Awesome Open Source
Awesome Open Source

Ansible Role: Firewall (iptables)

CI

Installs an iptables-based firewall for Linux. Supports both IPv4 (iptables) and IPv6 (ip6tables).

This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of iptables and/or firewalls in general, this role should be a good starting point for a secure system firewall.

After the role is run, a firewall init service will be available on the server. You can use service firewall [start|stop|restart|status] to control the firewall.

Requirements

None.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

firewall_state: started
firewall_enabled_at_boot: true

Controls the state of the firewall service; whether it should be running (firewall_state) and/or enabled on system boot (firewall_enabled_at_boot).

firewall_flush_rules_and_chains: true

Whether to flush all rules and chains whenever the firewall is restarted. Set this to false if there are other processes managing iptables (e.g. Docker).

firewall_allowed_tcp_ports:
  - "22"
  - "80"
  ...
firewall_allowed_udp_ports: []

A list of TCP or UDP ports (respectively) to open to incoming traffic.

firewall_forwarded_tcp_ports:
  - { src: "22", dest: "2222" }
  - { src: "80", dest: "8080" }
firewall_forwarded_udp_ports: []

Forward src port to dest port, either TCP or UDP (respectively).

firewall_additional_rules: []
firewall_ip6_additional_rules: []

Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. iptables [rule]/ip6tables [rule]). A few examples of how this could be used:

# Allow only the IP 167.89.89.18 to access port 4949 (Munin).
firewall_additional_rules:
  - "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT"

# Allow only the IP 214.192.48.21 to access port 3306 (MySQL).
firewall_additional_rules:
  - "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT"

See Iptables Essentials: Common Firewall Rules and Commands for more examples.

firewall_log_dropped_packets: true

Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: ").

firewall_disable_firewalld: false
firewall_disable_ufw: false

Set to true to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively.

firewall_enable_ipv6: true

Set to false to disable configuration of ip6tables (for example, if your GRUB_CMDLINE_LINUX contains ipv6.disable=1).

Dependencies

None.

Example Playbook

- hosts: server
  vars_files:
    - vars/main.yml
  roles:
    - { role: geerlingguy.firewall }

Inside vars/main.yml:

firewall_allowed_tcp_ports:
  - "22"
  - "25"
  - "80"

TODO

  • Make outgoing ports more configurable.
  • Make other firewall features (like logging) configurable.

License

MIT / BSD

Author Information

This role was created in 2014 by Jeff Geerling, author of Ansible for DevOps.


Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Shell (232,728
Linux (16,549
Security (8,738
Ansible (6,821
Ubuntu (3,350
Debian (1,969
Centos (759
Firewall (620
Role (590
Fedora (500
Rules (390
Iptables (340
Rhel (145
Related Projects