Updated readme

2019-08-28 11:46:47 +02:00
parent 814a85a421
commit 14a7ae9dcf
1 changed files with 93 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,93 @@
+# ansible-role-iptables
+
+This role installs the netfilter-persistent package on a Debian system. (Tested on Buster)
+It uses templates to fill in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
+
+## Defaults
+
+The roles is configured with the following default rules:
+
+```
+iptables_rules_v4:
+  filter:
+    INPUT:
+      policy: DROP
+      rules:
+        - "-i lo -j ACCEPT"
+        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+        - "-p icmp -m icmp --icmp-type any -j ACCEPT"
+        - "-p tcp -m tcp --dport 22 -j ACCEPT"
+    FORWARD:
+      policy: ACCEPT
+    OUTPUT:
+      policy: ACCEPT
+iptables_rules_v6:
+  filter:
+    INPUT:
+      policy: DROP
+      rules:
+        - "-i lo -j ACCEPT"
+        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+        - "-p ipv6-icmp -j ACCEPT"
+        - "-p tcp -m tcp --dport 22 -j ACCEPT"
+    FORWARD:
+      policy: ACCEPT
+    OUTPUT:
+      policy: ACCEPT
+```
+
+## Usage
+
+It makes sense to copy the defaults into a host_vars or group_vars file in your inventory, and then update the rule definitions as required:
+
+inventory/host_vars/myhost/iptables.yml:
+
+```
+iptables_rules_v4:
+  filter:
+    INPUT:
+      policy: DROP
+      rules:
+        - "-i lo -j ACCEPT"
+        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+        - "-p icmp -m icmp --icmp-type any -j ACCEPT"
+        - "-p tcp -m tcp --dport 22 -j ACCEPT"
+        - "-p tcp -m tcp --dport 80 -j ACCEPT"
+        - "-p tcp -m tcp --dport 443 -j ACCEPT"
+    FORWARD:
+      policy: ACCEPT
+    OUTPUT:
+      policy: ACCEPT
+iptables_rules_v6:
+  filter:
+    INPUT:
+      policy: DROP
+      rules:
+        - "-i lo -j ACCEPT"
+        - "-m state --state RELATED,ESTABLISHED -j ACCEPT"
+        - "-p ipv6-icmp -j ACCEPT"
+        - "-p tcp -m tcp --dport 22 -j ACCEPT"
+        - "-p tcp -m tcp --dport 80 -j ACCEPT"
+        - "-p tcp -m tcp --dport 443 -j ACCEPT"
+    FORWARD:
+      policy: ACCEPT
+    OUTPUT:
+      policy: ACCEPT
+```
+
+## Optional reload
+
+By default, the ruleset will be (re)loaded at boottime and on every update to /etc/iptables/rules.v4 or /etc/iptables/rules.v6. On systems that dynamically create iptables rules (fail2ban, docker...) you may want to skip the reload of iptables, as it will break those dynamically created rules.
+
+iptables_reload_on_update: false
+
+## Example playbook
+
+```
+- hosts:
+  - hostname
+  roles:
+  - role: iptables
+    tags:
+    - iptables
+```