# ansible-role-iptables

This role installs the netfilter-persistent package on a Debian system (tested on Buster). It uses templates to fill in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
## Defaults

The role is configured with the following default rules:

```yaml
iptables_rules_v4:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p icmp -m icmp --icmp-type any -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT

iptables_rules_v6:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p ipv6-icmp -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT
```
## Usage

It makes sense to copy the defaults into a host_vars or group_vars file in your inventory, and then update the rule definitions as required:

inventory/host_vars/myhost/iptables.yml:

```yaml
iptables_rules_v4:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p icmp -m icmp --icmp-type any -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
        - "-p tcp -m tcp --dport 80 -j ACCEPT"
        - "-p tcp -m tcp --dport 443 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT

iptables_rules_v6:
  filter:
    INPUT:
      policy: DROP
      rules:
        - "-i lo -j ACCEPT"
        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
        - "-p ipv6-icmp -j ACCEPT"
        - "-p tcp -m tcp --dport 22 -j ACCEPT"
        - "-p tcp -m tcp --dport 80 -j ACCEPT"
        - "-p tcp -m tcp --dport 443 -j ACCEPT"
    FORWARD:
      policy: ACCEPT
    OUTPUT:
      policy: ACCEPT
```
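The `iptables_rules_v4` / `iptables_rules_v6` structure above maps directly onto the format `iptables-restore` reads from `/etc/iptables/rules.v4` and `rules.v6`: one `*table` header, one `:CHAIN POLICY [0:0]` line per chain, the rules in order, then `COMMIT`. The script below is an added example, not the role's own template (which the README does not show), so the exact rendering is an assumption. It renders the structure and runs the pre-flight checks worth doing before pushing a default-deny INPUT chain to a remote host: loopback, RELATED/ESTABLISHED and the SSH port must be accepted, and an IPv6 ruleset must accept `ipv6-icmp` or neighbour discovery stops working.

```python
"""Render the role's rules structure into iptables-restore syntax and check
for the classic self-lockout before the ruleset is deployed.

Added example; the role's Jinja2 template is not part of the README, so the
rendering below is an assumption about what such a template produces.
"""
from __future__ import annotations

# Constructed copy of the README's default `iptables_rules_v4` value.
DEFAULT_RULES_V4 = {
    "filter": {
        "INPUT": {
            "policy": "DROP",
            "rules": [
                "-i lo -j ACCEPT",
                "-m state --state RELATED,ESTABLISHED -j ACCEPT",
                "-p icmp -m icmp --icmp-type any -j ACCEPT",
                "-p tcp -m tcp --dport 22 -j ACCEPT",
            ],
        },
        "FORWARD": {"policy": "ACCEPT"},
        "OUTPUT": {"policy": "ACCEPT"},
    }
}


def render_rules(rules: dict) -> str:
    """Render {table: {chain: {policy, rules}}} into iptables-restore syntax."""
    lines: list[str] = []
    for table, chains in rules.items():
        lines.append(f"*{table}")
        # Chain declarations first: ":CHAIN POLICY [packets:bytes]"
        for chain, spec in chains.items():
            lines.append(f":{chain} {spec.get('policy', 'ACCEPT')} [0:0]")
        # Then the rules, in the order given; iptables is first-match, so order matters
        for chain, spec in chains.items():
            for rule in spec.get("rules", []):
                lines.append(f"-A {chain} {rule}")
        lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def lockout_warnings(rules: dict, family: str = "ipv4", ssh_port: int = 22) -> list[str]:
    """Return warnings for an INPUT chain that would cut off remote management.

    Only a default-deny (policy DROP) INPUT chain can lock you out, so the
    checks are skipped otherwise. `family` is "ipv4" or "ipv6".
    """
    warnings: list[str] = []
    inp = rules.get("filter", {}).get("INPUT", {})
    if inp.get("policy", "ACCEPT") != "DROP":
        return warnings
    chain_rules = inp.get("rules", [])

    def accepts(fragment: str) -> bool:
        return any(fragment in r and "-j ACCEPT" in r for r in chain_rules)

    if not accepts("-i lo"):
        warnings.append("INPUT DROP without a loopback ACCEPT rule")
    if not accepts("RELATED,ESTABLISHED"):
        warnings.append("INPUT DROP without a RELATED,ESTABLISHED ACCEPT rule")
    if not accepts(f"--dport {ssh_port}"):
        warnings.append(f"INPUT DROP without an ACCEPT rule for tcp/{ssh_port}")
    if family == "ipv6" and not accepts("-p ipv6-icmp"):
        # Without ICMPv6, neighbour discovery and router advertisements are dropped
        warnings.append("IPv6 INPUT DROP without an ipv6-icmp ACCEPT rule")
    return warnings


if __name__ == "__main__":
    print(render_rules(DEFAULT_RULES_V4))
    for w in lockout_warnings(DEFAULT_RULES_V4):
        print("WARNING:", w)
```

Run it against a host's `iptables.yml` (load the file with PyYAML and pass the `iptables_rules_v4` value) before the play runs; an empty warning list from `lockout_warnings` is the condition you want to see whenever the role is about to reload a ruleset over the same SSH session that `--dport 22` protects.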
## Optional reload

By default, the ruleset will be (re)loaded at boot time and on every update to /etc/iptables/rules.v4 or /etc/iptables/rules.v6. On systems that dynamically create iptables rules (fail2ban, docker, ...) you may want to skip the reload of iptables, as it will break those dynamically created rules:

```yaml
iptables_reload_on_update: false
```
## Example playbook

```yaml
- hosts:
    - hostname
  roles:
    - role: iptables
      tags:
        - iptables
```