ricsanfre.firewall
# Ansible Role: Firewall

This Ansible role installs and configures a firewall on Linux using nftables.
## Requirements

No special requirements.
## Role Variables

Here are the available variables and their default values (found in `defaults/main.yaml`):

### NAT and Traffic Forwarding

- `firewall_forward_enabled`: Turn on or off traffic forwarding for the host. [default: `false`]
- `firewall_nat_enabled`: Turn on or off NAT for the host. [default: `false`]

### Default Open Ports

- `in_tcp_port`: Allowed incoming TCP ports. [default: `{ ssh }`]
- `in_udp_port`: Allowed incoming UDP ports. [default: `{ snmp }`]
- `out_tcp_port`: Allowed outgoing TCP ports. [default: `{ http, https, ssh }`]
- `out_udp_port`: Allowed outgoing UDP ports. [default: `{ domain, bootps, ntp }`]
### Rules Dictionaries

Each chain in the ip table (input, output, forward) and nat table (nat-prerouting and nat-postrouting) has nft rules stored in dictionaries, which can be overwritten at group and host levels.

| Define | Sets | Global Chain |
|---|---|---|
| `nft_define_default` | `nft_set_default` | `nft_global_default` |
| `nft_define_group` | `nft_set_group` | `nft_global_group_rules` |
| `nft_define_host` | `nft_set_host` | `nft_global_host_rules` |

#### IP Table Rules

| Input Chain | Output Chain | Forward Chain |
|---|---|---|
| `nft_input_default_rules` | `nft_output_default_rules` | `nft_forward_default_rules` |
| `nft_input_group_rules` | `nft_output_group_rules` | `nft_forward_group_rules` |
| `nft_input_host_rules` | `nft_output_host_rules` | `nft_forward_host_rules` |

#### NAT Table Rules

| Prerouting Chain | Postrouting Chain |
|---|---|
| `nft_nat_default_prerouting_rules` | `nft_nat_default_postrouting_rules` |
| `nft_nat_group_prerouting_rules` | `nft_nat_group_postrouting_rules` |
| `nft_nat_host_prerouting_rules` | `nft_nat_host_postrouting_rules` |
Rules are applied in alphabetical order of their dictionary keys, so the numeric prefix on each key (for example `050 icmp`, `220 input web accepted`) determines where a rule lands in the chain and keeps the generated ruleset deterministic.
## Default nftables Configuration

This role will create the following configuration file, `/etc/nftables.conf`:

```nft
#!/usr/sbin/nft -f
# Ansible managed

# clean
flush ruleset

include "/etc/nftables.d/defines.nft"

table inet filter {
    chain global {
        # 000 state management
        ct state established,related accept
        ct state invalid drop
    }
    include "/etc/nftables.d/sets.nft"
    include "/etc/nftables.d/filter-input.nft"
    include "/etc/nftables.d/filter-output.nft"
}
```

The configuration files for sets and rules will be automatically generated.
## Dependencies

No dependencies needed.
## Example Playbooks

### Apply Default Rules

To install and configure a firewall with default rules on a host:

```yaml
- hosts: serverx
  roles:
    - ricsanfre.firewall
```

You can override default rules in `group_vars/all.yml`.

### Modify Default Rules at Group Level

To allow HTTP traffic for the `webservers` group:

```yaml
in_tcp_port: { ssh, http }
```

### Modify Defaults and Group Rules at Host Level

To open HTTPS traffic for the `secureweb` host:

```yaml
nft_input_group_rules:
  220 input web accepted: []
  230 input secure web accepted:
    - tcp dport https ct state new accept
```

### Default Rules can be Deleted

To disable ICMP incoming traffic:

```yaml
nft_input_host_rules:
  050 icmp: []
```
### Summary

Local host rules will overwrite group rules, and group rules will overwrite default rules.
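The precedence and ordering described in the Rules Dictionaries section and the host-level examples above, modelled as an added example that is not part of the role's own code: the three rule dictionaries are merged with host winning over group over default, a key set to `[]` removes the rule, and the surviving keys are emitted in alphabetical order. The sample rule bodies, the `drop` policy and the chain header line are constructed assumptions; only the key names come from the page.

```python
from typing import Dict, List

Rules = Dict[str, List[str]]

# Constructed sample dictionaries (assumptions; the role's real defaults live
# in its defaults/main.yaml and are not reproduced on the page).
NFT_INPUT_DEFAULT_RULES: Rules = {
    "050 icmp": ["ip protocol icmp accept"],
    "200 input tcp accepted": ["tcp dport { ssh } ct state new accept"],
}
NFT_INPUT_GROUP_RULES: Rules = {
    "220 input web accepted": ["tcp dport http ct state new accept"],
}
# Host level, as in the README's secureweb example: the empty list removes
# the group's HTTP rule and a new key adds the HTTPS rule.
NFT_INPUT_HOST_RULES: Rules = {
    "220 input web accepted": [],
    "230 input secure web accepted": ["tcp dport https ct state new accept"],
}


def merge_rules(default: Rules, group: Rules, host: Rules) -> Rules:
    """Later levels win on key collisions: host > group > default."""
    merged: Rules = {}
    for level in (default, group, host):
        merged.update(level)
    return merged


def active_keys(rules: Rules) -> List[str]:
    """Keys that still carry rules, in the alphabetical order they are applied."""
    return [key for key in sorted(rules) if rules[key]]


def render_chain(name: str, rules: Rules, policy: str = "drop") -> str:
    """Render one chain of 'table inet filter' as nft text (layout is an assumption)."""
    lines = [
        f"chain {name} {{",
        f"    type filter hook {name} priority 0; policy {policy};",
        "    jump global",  # shared state-management chain from nftables.conf
    ]
    for key in active_keys(rules):
        lines.append(f"    # {key}")
        lines.extend(f"    {rule}" for rule in rules[key])
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge_rules(NFT_INPUT_DEFAULT_RULES, NFT_INPUT_GROUP_RULES, NFT_INPUT_HOST_RULES)
    print(render_chain("input", merged))
```

Running it prints an `input` chain that keeps the ICMP and SSH rules, drops the group's HTTP rule, and adds the HTTPS rule last; the same merge applied with `{"050 icmp": []}` at host level reproduces the README's ICMP-disabling example.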
## License

MIT/BSD

## Author Information

Ricardo Sanchez (ricsanfre)
Nftables-based firewall installation and configuration role. Install it from Ansible Galaxy with:

```shell
ansible-galaxy install ricsanfre.firewall
```