{"id":16709570,"url":"https://github.com/mrlesmithjr/ansible-ipset","last_synced_at":"2025-04-10T05:34:09.985Z","repository":{"id":142637108,"uuid":"117886289","full_name":"mrlesmithjr/ansible-ipset","owner":"mrlesmithjr","description":null,"archived":false,"fork":false,"pushed_at":"2021-04-23T16:59:56.000Z","size":47,"stargazers_count":16,"open_issues_count":1,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T06:51:47.678Z","etag":null,"topics":["ansible","ipset","ipset-rules","iptables"],"latest_commit_sha":null,"homepage":null,"language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mrlesmithjr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-17T20:02:14.000Z","updated_at":"2024-05-19T13:57:47.000Z","dependencies_parsed_at":null,"dependency_job_id":"a1f42108-f4d8-4b53-8704-7f8b582f8224","html_url":"https://github.com/mrlesmithjr/ansible-ipset","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrlesmithjr%2Fansible-ipset","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrlesmithjr%2Fansible-ipset/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrlesmithjr%2Fansible-ipset/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrlesmithjr%2Fansible-ipset/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mrlesmithjr","download_url":"https:
//codeload.github.com/mrlesmithjr/ansible-ipset/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248163337,"owners_count":21057912,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ipset","ipset-rules","iptables"],"created_at":"2024-10-12T20:05:16.676Z","updated_at":"2025-04-10T05:34:09.945Z","avatar_url":"https://github.com/mrlesmithjr.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n-   [ansible-ipset](#ansible-ipset)\n    -   [Related Info](#related-info)\n    -   [Using Block Lists](#using-block-lists)\n        -   [Current supported block lists:](#current-supported-block-lists)\n        -   [Enabling supported block lists:](#enabling-supported-block-lists)\n    -   [IP Sets Rules Management](#ip-sets-rules-management)\n    -   [Requirements](#requirements)\n    -   [Role Variables](#role-variables)\n    -   [Dependencies](#dependencies)\n    -   [Example Playbook](#example-playbook)\n    -   [Examples](#examples)\n        -   [Example ipset list](#example-ipset-list)\n        -   [Example iptables list](#example-iptables-list)\n    -   [License](#license)\n    -   [Author Information](#author-information)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n# 
ansible-ipset\n\nAn [Ansible](https://www.ansible.com) role to install/configure [ipset](http://ipset.netfilter.org/)\n\n\u003e NOTE: This role will also manage [IPTables](http://netfilter.org/projects/iptables/index.html)\n\u003e rules as part of configuring ipset. Any existing IPTables rules **WILL** be\n\u003e removed.\n\n## Related Info\n\nWe have also put together a [blog post](http://everythingshouldbevirtual.com/automation/ansible-ip-sets-and-dshield-block-list/)\nwhich is related to this role.\n\n## Using Block Lists\n\nWe have also included the ability to use several IP block lists to\ngenerate `ipset` rules and `iptables` rules. They can be used to\nblock traffic inbound, outbound, or both inbound and outbound.\n\n### Current supported block lists:\n\n-   [DShield](https://www.dshield.org/)\n-   [FireHOL](http://iplists.firehol.org/)\n-   [Spamhaus DROP](https://www.spamhaus.org/faq/section/DROP%20FAQ)\n    -   DROP\n    -   EDROP\n\n### Enabling supported block lists:\n\nIn order to enable the supported block lists you must set the following variables\nto `true` as their defaults are `false`:\n\n```yaml\n# Defines if DShield top 20 block lists should be defined from https://www.dshield.org/block.txt\nipset_enable_dshield_block_list: false\n\n# Defines if FireHOL ip lists should be defined from http://iplists.firehol.org/\nipset_enable_firehol_block_list: false\n\n# Defines if Spamhaus block lists should be defined from https://www.spamhaus.org/drop/\nipset_enable_spamhaus_block_list: false\n```\n\n## IP Sets Rules Management\n\nWe have added functionality to check whether a rule set with the same name\nalready exists. If it does, a temporary rule set is created and populated. Once\nthe population has completed the existing rule set is swapped with the\ntemporary rule set, and the temporary rule set is then destroyed.\n
This avoids a window in which the live set has been flushed but not yet\nrepopulated, during which addresses that should be blocked would not match.\n\n## Requirements\n\nThe following requirements **MUST** be met on the Ansible host that is executing\nthis role:\n\n-   [python-netaddr](https://pypi.python.org/pypi/netaddr)\n\n## Role Variables\n\n[defaults/main.yml](defaults/main.yml)\n\n## Dependencies\n\n## Example Playbook\n\n[playbook.yml](./playbook.yml)\n\n## Examples\n\n### Example ipset list\n\nDisplaying the list of ipset rule names:\n\n```bash\nvagrant@node0:~$ sudo ipset list -n\nsafe_input\ndshield_block_list\nfirehol_block_list\nspamhaus_drop_block_list\nspamhaus_edrop_block_list\n```\n\nDisplaying the complete list of ipset rules:\n\n\u003e NOTE: This list is just an example and does not show all of the ipset rules\n\u003e shown above.\n\n```bash\nvagrant@node0:~$ sudo ipset list\nName: safe_input\nType: hash:net\nRevision: 6\nHeader: family inet hashsize 1024 maxelem 1000111222\nSize in memory: 448\nReferences: 1\nMembers:\n10.0.0.0/8\n\nName: dshield_block_list\nType: hash:net\nRevision: 6\nHeader: family inet hashsize 1024 maxelem 1000111222\nSize in memory: 1664\nReferences: 4\nMembers:\n85.93.20.0/24\n5.188.203.0/24\n104.236.178.0/24\n77.72.85.0/24\n77.72.82.0/24\n181.214.87.0/24\n5.188.11.0/24\n46.29.162.0/24\n141.212.122.0/24\n80.82.77.0/24\n180.97.106.0/24\n185.35.62.0/24\n216.158.238.0/24\n5.188.86.0/24\n191.101.167.0/24\n93.174.93.0/24\n109.248.9.0/24\n5.188.10.0/24\n80.82.70.0/24\n196.52.43.0/24\n```\n\n### Example iptables list\n\n```bash\nvagrant@node0:~$ sudo iptables -L -v -n\nChain INPUT (policy DROP 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0\n  824  666K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED\n    0     0 
LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set dshield_block_list src\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set firehol_block_list src\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_drop_block_list src\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_edrop_block_list src\n    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,2202,2222 ctstate NEW match-set safe_input src\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination\n\nChain OUTPUT (policy DROP 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0\n  733 61601 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set dshield_block_list dst\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set firehol_block_list dst\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_drop_block_list dst\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_edrop_block_list dst\n    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW\n   12   808 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,123 ctstate NEW\n    0     0 ACCEPT     tcp  --  
*      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443 ctstate NEW\n    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0\n\nChain LOGGING-DROPPED (10 references)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 4 prefix \"IPTables-Dropped: \"\n    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0\n```\n\n## License\n\nMIT\n\n## Author Information\n\nLarry Smith Jr.\n\n-   [EverythingShouldBeVirtual](http://everythingshouldbevirtual.com)\n-   [@mrlesmithjr](https://www.twitter.com/mrlesmithjr)\n-   \u003cmailto:mrlesmithjr@gmail.com\u003e\n\nJeroen Ketelaar\n\n-   [GitHub](https://github.com/jketelaar)\n-   [@jketelaar078](https://www.twitter.com/jketelaar078)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrlesmithjr%2Fansible-ipset","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrlesmithjr%2Fansible-ipset","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrlesmithjr%2Fansible-ipset/lists"}
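The temporary-set-then-swap procedure described in the "IP Sets Rules Management" section, shown as an added shell example. This is not the role's own code and nothing here is taken from its tasks or templates: it generates an `ipset restore` script that creates the target set if it is missing, builds a `-tmp` twin, swaps the two atomically and destroys the old contents, so the live set is never empty. It also adds a check the role's description does not mention: every line fed to `ipset restore` is executed as an ipset command, so entries pulled from a remote block list are validated as IPv4 addresses or CIDRs before they are emitted. The set name, the `hashsize 1024 maxelem 65536` parameters, the `-tmp` suffix and the sample block list are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for the ansible-ipset README; this is not the role's code.
# It generates an `ipset restore` script that rebuilds a set through a
# temporary set plus an atomic `swap`, so the live set is never empty.
# Assumptions (hypothetical, not taken from the role): IPv4 hash:net sets,
# entries supplied one per line, fixed hashsize/maxelem values.

# Keep only lines that parse as an IPv4 address or CIDR; drop comments,
# blank lines and anything else. Every line handed to `ipset restore` is
# executed as an ipset command, so an untrusted or corrupted block list
# must not be able to inject e.g. "destroy safe_input".
filter_cidrs() {
    tr -d '\r' | awk '
    {
        sub(/#.*/, "")
        gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        n = split($0, p, "/")
        if (n > 2) next
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
        if (split(p[1], o, ".") != 4) next
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (ok) print $0
    }'
}

# Emit the restore script for set NAME from the entries on stdin:
#   create NAME          (a no-op under `ipset -exist` when it already exists)
#   create NAME-tmp, flush it, add every validated entry
#   swap NAME-tmp NAME   (atomic; iptables rules referencing NAME keep working)
#   destroy NAME-tmp     (now holds the old contents)
build_swap_script() {
    name=$1
    tmp="${name}-tmp"
    # ipset set names are limited to 31 characters; leave room for "-tmp".
    if [ "${#name}" -gt 27 ]; then
        echo "set name too long for a -tmp twin: $name" >&2
        return 1
    fi
    spec='hash:net family inet hashsize 1024 maxelem 65536'
    printf 'create %s %s\n' "$name" "$spec"
    printf 'create %s %s\n' "$tmp" "$spec"
    printf 'flush %s\n' "$tmp"
    filter_cidrs | while IFS= read -r cidr; do
        printf 'add %s %s\n' "$tmp" "$cidr"
    done
    printf 'swap %s %s\n' "$tmp" "$name"
    printf 'destroy %s\n' "$tmp"
}

# Constructed sample input (not a real DShield or FireHOL download):
# two valid /24s, one bare address, two malformed entries, one injected
# command, a comment and a blank line.
sample_block_list() {
    printf '%s\n' \
        '# constructed block list' \
        '85.93.20.0/24' \
        '  5.188.203.0/24   # trailing comment' \
        '192.0.2.1' \
        '300.1.1.1/24' \
        '10.0.0.0/33' \
        'destroy safe_input' \
        '' \
        '198.51.100.0/24'
}

# Usage on a host (needs root and the ipset binary):
#   sample_block_list | build_swap_script dshield_block_list | ipset -exist restore
```

Running the generated script through `ipset -exist restore` makes the leading `create` of the live set harmless when it already exists, and both sets are created with the same type and family because `swap` refuses to exchange sets that differ. If a set with the same name but a different type is already present, the `create` fails and restore stops before the swap, which is the safe outcome. `swap` leaves the old entries in the `-tmp` set, so the final `destroy` is what actually frees them; the iptables `match-set` references shown in the README keep pointing at the original name throughout.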