iptables role to install and configure iptables on Linux
An Ansible role that installs iptables and configures it. It is written for RHEL/CentOS but can be ported to other distributions.
This role removes firewalld, installs iptables, and ensures the service is enabled and started. The configuration follows a restrictive firewall design that blocks most traffic by default, so be careful when applying it for the first time, in particular over an SSH session. With the default Jinja2 template only the INPUT, FORWARD and OUTPUT chains of the filter table are used. If the docker boolean is set, a DOCKER chain is also created in the filter and nat tables.
- Ansible 2+
Variables with defaults:
```yaml
iptables_public_interface: eth0
iptables_template: 'iptables.j2'
iptables_tcp_rules:
  - destinationport: 22
    sourceaddress: '0.0.0.0/0'
    comment: 'SSH from everywhere'
iptables_udp_rules:
  - destinationport: 123
    sourceaddress: '0.0.0.0/0'
    comment: 'NTP from everywhere'
```
The following variables are empty by default. You can allow all traffic from an interconnect network (for example 10.10.20.0/24) on a dedicated interface by setting iptables_interconnect_interface to the interface name and iptables_interconnect_range to the network. If you run Docker on the host you need some extra rules, which are enabled with the host_use_docker variable:
```yaml
iptables_interconnect_interface: 'eth1'
iptables_interconnect_range: '10.10.10.0/24'
host_use_docker: 'true'
```
Each tcp exception is added as one list entry, like this:
```yaml
iptables_tcp_rules:
  - destinationport: 80
    sourceaddress: '1.2.3.0/24'
    comment: 'HTTP from 1.2.3.0 network'
  - destinationport: 443
    sourceaddress: '1.2.3.0/24'
    comment: 'HTTPS from 1.2.3.0 network'
  - destinationport: 5666
    sourceaddress: '1.2.3.4'
    comment: 'NRPE communication from nagios server'
```
Same for udp:
```yaml
iptables_udp_rules:
  - destinationport: 53
    sourceaddress: '1.2.3.0/24'
    comment: 'DNS from 1.2.3.0 network'
  - destinationport: 67
    sourceaddress: '1.2.3.4'
    comment: 'DHCP client from 1.2.3.4 host'
```
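To show what the rule variables above turn into, here is an added example (not the role's own iptables.j2 template) that renders an iptables-restore filter table from the same variable structure, using the restrictive design the README describes: INPUT and FORWARD default to DROP, loopback and established traffic are allowed, the interconnect interface is trusted for its range only, and every tcp/udp entry becomes one explicit ACCEPT rule. The loopback and conntrack rules are assumptions about a typical restrictive ruleset, the DOCKER chain and nat table are left out, and the sample variables are constructed from the README's examples.

```python
# Added illustration, not the role's own iptables.j2: build an iptables-restore
# filter table from the role's variables (INPUT/FORWARD DROP by default, explicit
# per-port exceptions). DOCKER chain and nat table are not reproduced here.
import ipaddress
from typing import Any, Dict, List

# Constructed sample vars: the README's defaults plus its interconnect example.
EXAMPLE_VARS: Dict[str, Any] = {
    "iptables_public_interface": "eth0",
    "iptables_interconnect_interface": "eth1",
    "iptables_interconnect_range": "10.10.10.0/24",
    "iptables_tcp_rules": [
        {"destinationport": 22, "sourceaddress": "0.0.0.0/0", "comment": "SSH from everywhere"},
    ],
    "iptables_udp_rules": [
        {"destinationport": 67, "sourceaddress": "1.2.3.4", "comment": "DHCP client from 1.2.3.4 host"},
    ],
}

def _net(addr: str) -> str:
    """Normalise a source address to CIDR; a typo fails here, not in iptables-restore."""
    return str(ipaddress.ip_network(addr, strict=False))

def render_rules(v: Dict[str, Any]) -> List[str]:
    """Return iptables-restore lines for the filter table built from role vars."""
    pub = v.get("iptables_public_interface", "eth0")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",       # restrictive default: drop unless listed below
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",  # assumed baseline rules, not from the README
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    ic_if = v.get("iptables_interconnect_interface")
    if ic_if:  # trusted interconnect: allow everything, but only from that range
        lines.append(f"-A INPUT -i {ic_if} -s {_net(v['iptables_interconnect_range'])} -j ACCEPT")
    for proto in ("tcp", "udp"):
        for rule in v.get(f"iptables_{proto}_rules") or []:
            port = int(rule["destinationport"])
            if not 1 <= port <= 65535:
                raise ValueError(f"bad destinationport {port}")
            src = _net(rule.get("sourceaddress", "0.0.0.0/0"))
            comment = str(rule.get("comment", "")).replace('"', "'")
            lines.append(f"-A INPUT -i {pub} -p {proto} -s {src} --dport {port} "
                         f'-m comment --comment "{comment}" -j ACCEPT')
    lines.append("COMMIT")
    return lines

if __name__ == "__main__":
    print("\n".join(render_rules(EXAMPLE_VARS)))
```

Note that a bare host such as '1.2.3.4' is rendered as 1.2.3.4/32, and an invalid address or port is rejected before anything reaches the firewall.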
None.
Add to requirements.yml:
```yaml
---
- src: sloan87.iptables
...
```
Download:
```
$ ansible-galaxy install -r requirements.yml
```
Write a top-level playbook:
```yaml
---
- name: worker server
  hosts: worker
  roles:
    - role: sloan87.iptables
      tags:
        - firewall
        - iptables
        - network
        - security
...
```
Define the role dependency in meta/main.yml:
```yaml
---
dependencies:
  - role: sloan87.iptables
    tags:
      - firewall
      - iptables
      - network
      - security
...
```
MIT
This role was created in 2017 by Ben Langenberg (sloan87 on GitHub), HPC cluster systems administrator at the Helmholtz-Centre for Environmental Research GmbH - UFZ. The role skeleton is based on a draft by Christian Krause (wookietreiber on GitHub).