Role Detail

geerlingguy.firewall

Simple iptables firewall for most Unix-like systems.
Downloads: 33761
Type: Ansible
Minimum Ansible Version: 2.0
Installation: $ ansible-galaxy install geerlingguy.firewall
Tags: networking, security, system
Last Commit: 2017-07-17 04:53:04 AM UTC
Last Imported: 2017-10-20 11:16:11 AM UTC
Version History
Version Release Date
2.3.0 2017-07-17 04:53:04 AM
2.2.2 2017-07-17 04:48:04 AM
2.2.1 2017-04-28 19:34:07 PM
2.2.0 2017-04-02 15:54:03 PM
2.1.2 2017-03-22 04:26:04 AM
2.1.1 2017-03-06 21:31:09 PM
2.1.0 2017-01-22 20:30:08 PM
2.0.2 2017-01-10 19:49:07 PM
2.0.1 2016-12-30 23:40:11 PM
2.0.0 2016-12-09 15:27:03 PM
1.3.1 2016-11-09 15:18:03 PM
1.3.0 2016-11-02 20:05:08 PM
1.2.0 2016-11-02 19:54:07 PM
1.1.0 2016-09-01 01:32:01 AM
1.0.9 2016-01-18 02:48:02 AM
1.0.8 2016-01-12 15:40:03 PM
1.0.7 2016-01-12 15:17:03 PM
1.0.6 2015-05-18 17:57:05 PM
1.0.5 2015-03-02 16:23:04 PM
1.0.4 2015-01-29 04:38:04 AM
1.0.3 2014-05-09 15:17:03 PM
1.0.2 2014-03-27 04:37:04 AM
1.0.1 2014-03-27 04:33:04 AM
1.0.0 2014-03-04 04:32:04 AM
Supported Platforms
Platform Version
Debian etch
Debian jessie
Debian lenny
Debian sid
Debian squeeze
Debian stretch
Debian wheezy
EL 5
EL 6
EL 7
Ubuntu artful
Ubuntu lucid
Ubuntu maverick
Ubuntu natty
Ubuntu oneiric
Ubuntu precise
Ubuntu quantal
Ubuntu raring
Ubuntu saucy
Ubuntu trusty
Ubuntu utopic
Ubuntu vivid
Ubuntu wily
Ubuntu xenial
Ubuntu yakkety
Ubuntu zesty

Ansible Role: Firewall (iptables)

Installs an iptables-based firewall for Linux. Supports both IPv4 (iptables) and IPv6 (ip6tables).

This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of iptables and/or firewalls in general, this role should be a good starting point for a secure system firewall.

After the role is run, a firewall init service will be available on the server. You can use service firewall [start|stop|restart|status] to control the firewall.

Requirements

None.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

firewall_state: started
firewall_enabled_at_boot: true

Controls the state of the firewall service; whether it should be running (firewall_state) and/or enabled on system boot (firewall_enabled_at_boot).

firewall_allowed_tcp_ports:
  - "22"
  - "80"
  ...
firewall_allowed_udp_ports: []

A list of TCP or UDP ports (respectively) to open to incoming traffic.

firewall_forwarded_tcp_ports:
  - { src: "22", dest: "2222" }
  - { src: "80", dest: "8080" }
firewall_forwarded_udp_ports: []

Forward incoming traffic on port src to port dest, for TCP or UDP (respectively).

firewall_additional_rules: []
firewall_ip6_additional_rules: []

Any additional (custom) rules to be added to the firewall, written exactly as you would enter them on the command line (e.g. iptables [rule] / ip6tables [rule] for IPv4 and IPv6 respectively). A few examples of how this could be used:

# Allow only the IP 167.89.89.18 to access port 4949 (Munin).
firewall_additional_rules:
  - "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT"

# Allow only the IP 214.192.48.21 to access port 3306 (MySQL).
firewall_additional_rules:
  - "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT"

See Iptables Essentials: Common Firewall Rules and Commands for more examples.
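A check worth running after the role has applied its rules, added here as an example and not part of the role or its README: a POSIX shell audit that parses the output of iptables -S INPUT and lists every port ACCEPTed from any source. A port you meant to restrict with a source-limited rule in firewall_additional_rules, but also listed in firewall_allowed_tcp_ports, shows up here because the unrestricted ACCEPT matches first. The sample ruleset below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output (assumption: resembles what the
# role's defaults plus the README's additional rules would produce). Port 3306 is
# both opened to everyone and restricted to one source, which is the mistake to catch.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 214.192.48.21/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 167.89.89.18/32 -p tcp -m tcp --dport 4949 -j ACCEPT
-A INPUT -j LOG --log-prefix "Dropped by firewall: "'

# world_open_ports RULES: print, sorted and one per line, every --dport that is
# ACCEPTed without a -s source match (i.e. open to the whole world).
world_open_ports() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / && / -j ACCEPT/ && / --dport / && !/ -s / {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }' | sort -n | uniq
}

# check_restricted RULES PORT: return 0 only if PORT is not accepted from any
# source, so a source-restricted rule for it is actually effective.
check_restricted() {
  world_open_ports "$1" | grep -qx "$2" && return 1
  return 0
}

# On a live host replace SAMPLE_RULES with "$(iptables -S INPUT)".
echo "Ports open to every source:"
world_open_ports "$SAMPLE_RULES"
check_restricted "$SAMPLE_RULES" 3306 \
  || echo "WARNING: 3306 is open to all; remove it from firewall_allowed_tcp_ports"
```

Run the same check against ip6tables -S INPUT for the rules in firewall_ip6_additional_rules.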

firewall_log_dropped_packets: true

Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: ").

firewall_disable_firewalld: false
firewall_disable_ufw: false

Set to true to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively.

Dependencies

None.

Example Playbook

- hosts: server
  vars_files:
    - vars/main.yml
  roles:
    - { role: geerlingguy.firewall }

Inside vars/main.yml:

firewall_allowed_tcp_ports:
  - "22"
  - "25"
  - "80"

TODO

  • Make outgoing ports more configurable.
  • Make other firewall features (like logging) configurable.

License

MIT / BSD

Author Information

This role was created in 2014 by Jeff Geerling, author of Ansible for DevOps.