{"id":13540151,"url":"https://github.com/geerlingguy/ansible-role-firewall","last_synced_at":"2025-04-14T08:52:30.086Z","repository":{"id":14671314,"uuid":"17390170","full_name":"geerlingguy/ansible-role-firewall","owner":"geerlingguy","description":"Ansible Role - iptables Firewall configuration.","archived":false,"fork":false,"pushed_at":"2025-01-31T03:25:06.000Z","size":87,"stargazers_count":552,"open_issues_count":6,"forks_count":226,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-04-07T01:09:08.508Z","etag":null,"topics":["ansible","centos","debian","fedora","firewall","iptables","linux","rhel","role","rules","security","ubuntu"],"latest_commit_sha":null,"homepage":"https://galaxy.ansible.com/geerlingguy/firewall/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/geerlingguy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"geerlingguy","patreon":"geerlingguy"}},"created_at":"2014-03-04T04:19:37.000Z","updated_at":"2025-04-06T21:36:28.000Z","dependencies_parsed_at":"2024-01-14T16:11:02.558Z","dependency_job_id":"7e018986-af08-486b-a7d9-c1d068fce8eb","html_url":"https://github.com/geerlingguy/ansible-role-firewall","commit_stats":null,"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-firewall/tags","releases_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/geerlingguy","download_url":"https://codeload.github.com/geerlingguy/ansible-role-firewall/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248852078,"owners_count":21171838,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","centos","debian","fedora","firewall","iptables","linux","rhel","role","rules","security","ubuntu"],"created_at":"2024-08-01T09:01:41.479Z","updated_at":"2025-04-14T08:52:30.064Z","avatar_url":"https://github.com/geerlingguy.png","language":"Shell","funding_links":["https://github.com/sponsors/geerlingguy","https://patreon.com/geerlingguy"],"categories":["Shell","Tools","ubuntu","Security"],"sub_categories":["Firewall\u0026\u0026FireWall","Caching"],"readme":"# Ansible Role: Firewall (iptables)\n\n[![CI](https://github.com/geerlingguy/ansible-role-firewall/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-firewall/actions/workflows/ci.yml)\n\nInstalls an iptables-based firewall for Linux. 
Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`).\n\nThis firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall.\n\nAfter the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall.\n\n## Requirements\n\nNone.\n\n## Role Variables\n\nAvailable variables are listed below, along with default values (see `defaults/main.yml`):\n\n```yaml\nfirewall_state: started\nfirewall_enabled_at_boot: true\n```\n\nControls the state of the firewall service; whether it should be running (`firewall_state`) and/or enabled on system boot (`firewall_enabled_at_boot`).\n\n```yaml\nfirewall_flush_rules_and_chains: true\n```\n\nWhether to flush all rules and chains whenever the firewall is restarted. Set this to `false` if there are other processes managing iptables (e.g. Docker).\n\n```yaml\nfirewall_template: firewall.bash.j2\n```\n\nThe template to use when generating firewall rules.\n\n```yaml\nfirewall_allowed_tcp_ports:\n  - \"22\"\n  - \"80\"\n  ...\nfirewall_allowed_udp_ports: []\n```\n\nA list of TCP or UDP ports (respectively) to open to incoming traffic.\n\n```yaml\nfirewall_forwarded_tcp_ports:\n  - { src: \"22\", dest: \"2222\" }\n  - { src: \"80\", dest: \"8080\" }\nfirewall_forwarded_udp_ports: []\n```\n\nForward `src` port to `dest` port, either TCP or UDP (respectively).\n\n```yaml\nfirewall_additional_rules: []\nfirewall_ip6_additional_rules: []\n```\n\nAny additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). 
A few examples of how this could be used (both rules go in one list; a second `firewall_additional_rules` key in the same YAML file would override the first):\n\n```yaml\nfirewall_additional_rules:\n  # Allow only the IP 167.89.89.18 to access port 4949 (Munin).\n  - \"iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT\"\n  # Allow only the IP 214.192.48.21 to access port 3306 (MySQL).\n  - \"iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT\"\n```\n\nA source-restricted rule like these only restricts access if the port is *not* also listed in `firewall_allowed_tcp_ports`, which opens it to every source. An IPv4 `-s` address means nothing to `ip6tables`, so if the service must also be reachable over IPv6 from a specific address, add the matching `ip6tables` rule to `firewall_ip6_additional_rules`.\n\nSee [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) for more examples.\n\n```yaml\nfirewall_log_dropped_packets: true\n```\n\nWhether to log dropped packets to syslog (messages will be prefixed with \"Dropped by firewall: \").\n\n```yaml\nfirewall_disable_firewalld: false\nfirewall_disable_ufw: false\n```\n\nSet to `true` to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively.\n\n```yaml\nfirewall_enable_ipv6: true\n```\n\nSet to `false` to disable configuration of ip6tables (for example, if your `GRUB_CMDLINE_LINUX` contains `ipv6.disable=1`).\n\n## Dependencies\n\nNone.\n\n## Example Playbook\n\n```yaml\n- hosts: server\n  vars_files:\n    - vars/main.yml\n  roles:\n    - { role: geerlingguy.firewall }\n```\n\n*Inside `vars/main.yml`*:\n\n```yaml\nfirewall_allowed_tcp_ports:\n  - \"22\"\n  - \"25\"\n  - \"80\"\n```\n\n## License\n\nMIT / BSD\n\n## Author Information\n\nThis role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeerlingguy%2Fansible-role-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgeerlingguy%2Fansible-role-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeerlingguy%2Fansible-role-firewall/lists"}
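After the role has run, the check a practitioner wants is that the live `INPUT` chain really contains only the ports and source restrictions given in the role variables. The script below is an added example and not part of the role: it parses `iptables -S INPUT` output and reports which TCP ports are accepted from any source but are missing from your allow-list, which ports are restricted to a source address, and whether the chain falls through to DROP. The sample chain is constructed to resemble what those variables would produce (loopback and ESTABLISHED accepts, one ACCEPT per port, the `Dropped by firewall: ` log rule, a final DROP) and is an assumption about the generated rules, not output captured from the role; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Audit an iptables INPUT chain (as printed by `iptables -S INPUT`) against the
# port allow-list handed to the role. Example code, not the role's own; the
# rule shapes below are assumed, not copied from the role's template.
set -u

# Constructed sample chain: 22 and 80 were in the allow-list, 4949 was a
# source-restricted additional rule, and 8080 is an ACCEPT nobody asked for.
SAMPLE_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 167.89.89.18/32 -p tcp -m tcp --dport 4949 -j ACCEPT
-A INPUT -j LOG --log-prefix "Dropped by firewall: "
-A INPUT -j DROP'

# Print TCP dports accepted from any source (no -s match), one per line.
accepted_tcp_ports_any_source() {
  awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ && !/ -s / {
         for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1)
       }'
}

# Print TCP dports accepted only from a specific source, as "port source".
accepted_tcp_ports_by_source() {
  awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ && / -s / {
         p = ""; s = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "--dport") p = $(i+1)
           if ($i == "-s") s = $(i+1)
         }
         if (p != "") print p, s
       }'
}

# $1 = space-separated allow-list (the firewall_allowed_tcp_ports values),
# stdin = the chain. Prints every world-reachable TCP port not in the list.
unexpected_open_tcp_ports() {
  allowed=" $1 "
  accepted_tcp_ports_any_source | while read -r port; do
    case "$allowed" in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
}

# Succeeds if INPUT has a DROP policy or ends with an explicit DROP rule.
has_default_drop() {
  grep -qE '^(-P INPUT DROP|-A INPUT -j DROP)$'
}

# Demo on the constructed chain; on a real host replace the printf with
#   iptables -S INPUT | unexpected_open_tcp_ports "22 80"
printf '%s\n' "$SAMPLE_CHAIN" | unexpected_open_tcp_ports "22 80"
```

Any line printed by `unexpected_open_tcp_ports` is a port your allow-list does not account for (the constructed `8080` rule here), which usually means another process is adding rules and `firewall_flush_rules_and_chains` needs a second look. Run the same audit against `ip6tables -S INPUT` when `firewall_enable_ipv6` is true; the IPv4-only `-s` rules will not appear there.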