hudecof.ferm
Ferm / iptables Management
This role manages iptables using a tool called ferm.
Since it's difficult to create a one-size-fits-all template for iptables, this role takes user-defined ferm configuration snippets and uses them to create the ruleset for iptables on the server.
Requirements
- ansible: 2.1 or higher
- Redhat/CentOS: EPEL repository
- Ubuntu: multiverse repository
Role Variables
OS-Specific Variables
Some variables depend on the operating system. These are located in vars/os-<OS>.yml files.
General Variables
ferm_directory
: The directory for ferm configuration, default is /etc/ferm
ferm_service_state
: Determines if the ferm service should be started
ferm_service_enabled
: Determines if the ferm service should run at boot
Firewall Rules
ferm_rules_directory
: The location where firewall rules files are stored, default is the playbook templates directory
ferm_net_mngt
: List of management networks, defaults to allowing any connection
ferm_domains
: Which IP version to generate rules for, defaults to IPv4 and IPv6
ferm_rules
: List of rules to apply. The default only allows SSH and ICMP connections
You can use ferm’s templating engine to generate rules for both IPv4 and IPv6. While it's still your responsibility to write the rules, you will have full control over them.
Example
Host/Group Variables
ferm_rules_directory: "{{ playbook_dir }}/files/ferm"
ferm_rules:
  - vars
  - default_rules
  - connection_tracking
  - input_icmp
  - management
  - service_zabbix-agent
In this example, you need to create the following files:
{{ playbook_dir }}/files/ferm/rules/vars.conf.j2
{{ playbook_dir }}/files/ferm/rules/default_rules.conf.j2
...
Make sure to adjust ferm_rules in group_vars or host_vars for each group or server as needed.
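As an added illustration of what one of the rule files listed above might contain (this is a constructed example, not a template shipped with the hudecof.ferm role), here is a possible files/ferm/rules/service_zabbix-agent.conf.j2 that admits Zabbix agent traffic only from the management networks. It assumes that ferm_net_mngt is a list of CIDR strings, that ferm_domains holds ferm's own domain names ip and ip6, and that the role renders the template with the play variables in scope, as Ansible's template module normally does. Because an IPv4 source address under the ip6 domain (or vice versa) is a ferm parse error, the template filters the management networks by address family for each domain before emitting a rule.

```jinja
{# Constructed example, not part of the hudecof.ferm role.
   Assumed location: files/ferm/rules/service_zabbix-agent.conf.j2 under playbook_dir.
   Assumes ferm_net_mngt is a list of CIDR strings and ferm_domains contains
   ferm's domain names ("ip", "ip6"); play variables are assumed to be in scope. #}
{% for domain in ferm_domains %}
domain {{ domain }} table filter chain INPUT {
{# Only networks of the matching address family: a ':' marks an IPv6 prefix #}
{%   for net in ferm_net_mngt if (':' in net) == (domain == 'ip6') %}
    # Zabbix agent (passive checks, TCP/10050) from management network {{ net }}
    saddr {{ net }} proto tcp dport 10050 ACCEPT;
{%   endfor %}
}
{% endfor %}
```

If ferm_net_mngt contains no network of a given family, the corresponding chain block is rendered empty and no ACCEPT rule is produced for that family, so the agent port stays governed by whatever policy the other rule files (for example default_rules) establish; check the generated ruleset with iptables -S and ip6tables -S after the first run to confirm the rules landed in the domains you expect.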
Playbook
With the ferm variables defined in your group_vars/all, the playbook applying the role could look like this:
- hosts: ferm
  roles:
    - hudecof.ferm
Dependencies
None
License
BSD
Author Information
Peter Hudec
ansible-galaxy install hudecof.ferm