ansible_role_iptables
ansible-role-iptables
iptables role to install and configure iptables on Linux
Ansible Role: iptables
An Ansible role that installs iptables and configures it. It is basically written for RHEL/CentOS but can be ported to other distributions.
Table of Contents
Description
This role will remove firewalld and install iptables and ensure it is enabled and started. The configuration is based on a restrictive firewall design which blocks most traffic by default. Be carefull when using it the first time! With the default Jinja2 Template only the Chains INPUT FORWARD and OUTPUT are used in the filter table. If the docker boolean may be used there will be also a DOCKER Chain in the tables filter and nat.
Requirements
- Ansible 2+
Role Variables
Basic Variables
Variables with defaults:
iptables_public_interface: eth0
iptables_template: 'iptables.j2'
iptables_tcp_rules:
- destinationport: 22
sourceaddress: '0.0.0.0/0'
comment: 'SSH from everywhere'
iptables_udp_rules:
- destinationport: 123
sourceaddress: '0.0.0.0/0'
comment: 'NTP from everywhere'
These are empty by default, you can set a allow all interconnect interface based on 10.10.20.0/24 network by defining a interface name with iptables_interconnect_interface
and if you have docker on your host you will need some extra rules which can be enabled using the host_use_docker
variable:
iptables_interconnect_interface: 'eth1'
iptables_interconnect_range: '10.10.10.0/24'
host_use_docker: 'true'
TCP Rules
Every exception in tcp can be added by listing each rule like this:
iptables_tcp_rules:
- destinationport: 80
sourceaddress: '1.2.3.0/24'
comment: 'HTTP from 1.2.3.0 network'
- destinationport: 443
sourceaddress: '1.2.3.0/24'
comment: 'HTTPS from 1.2.3.0 network'
- destinationport: 5666
sourceaddress: '1.2.3.4'
comment: 'NRPE communication from nagios server'
UDP Rules
Same for udp:
iptables_udp_rules:
- destinationport: 53
sourceaddress: '1.2.3.0/24'
comment: 'DNS from 1.2.3.0 network'
- destinationport: 67
sourceaddress: '1.2.3.4'
comment: 'DHCP client from 1.2.3.4 host'
Dependencies
None.
Example Playbook
Add to requirements.yml
:
---
- src: sloan87.iptables
...
Download:
$ ansible-galaxy install -r requirements.yml
Top-Level Playbook
Write a top-level playbook:
---
- name: worker server
hosts: worker
roles:
- role: sloan87.iptables
tags:
- firewall
- iptables
- network
- security
...
Role Dependency
Define the role dependency in meta/main.yml
:
---
dependencies:
- role: sloan87.iptables
tags:
- firewall
- iptables
- network
- security
...
License
MIT
Author Information
This role was created in 2017 by Ben Langenberg sloan87 at GitHub, HPC cluster systems administrator at the Helmholtz-Centre for Environmental Research GmbH - UFZ, role skel based on a draft by Christian Krause aka wookietreiber at GitHub.
removes firewalld and install iptables and configure it
ansible-galaxy install DirectorSloan/ansible-role-iptables