
No Maintenance Intended

iptables

Installs and configures iptables.

Requirements

This role requires Ansible 1.9 or higher.

Role Variables

| Name | Default | Description |
|------|---------|-------------|
| iptables_filter_input_policy | drop | IPv4 default filter input policy |
| iptables_filter_forward_policy | drop | IPv4 default filter forward policy |
| iptables_filter_output_policy | accept | IPv4 default filter output policy |
| iptables_filter_rules | `[{protocol: tcp, source_address: 0.0.0.0/0, destination_port: 22, comment: OpenSSH, target: accept }]` | Array of filter rules represented as hashes |
| iptables_nat_prerouting_policy | accept | IPv4 default nat prerouting policy |
| iptables_nat_input_policy | accept | IPv4 default nat input policy |
| iptables_nat_output_policy | accept | IPv4 default nat output policy |
| iptables_nat_postrouting_policy | accept | IPv4 default nat postrouting policy |
| iptables_nat_rules | `[]` | Array of nat rules represented as hashes |
| iptables6_filter_input_policy | drop | IPv6 default filter input policy |
| iptables6_filter_forward_policy | drop | IPv6 default filter forward policy |
| iptables6_filter_output_policy | accept | IPv6 default filter output policy |
| iptables6_nat_prerouting_policy | accept | IPv6 default nat prerouting policy |
| iptables6_nat_input_policy | accept | IPv6 default nat input policy |
| iptables6_nat_output_policy | accept | IPv6 default nat output policy |
| iptables6_nat_postrouting_policy | accept | IPv6 default nat postrouting policy |

Dependencies

None

Example Playbook

Install and configure iptables to allow ICMP and OpenSSH

- hosts: all
  roles:
    - kbrebanov.iptables

Install and configure iptables to disallow ICMP, allow OpenSSH and HTTP

- hosts: all
  vars:
    iptables_filter_rules:
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 22
        comment: OpenSSH
        target: accept
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 80
        comment: HTTP
        target: accept
  roles:
    - kbrebanov.iptables

Install and configure iptables with a port forward rule for HTTP

- hosts: all
  vars:
    iptables_filter_rules:
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 80
        comment: HTTP
        target: accept
    iptables_nat_rules:
      - chain: prerouting
        protocol: tcp
        destination_port: 80
        target: dnat
        to_destination: 192.168.1.54
        to_port: 8080
  roles:
    - kbrebanov.iptables
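How the role's rule hashes become an iptables-restore ruleset, as an added illustration (my code, not the role's own Jinja2 template, whose exact output it does not reproduce): the hashes from the playbooks above are rendered into `-A` lines, with chain policies taken from the defaults in the variable table. Function names and the three stateful preamble rules are assumptions; the preamble mirrors the rules visible in the generated output quoted in the issue further down this page.

```python
"""Render ansible-iptables style rule hashes into iptables-restore syntax.

Added example, not the role's Jinja2 template: field names follow the README's
variable table, option order follows the generated ruleset quoted in the issue
on this page, and the rest (function names, the stateful preamble) is assumed.
"""

FILTER_CHAINS = ("input", "forward", "output")
NAT_CHAINS = ("prerouting", "input", "output", "postrouting")
POLICIES = ("accept", "drop")

# Stateful preamble modelled on the role's generated filter table: accept
# loopback and replies to established flows, drop what conntrack cannot
# classify. Without the ESTABLISHED,RELATED rule a DROP input policy would
# also discard replies to the host's own outbound connections.
FILTER_PREAMBLE = (
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -m conntrack --ctstate INVALID -j DROP",
)


def rule_line(rule, table):
    """Turn one rule hash into an -A line for the given table."""
    chains = FILTER_CHAINS if table == "filter" else NAT_CHAINS
    chain = rule.get("chain", "input")
    if chain not in chains:
        raise ValueError(f"table {table!r} has no built-in chain {chain!r}")
    parts = [f"-A {chain.upper()}"]
    if "protocol" in rule:
        parts.append(f"-p {rule['protocol']}")
    if "source_address" in rule:
        parts.append(f"-s {rule['source_address']}")
    if "destination_port" in rule:
        # iptables only accepts --dport together with -p tcp or -p udp
        if rule.get("protocol") not in ("tcp", "udp"):
            raise ValueError("destination_port needs protocol tcp or udp")
        parts.append(f"--dport {rule['destination_port']}")
    if "comment" in rule:
        parts.append(f'-m comment --comment "{rule["comment"]}"')
    target = rule["target"]
    if target == "dnat":
        if table != "nat":
            raise ValueError("dnat is only valid in the nat table")
        dest = str(rule["to_destination"])
        if "to_port" in rule:
            dest += f":{rule['to_port']}"
        parts.append(f"-j DNAT --to-destination {dest}")
    elif target in ("accept", "drop", "reject"):
        parts.append(f"-j {target.upper()}")
    else:
        raise ValueError(f"unsupported target {target!r}")
    return " ".join(parts)


def render(filter_rules, nat_rules=(), filter_policy=None, nat_policy=None):
    """Build a complete iptables-restore ruleset with filter and nat tables."""
    fpol = {"input": "drop", "forward": "drop", "output": "accept"}  # role defaults
    fpol.update(filter_policy or {})
    npol = dict.fromkeys(NAT_CHAINS, "accept")
    npol.update(nat_policy or {})
    for policy in list(fpol.values()) + list(npol.values()):
        if policy not in POLICIES:
            raise ValueError(f"chain policy must be accept or drop, got {policy!r}")
    lines = ["*filter"]
    lines += [f":{c.upper()} {fpol[c].upper()} [0:0]" for c in FILTER_CHAINS]
    lines += FILTER_PREAMBLE
    lines += [rule_line(r, "filter") for r in filter_rules]
    lines.append("COMMIT")
    lines.append("*nat")
    lines += [f":{c.upper()} {npol[c].upper()} [0:0]" for c in NAT_CHAINS]
    lines += [rule_line(r, "nat") for r in nat_rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# The README's port-forward example, as rule hashes.
HTTP_FILTER = [{"chain": "input", "protocol": "tcp", "source_address": "0.0.0.0/0",
                "destination_port": 80, "comment": "HTTP", "target": "accept"}]
HTTP_NAT = [{"chain": "prerouting", "protocol": "tcp", "destination_port": 80,
             "target": "dnat", "to_destination": "192.168.1.54", "to_port": 8080}]

if __name__ == "__main__":
    print(render(HTTP_FILTER, HTTP_NAT), end="")
```

Running the script prints the ruleset for the port-forward playbook; review it before handing it to `iptables-restore`. Packets DNATed to another host (192.168.1.54 in the example) traverse the FORWARD chain, whose default policy in this role is drop, so a port forward to a different machine also needs a forward-chain accept rule and IP forwarding enabled (`net.ipv4.ip_forward`) before any traffic passes.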

License

BSD

Author Information

Kevin Brebanov


ansible-iptables's Issues

Provisioning error after last commit to master

Hi @kbrebanov,
Your latest commit [https://github.com/kbrebanov/ansible-iptables/commit/6186f9c4a3c1ca05e73b113c8d891e22922734ab] creates a playbook error on our centos6 VMs.
Playbook executes without errors when reverting to previous commit [https://github.com/kbrebanov/ansible-iptables/commit/b1b60c21c5136952a2658c0f5c3ab35bdd09cad7].
I'd welcome your feedback! Thanks and kind regards, Pl.

Playbook error:

RUNNING HANDLER [kbrebanov.iptables : restart iptables] ************************
fatal: [default]: FAILED! => {"changed": true, "failed": true, "msg": "iptables-restore v1.4.7: Can't set policy `INPUT' on `ACCEPT' line 38: Bad built-in chain name\n\n"}

Provisioning snippet:

  - role: kbrebanov.iptables
    iptables_icmp_enabled: true
    iptables_rules:
    - { protocol: tcp, source_addresses: "0.0.0.0/0", port: "20:21", comment: "FTP" }
    - { protocol: tcp, source_addresses: "0.0.0.0/0", port: "22", comment: "OpenSSH" }
    - { protocol: tcp, source_addresses: "0.0.0.0/0", port: "80", comment: "HTTP" }
    - { protocol: tcp, source_addresses: "0.0.0.0/0", port: "443", comment: "HTTPS" }
    - { protocol: tcp, source_addresses: "0.0.0.0/0", port: "8000:9000", comment: "HTTP/Node/Other" }
    - { protocol: tcp, source_addresses: "0.0.0.0/0", port: "3306", comment: "MySQL" }
    become: yes
    become_method: sudo

Auto-generated rules:

# Ansible managed: ansible/roles/kbrebanov.iptables/templates/iptables.j2 modified on 2015-11-10 17:35:58

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]

-A TCP -p tcp -s 0.0.0.0/0 --dport 20:21 -m comment --comment "FTP" -j ACCEPT
-A TCP -p tcp -s 0.0.0.0/0 --dport 22 -m comment --comment "OpenSSH" -j ACCEPT
-A TCP -p tcp -s 0.0.0.0/0 --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A TCP -p tcp -s 0.0.0.0/0 --dport 443 -m comment --comment "HTTPS" -j ACCEPT
-A TCP -p tcp -s 0.0.0.0/0 --dport 8000:9000 -m comment --comment "HTTP/Node/Other" -j ACCEPT
-A TCP -p tcp -s 0.0.0.0/0 --dport 3306 -m comment --comment "MySQL" -j ACCEPT

-A INPUT -p icmp --icmp-type redirect -j DROP
-A INPUT -p icmp -j ACCEPT

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


-A POSTROUTING -j MASQUERADE

COMMIT
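What the error in this report points at, as an added check that is neither part of the role nor of the report: the nat table only gained an INPUT chain in Linux 2.6.36, and CentOS 6 runs 2.6.32, so iptables-restore v1.4.7 there rejects the `:INPUT ACCEPT [0:0]` line under `*nat`. Counted from the `# Ansible managed` header, that line is line 38 of the dump above, matching the line number in the handler's error. The script below (my code; function names and the sample ruleset are assumptions) parses an iptables-restore ruleset and reports chain policies and appends the target kernel would not accept, so the check can run before the `restart iptables` handler fires.

```python
"""Pre-flight lint for an iptables-restore ruleset: report chain policies (and
appends) that the target kernel would reject before the restart handler runs.

Added example, not part of the role or of the bug report. The built-in chain
sets are those documented for iptables; the nat table's INPUT hook exists only
from Linux 2.6.36 on. Function names and the sample ruleset are assumptions.
"""
import platform
import re

BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")
APPEND_RE = re.compile(r"^-A\s+(\S+)")

# Constructed sample, shortened from the dump in the issue above; the nat
# INPUT policy is on line 12 here (line 38 in the full dump).
SAMPLE = """\
# Ansible managed (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
-A TCP -p tcp --dport 22 -m comment --comment "OpenSSH" -j ACCEPT
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
"""


def parse_kernel(release):
    """'2.6.32-573.el6.x86_64' -> (2, 6, 32)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release {release!r}")
    return tuple(int(x) for x in m.groups())


def builtin_chains(kernel):
    """Built-in chains the given kernel exposes, per table."""
    chains = {t: set(c) for t, c in BUILTIN_CHAINS.items()}
    if kernel < (2, 6, 36):
        # NAT on the INPUT hook arrived in 2.6.36; on older kernels
        # iptables-restore reports "Bad built-in chain name" for it.
        chains["nat"].discard("INPUT")
    return chains


def lint(ruleset, kernel=None):
    """Return [(line_number, message)] for what the kernel would reject."""
    kernel = kernel or parse_kernel(platform.release())
    builtin = builtin_chains(kernel)
    version = ".".join(map(str, kernel))
    findings, table, declared = [], None, set()
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            declared = set(builtin.get(table, ()))
            if table not in builtin:
                findings.append((lineno, f"unknown table {table!r}"))
            continue
        if line == "COMMIT":
            table = None
            continue
        if table is None:
            findings.append((lineno, "rule outside any table"))
            continue
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if policy == "-":
                declared.add(chain)  # user-defined chain, no policy
            elif chain not in declared:
                findings.append((lineno, f"policy {policy} on {chain}: not a "
                                 f"built-in chain of {table} on kernel {version}"))
            continue
        m = APPEND_RE.match(line)
        if m and m.group(1) not in declared:
            findings.append((lineno, f"-A {m.group(1)}: chain not declared in {table}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE, kernel=(2, 6, 32)):
        print(f"line {lineno}: {msg}")
```

Called without a kernel argument the function reads the running kernel from `platform.release()`; in a pre-task it would be fed the rendered template and the managed host's `ansible_kernel` fact instead, which catches this class of failure before the live ruleset is touched.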
