nils/ansible-role-iptables
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
81abc5799ee3f5b19bacad36ecad850c7fdffd19
ansible-role-iptables/README.md
Nils Cant 14a7ae9dcf Updated readme
2019-08-28 11:46:47 +02:00

94 lines
2.3 KiB
Markdown
Raw Blame History

# ansible-role-iptables
This role installs the netfilter-persistent package on a Debian system. (Tested on Buster)
It uses templates to fill in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
## Defaults
The roles is configured with the following default rules:
```
iptables_rules_v4:
filter:
INPUT:
policy: DROP
rules:
- "-i lo -j ACCEPT"
- "-m state --state RELATED,ESTABLISHED -j ACCEPT"
- "-p icmp -m icmp --icmp-type any -j ACCEPT"
- "-p tcp -m tcp --dport 22 -j ACCEPT"
FORWARD:
policy: ACCEPT
OUTPUT:
policy: ACCEPT
iptables_rules_v6:
filter:
INPUT:
policy: DROP
rules:
- "-i lo -j ACCEPT"
- "-m state --state RELATED,ESTABLISHED -j ACCEPT"
- "-p ipv6-icmp -j ACCEPT"
- "-p tcp -m tcp --dport 22 -j ACCEPT"
FORWARD:
policy: ACCEPT
OUTPUT:
policy: ACCEPT
```
## Usage
It makes sense to copy the defaults into a host_vars or group_vars file in your inventory, and then update the rule definitions as required:
inventory/host_vars/myhost/iptables.yml:
```
iptables_rules_v4:
filter:
INPUT:
policy: DROP
rules:
- "-i lo -j ACCEPT"
- "-m state --state RELATED,ESTABLISHED -j ACCEPT"
- "-p icmp -m icmp --icmp-type any -j ACCEPT"
- "-p tcp -m tcp --dport 22 -j ACCEPT"
- "-p tcp -m tcp --dport 80 -j ACCEPT"
- "-p tcp -m tcp --dport 443 -j ACCEPT"
FORWARD:
policy: ACCEPT
OUTPUT:
policy: ACCEPT
iptables_rules_v6:
filter:
INPUT:
policy: DROP
rules:
- "-i lo -j ACCEPT"
- "-m state --state RELATED,ESTABLISHED -j ACCEPT"
- "-p ipv6-icmp -j ACCEPT"
- "-p tcp -m tcp --dport 22 -j ACCEPT"
- "-p tcp -m tcp --dport 80 -j ACCEPT"
- "-p tcp -m tcp --dport 443 -j ACCEPT"
FORWARD:
policy: ACCEPT
OUTPUT:
policy: ACCEPT
```
## Optional reload
By default, the ruleset will be (re)loaded at boottime and on every update to /etc/iptables/rules.v4 or /etc/iptables/rules.v6. On systems that dynamically create iptables rules (fail2ban, docker...) you may want to skip the reload of iptables, as it will break those dynamically created rules.
iptables_reload_on_update: false
## Example playbook
```
- hosts:
- hostname
roles:
- role: iptables
tags:
- iptables
```
Reference in New Issue View Git Blame Copy Permalink