Allow ICMP ping
iptables_allow_icmp: true
# Internal network: list of IP addresses, or of inventory hostnames when
# iptables_internal_ips_from_hosts is true (see Example 1 below)
iptables_internal_network: []
# Resolve the entries of iptables_internal_network as inventory hosts
# instead of treating them as literal IPs
iptables_internal_ips_from_hosts: false
# Interface for internal hosts
iptables_internal_hosts_interface: "{{ ansible_default_ipv4.interface }}"
# Internal network ports
iptables_internal_ports:
- '1024:65535'
- '111' # Portmapper
- '161:162' # SNMP
- '22' # SSH
# Internal network protocols
iptables_internal_protocols:
- 'tcp'
- 'udp'
# External network configuration
iptables_external_ports:
- '22' # SSH
# External network protocols
iptables_external_protocols:
- 'tcp'
# Additional rules for iptables
iptables_additional_rules: []
# Log dropped packets
iptables_log_dropped_packets: false
# Rate limit for logging dropped packets (log entries per minute)
iptables_log_dropped_limit: 15
# Logging level for dropped packets
iptables_log_logging_level: 4
##########################
# IPv6 Configuration
##########################
# Settings similar to IPv4, but for IPv6
iptables6_initial_input_action: DROP
iptables6_initial_forward_action: ACCEPT
iptables6_initial_output_action: ACCEPT
iptables6_allow_loopback: true
iptables6_allow_established_connections: true
iptables6_allow_dns: false
iptables6_allow_ntp: true
iptables6_allow_icmp: true
iptables6_internal_network: []
iptables6_internal_ips_from_hosts: false
iptables6_internal_hosts_interface: "{{ ansible_default_ipv4.interface }}"
iptables6_internal_ports:
- '1024:65535'
- '111' # Portmapper
- '161:162' # SNMP
- '22' # SSH
iptables6_internal_protocols:
- 'tcp'
- 'udp'
iptables6_external_ports:
- '22' # SSH
iptables6_external_protocols:
- 'tcp'
iptables6_additional_rules: []
iptables6_log_dropped_packets: false
iptables6_log_dropped_limit: 15
iptables6_log_logging_level: 4
# NAT settings
iptables_nat_prerouting: ACCEPT
iptables_nat_output: ACCEPT
iptables_nat_postrouting: ACCEPT
iptables4_nat_additional_rules: []
iptables6_nat_additional_rules: []
Example Playbook
Here are two examples of how to configure iptables.
Example 1: Internal Network from Hosts
- name: Configuring iptables
  hosts: all
  become: yes
  roles:
    - role: ernestas-poskus.iptables
      iptables_internal_network: "{{ groups['all'] }}"
      iptables_internal_ips_from_hosts: true # Must be enabled when the list holds inventory hosts rather than IPs
      iptables_log_dropped_packets: true
      iptables_log_dropped_limit: 1
Example 2: Internal Network from IP List
- name: Configuring iptables
  hosts: all
  become: yes
  roles:
    - role: ernestas-poskus.iptables
      iptables_internal_network:
        - 192.168.0.1
        - 192.168.0.2
        - 192.168.0.3
      iptables_log_dropped_packets: true
      iptables_log_dropped_limit: 1
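Once one of these playbooks has run, check the ruleset the host actually loaded instead of trusting the variables. The POSIX shell script below is an added example written for this page, not code from the ernestas-poskus.iptables role. It parses iptables-save output and flags an INPUT policy other than DROP, a missing loopback or ESTABLISHED,RELATED rule, and any port accepted from every source that is not on an approved list. The embedded dump is constructed by hand to approximate the defaults above (INPUT DROP, loopback, conntrack, SSH open externally, internal hosts on the listed ports) plus one deliberately wrong rule that opens 3306/tcp to the world; the rules the role renders may use different match syntax, so the patterns are intentionally loose.

```shell
#!/bin/sh
# Post-apply sanity check for a host configured with the defaults above.
# Added example, not part of the ernestas-poskus.iptables role.

# Constructed iptables-save dump (hand-written, not the role's template
# output): INPUT DROP, loopback and established traffic accepted, SSH open
# to the world, internal hosts on the default ports, plus one rule that
# should NOT be there: 3306/tcp accepted from any source.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.0.1/32 -p tcp -m multiport --dports 1024:65535,111,161:162,22 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -p udp -m multiport --dports 1024:65535,111,161:162,22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m limit --limit 15/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
COMMIT'

# chain_policy RULES CHAIN -> prints the chain's default policy
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# has_rule RULES REGEX -> exit 0 if any line of the dump matches
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# world_open_ports RULES -> prints "port/proto" for every INPUT ACCEPT rule
# that carries a --dport/--dports but no -s source restriction
world_open_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && !/ -s / {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") port = $(i + 1)
            }
            if (port != "") print port "/" proto
        }'
}

# unexpected_ports RULES ALLOWED -> prints world-open ports not in ALLOWED
# (ALLOWED is a space-separated list such as "22/tcp 443/tcp")
unexpected_ports() {
    for p in $(world_open_ports "$1"); do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# audit RULES ALLOWED -> exit 0 if the ruleset matches expectations,
# otherwise print each finding and exit 1
audit() {
    rc=0
    [ "$(chain_policy "$1" INPUT)" = "DROP" ] || { echo "INPUT policy is not DROP"; rc=1; }
    has_rule "$1" '^-A INPUT -i lo -j ACCEPT' || { echo "loopback not allowed"; rc=1; }
    has_rule "$1" 'ESTABLISHED,RELATED -j ACCEPT' || { echo "ESTABLISHED,RELATED rule missing"; rc=1; }
    [ "$(chain_policy "$1" FORWARD)" = "ACCEPT" ] && \
        echo "note: FORWARD policy is ACCEPT (fine for a router; otherwise set iptables_initial_forward_action: DROP)"
    for p in $(unexpected_ports "$1" "$2"); do
        echo "unexpected world-reachable port: $p"; rc=1
    done
    return $rc
}

# Against a live host: audit "$(iptables-save)" "22/tcp"
if audit "$SAMPLE_RULES" "22/tcp"; then
    echo "ruleset OK"
else
    echo "ruleset needs attention"
fi
```

Run it as root on the target with the real dump, `audit "$(iptables-save)" "22/tcp"`, listing every port you intend to expose in the second argument. It reads only the IPv4 filter table; repeat with ip6tables-save to check the iptables6_* settings. The FORWARD line is informational: the role's default of ACCEPT suits a host that routes traffic, and a host that does not forward packets should set iptables_initial_forward_action: DROP.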
License
The software is provided under the BSD 3-Clause license, which permits redistribution and use in source and binary forms subject to its conditions. The copyright holder is Ernestas Poskus.
Author Information
Follow on Twitter: @ernestas_poskus