{"id":29143915,"url":"https://github.com/nickjj/ansible-iptables","last_synced_at":"2025-10-10T14:40:45.449Z","repository":{"id":146280901,"uuid":"70284920","full_name":"nickjj/ansible-iptables","owner":"nickjj","description":"Configure iptables using Ansible.","archived":false,"fork":false,"pushed_at":"2019-11-15T10:31:44.000Z","size":13,"stargazers_count":12,"open_issues_count":2,"forks_count":7,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-04T04:56:00.434Z","etag":null,"topics":["ansible","firewall","iptables"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nickjj.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-10-07T21:39:50.000Z","updated_at":"2023-05-12T16:45:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"b0eed601-9e21-45f7-a7b5-ad178da41ec2","html_url":"https://github.com/nickjj/ansible-iptables","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/nickjj/ansible-iptables","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-iptables","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-iptables/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-iptables/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-iptables/manifests","owner_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/owners/nickjj","download_url":"https://codeload.github.com/nickjj/ansible-iptables/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickjj%2Fansible-iptables/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279004182,"owners_count":26083689,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","firewall","iptables"],"created_at":"2025-06-30T20:39:43.317Z","updated_at":"2025-10-10T14:40:45.443Z","avatar_url":"https://github.com/nickjj.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"## What is ansible-iptables? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-iptables.png)](http://travis-ci.org/nickjj/ansible-iptables)\n\nIt is an [Ansible](http://www.ansible.com/home) role to:\n\n- Install iptables\n- Configure iptables\n\n## Why would you want to use this role?\n\nLocking down your server with a firewall is an important security step. 
This\nrole gives you full control over how you configure iptables.\n\n## Supported platforms\n\n- Ubuntu 16.04 LTS (Xenial)\n- Debian 8 (Jessie)\n- Debian 9 (Stretch)\n\n## Role variables\n\n```\n# Rather than make a big convoluted mess by trying to parse an iptables config\n# file, you can just supply a raw config file.\n#\n# The default setup will lock down your server, and then open up:\n# port 22 (SSH) and allow pings from the outside world.\niptables_config: |\n  *filter\n\n  # --- Disallow everything as the default filter policy.\n  :INPUT DROP [0:0]\n  :FORWARD DROP [0:0]\n  :OUTPUT ACCEPT [0:0]\n\n  # --- Allow unrestricted traffic on a few local network adapters.\n  -A INPUT -i lo -j ACCEPT\n  -A INPUT -i eth1 -j ACCEPT\n  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n\n  # --- Allow the outside world to connect to SSH (22).\n  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n\n  # --- Allow the outside world to send all ICMP requests (ping, etc.).\n  -A INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT\n\n  COMMIT\n\n# A list of 0 or more services to get restarted after your iptables rules are\n# changed. For instance, Docker makes a number of iptables changes and must be\n# loaded after iptables.\n#\n# All of this is taken care of by this role and my Docker role, and in the case\n# where the service (Docker in this case) isn't installed, this task will skip.\n#\n# Keep in mind, if this does get run then your service will restart. In the\n# case of Docker, all of your containers will restart too, but that's what\n# you need to do if you change iptables around. 
Try not to do it ever / often!\niptables_restart_dependent_services:\n  - name: \"docker\"\n    path: \"/etc/systemd/system/\"\n```\n\n## Example usage\n\nFor the sake of this example let's assume you have a group called **app** and\nyou have a typical `site.yml` file.\n\nTo use this role edit your `site.yml` file to look something like this:\n\n```\n---\n\n- name: \"Configure app server(s)\"\n  hosts: \"app\"\n  become: True\n\n  roles:\n    - { role: \"nickjj.iptables\", tags: \"iptables\" }\n```\n\nIf you want to allow HTTP / HTTPS traffic, you can do this by opening\nor creating `group_vars/app.yml`, which is located relative to your `inventory`\ndirectory, and then making it look like this:\n\n```\n---\n\niptables_config: |\n  *filter\n\n  # --- Disallow everything as the default filter policy.\n  :INPUT DROP [0:0]\n  :FORWARD DROP [0:0]\n  :OUTPUT ACCEPT [0:0]\n\n  # --- Allow unrestricted traffic on a few local network adapters.\n  -A INPUT -i lo -j ACCEPT\n  -A INPUT -i eth1 -j ACCEPT\n  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n\n  # --- Allow the outside world to connect to SSH (22), HTTP (80) and HTTPS (443).\n  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n  -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n  -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\n\n  # --- Allow the outside world to be able to ping you.\n  -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT\n  -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT\n  -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT\n\n  COMMIT\n```\n\nNow you would run `ansible-playbook -i inventory/hosts site.yml -t iptables`.\n\n## Installation\n\n`$ ansible-galaxy install nickjj.iptables`\n\n## Ansible Galaxy\n\nYou can find it on the official\n[Ansible Galaxy](https://galaxy.ansible.com/nickjj/iptables/) if you want to\nrate it.\n\n## 
License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickjj%2Fansible-iptables","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnickjj%2Fansible-iptables","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickjj%2Fansible-iptables/lists"}