geerlingguy.firewall

Ansible Role: Firewall (iptables)

This role sets up a simple firewall for Linux using iptables, which works for both IPv4 (iptables) and IPv6 (ip6tables).

The firewall is straightforward and only allows a few specific ports for incoming connections. You can customize which ports to open using Ansible variables. If you have basic knowledge of iptables or firewalls, this role is a great start for securing your system.

After running this role, a firewall service will be available on the server. You can control it with the command service firewall [start|stop|restart|status].

Requirements

None.

Role Variables

Here are the available variables with their default values (found in defaults/main.yml):

firewall_state: started
firewall_enabled_at_boot: true

These control whether the firewall service is running (firewall_state) and whether it starts automatically when the system boots (firewall_enabled_at_boot).

firewall_flush_rules_and_chains: true

This decides whether all rules and chains are flushed every time the firewall restarts. Set it to false if another tool (such as Docker) also manages iptables rules, so that its rules are not wiped.

firewall_template: firewall.bash.j2

This specifies the template for generating the firewall rules.

firewall_allowed_tcp_ports:
  - "22"
  - "80"
firewall_allowed_udp_ports: []

These are the lists of TCP and UDP ports on which incoming connections are allowed.

firewall_forwarded_tcp_ports:
  - { src: "22", dest: "2222" }
  - { src: "80", dest: "8080" }
firewall_forwarded_udp_ports: []

Each entry forwards traffic arriving on the source (src) port to the destination (dest) port, for TCP and UDP respectively.

firewall_additional_rules: []
firewall_ip6_additional_rules: []

This allows you to add extra custom rules to the firewall (firewall_additional_rules for iptables, firewall_ip6_additional_rules for ip6tables). Each entry is a complete command, for example:

firewall_additional_rules:
  # Only allow IP 167.89.89.18 to access port 4949 (Munin).
  - "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT"
  # Only allow IP 214.192.48.21 to access port 3306 (MySQL).
  - "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT"

Check out Iptables Essentials: Common Firewall Rules and Commands for more examples.

firewall_log_dropped_packets: true

When true, dropped packets are logged to syslog with a message prefixed "Dropped by firewall: ".

firewall_disable_firewalld: false
firewall_disable_ufw: false

Set these to true to disable firewalld (default on RHEL/CentOS) or ufw (default on Ubuntu).

firewall_enable_ipv6: true

Set to false to stop configuring ip6tables (for example, if your GRUB_CMDLINE_LINUX has ipv6.disable=1).
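As an added illustration (not the role's own firewall.bash.j2 template), the POSIX shell function below prints, as a dry run, the iptables commands that the variables above imply: flush, loopback and established-connection allowances, the allowed and forwarded ports, a rate-limited LOG rule with the "Dropped by firewall: " prefix, and a final DROP. The sample values are constructed to match the README defaults; the rate limit on the LOG rule is this example's choice.

```shell
#!/bin/sh
# Dry-run renderer: prints iptables commands instead of executing them,
# so it can be run without root. Illustrative only, not the role's template.
set -eu

# Constructed sample values mirroring the README defaults.
ALLOWED_TCP="22 80"
ALLOWED_UDP=""
FORWARDED_TCP="22:2222 80:8080"   # src:dest pairs
LOG_DROPPED=true

render_rules() {
  # firewall_flush_rules_and_chains: true -> start from an empty rule set.
  echo "iptables -F"
  echo "iptables -X"
  # Keep loopback and already-established connections working before
  # anything is dropped; otherwise an SSH session can lock itself out.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # firewall_allowed_tcp_ports / firewall_allowed_udp_ports
  for p in $ALLOWED_TCP; do
    echo "iptables -A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
  done
  for p in $ALLOWED_UDP; do
    echo "iptables -A INPUT -p udp -m udp --dport $p -j ACCEPT"
  done
  # firewall_forwarded_tcp_ports: redirect src port to dest port in the nat table.
  for pair in $FORWARDED_TCP; do
    src=${pair%%:*}; dest=${pair##*:}
    echo "iptables -t nat -I PREROUTING -p tcp --dport $src -j REDIRECT --to-port $dest"
  done
  # firewall_log_dropped_packets: log what reaches the end of INPUT. The
  # rate limit (example's choice) keeps a flood from filling syslog.
  if [ "$LOG_DROPPED" = true ]; then
    echo "iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix \"Dropped by firewall: \""
  fi
  # Default deny: anything not matched above is dropped.
  echo "iptables -A INPUT -j DROP"
}

# Number of ACCEPT rules rendered (loopback, conntrack, plus one per allowed port).
count_accept_rules() { render_rules | grep -c -- '-j ACCEPT'; }

render_rules
```

Because the output is plain text, it can be diffed against `iptables-save` on a host to spot rules the role did not create.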

Dependencies

None.

Example Playbook

- hosts: server
  vars_files:
    - vars/main.yml
  roles:
    - { role: geerlingguy.firewall }

In vars/main.yml:

firewall_allowed_tcp_ports:
  - "22"
  - "25"
  - "80"

License

MIT / BSD

Author Information

This role was created in 2014 by Jeff Geerling, the author of Ansible for DevOps.

Project information

Simple iptables firewall for most Unix-like systems.

Install
ansible-galaxy install geerlingguy.firewall
License
mit
Downloads
1.2M