Installs a simple iptables-based firewall for RHEL/CentOS or Debian/Ubunty systems.
This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of iptables and/or firewalls in general, this role should be a good starting point for a secure system firewall.
After the role is run, a firewall init service will be available on the server. You can use service firewall [start|stop|restart|status] to control the firewall.
None.
Available variables are listed below, along with default values (see defaults/main.yml):
firewall_ipv6_enabled: true enables ipv6 firewall
firewall(6)_allowed_tcp_ports:
- "22"
- "80"
...
firewall(6)_allowed_udp_ports: []
A list of TCP or UDP ports (respectively) to open to incoming traffic.
firewall(6)_forwarded_tcp_ports:
- { src: "22", dest: "2222" }
- { src: "80", dest: "8080" }
firewall(6)_forwarded_udp_ports: []
Forward src port to dest port, either TCP or UDP (respectively).
firewall(6)_additional_rules: []
Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. iptables [rule]).
firewall_log_dropped_packets: true
Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: ").
None.
- hosts: server
vars_files:
- vars/main.yml
roles:
- { role: geerlingguy.firewall }
Inside vars/main.yml:
firewall_allowed_tcp_ports:
- "22"
- "25"
- "80"
- Make outgoing ports more configurable.
- Make other firewall features (like logging) configurable.
MIT / BSD
This role was created in 2014 by Jeff Geerling, author of Ansible for DevOps.