Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/geerlingguy/ansible-role-firewall

Ansible Role - iptables Firewall configuration.
https://github.com/geerlingguy/ansible-role-firewall

ansible centos debian fedora firewall iptables linux rhel role rules security ubuntu

Last synced: 4 days ago
JSON representation

Ansible Role - iptables Firewall configuration.

Host: GitHub
URL: https://github.com/geerlingguy/ansible-role-firewall
Owner: geerlingguy
License: mit
Created: 2014-03-04T04:19:37.000Z (almost 11 years ago)
Default Branch: master
Last Pushed: 2024-12-30T02:45:06.000Z (23 days ago)
Last Synced: 2025-01-11T05:02:13.713Z (11 days ago)
Topics: ansible, centos, debian, fedora, firewall, iptables, linux, rhel, role, rules, security, ubuntu
Language: Shell
Homepage: https://galaxy.ansible.com/geerlingguy/firewall/
Size: 84 KB
Stars: 541
Watchers: 33
Forks: 219
Open Issues: 5
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

awesome-list-ansible - ansible-role-firewall - iptables Firewall configuration. (ubuntu)
awesome-ansible-roles - geerlingguy.firewall - Installs a simple iptables-based firewall for RHEL/CentOS or Debian/Ubunty systems. (Security / Caching)

README

# Ansible Role: Firewall (iptables)

[![CI](https://github.com/geerlingguy/ansible-role-firewall/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-firewall/actions?query=workflow%3ACI)

Installs an iptables-based firewall for Linux. Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`).

This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall.

After the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall.

## Requirements

None.

## Role Variables

Available variables are listed below, along with default values (see `defaults/main.yml`):

```yaml
firewall_state: started
firewall_enabled_at_boot: true
```

Controls the state of the firewall service; whether it should be running (`firewall_state`) and/or enabled on system boot (`firewall_enabled_at_boot`).

```yaml
firewall_flush_rules_and_chains: true
```

Whether to flush all rules and chains whenever the firewall is restarted. Set this to `false` if there are other processes managing iptables (e.g. Docker).

```yaml
firewall_template: firewall.bash.j2
```

The template to use when generating firewall rules.

```yaml
firewall_allowed_tcp_ports:
- "22"
- "80"
...
firewall_allowed_udp_ports: []
```

A list of TCP or UDP ports (respectively) to open to incoming traffic.

```yaml
firewall_forwarded_tcp_ports:
- { src: "22", dest: "2222" }
- { src: "80", dest: "8080" }
firewall_forwarded_udp_ports: []
```

Forward `src` port to `dest` port, either TCP or UDP (respectively).

```yaml
firewall_additional_rules: []
firewall_ip6_additional_rules: []
```

Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). A few examples of how this could be used:

```yaml
# Allow only the IP 167.89.89.18 to access port 4949 (Munin).
firewall_additional_rules:
- "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT"

# Allow only the IP 214.192.48.21 to access port 3306 (MySQL).
firewall_additional_rules:
- "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT"
```

See [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) for more examples.

```yaml
firewall_log_dropped_packets: true
```

Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: ").

```yaml
firewall_disable_firewalld: false
firewall_disable_ufw: false
```

Set to `true` to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively.

```yaml
firewall_enable_ipv6: true
```

Set to `false` to disable configuration of ip6tables (for example, if your `GRUB_CMDLINE_LINUX` contains `ipv6.disable=1`).

## Dependencies

None.

## Example Playbook

```yaml
- hosts: server
vars_files:
- vars/main.yml
roles:
- { role: geerlingguy.firewall }
```

*Inside `vars/main.yml`*:

```yaml
firewall_allowed_tcp_ports:
- "22"
- "25"
- "80"
```

## License

MIT / BSD

## Author Information

This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).