This repository has been archived by the owner on Aug 2, 2019. It is now read-only.


Ansible Role: iptables


Description

Installs iptables and writes the IPv4 (iptables) and IPv6 (ip6tables) filter and nat rulesets from the role variables below, including the default chain policies.

Installation

ansible-galaxy install sbaerlocher.iptables

Requirements

This role requires Ansible 2 or higher.

Role Variables

| Name | Default | Description |
|------|---------|-------------|
| `iptables_filter_input_policy` | `drop` | IPv4 default policy of the filter INPUT chain |
| `iptables_filter_forward_policy` | `drop` | IPv4 default policy of the filter FORWARD chain |
| `iptables_filter_output_policy` | `accept` | IPv4 default policy of the filter OUTPUT chain |
| `iptables_filter_rules` | `[{protocol: tcp, source_address: 0.0.0.0/0, destination_port: 22, comment: OpenSSH, target: accept}]` | List of IPv4 filter rules, each a hash (dict) |
| `iptables_nat_prerouting_policy` | `accept` | IPv4 default policy of the nat PREROUTING chain |
| `iptables_nat_input_policy` | `accept` | IPv4 default policy of the nat INPUT chain |
| `iptables_nat_output_policy` | `accept` | IPv4 default policy of the nat OUTPUT chain |
| `iptables_nat_postrouting_policy` | `accept` | IPv4 default policy of the nat POSTROUTING chain |
| `iptables_nat_rules` | `[]` | List of IPv4 nat rules, each a hash (dict) |
| `ip6tables_filter_input_policy` | `drop` | IPv6 default policy of the filter INPUT chain |
| `ip6tables_filter_forward_policy` | `drop` | IPv6 default policy of the filter FORWARD chain |
| `ip6tables_filter_output_policy` | `accept` | IPv6 default policy of the filter OUTPUT chain |
| `ip6tables_filter_rules` | `[]` | List of IPv6 filter rules, each a hash (dict) |
| `ip6tables_nat_prerouting_policy` | `accept` | IPv6 default policy of the nat PREROUTING chain |
| `ip6tables_nat_input_policy` | `accept` | IPv6 default policy of the nat INPUT chain |
| `ip6tables_nat_output_policy` | `accept` | IPv6 default policy of the nat OUTPUT chain |
| `ip6tables_nat_postrouting_policy` | `accept` | IPv6 default policy of the nat POSTROUTING chain |

Two things to keep in mind before applying the defaults to a remote host. First, the defaults are asymmetric between address families: IPv4 gets an INPUT policy of `drop` plus an accept rule for TCP/22, but IPv6 gets an INPUT policy of `drop` with an empty rule list, so a host you administer over IPv6 loses SSH access unless you add the equivalent rule to `ip6tables_filter_rules`. Second, the rule keys used in this README (`chain`, `protocol`, `source_address`, `destination_port`, `comment`, `target`, `to_destination`, `to_port`) expose no connection-state match; run `iptables -S` and `ip6tables -S` on a test host after the first apply and confirm that the rendered ruleset still accepts the traffic you depend on (your own SSH session, replies to outbound connections) before rolling it out with INPUT set to `drop`.

Dependencies

None

Example Playbook

```yaml
- hosts: all
  roles:
     - sbaerlocher.iptables
```

Install and configure iptables to allow OpenSSH and HTTP over IPv4. Nothing in this playbook mentions ICMP: it is dropped, together with every other inbound protocol not listed, because the default INPUT policy is `drop`. Note that setting `iptables_filter_rules` replaces the default list rather than extending it, which is why the OpenSSH rule is restated here.

```yaml
- hosts: all
  vars:
    iptables_filter_rules:
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 22
        comment: OpenSSH
        target: accept
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 80
        comment: HTTP
        target: accept
  roles:
    - sbaerlocher.iptables
```

Install and configure iptables with a DNAT rule that redirects inbound HTTP (TCP/80) to 192.168.88.88:8080. The filter rule below only matches the INPUT chain, i.e. packets the kernel delivers to this host itself. If 192.168.88.88 is a different machine, the redirected packets traverse the FORWARD chain instead (whose default policy in this role is `drop`) and carry destination port 8080 after DNAT, and the kernel additionally needs `net.ipv4.ip_forward=1`; this playbook provides neither, so test the forward with a real client before relying on it.

```yaml
- hosts: all
  vars:
    iptables_filter_rules:
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 80
        comment: HTTP
        target: accept
    iptables_nat_rules:
      - chain: prerouting
        protocol: tcp
        destination_port: 80
        target: dnat
        to_destination: 192.168.88.88
        to_port: 8080
  roles:
    - sbaerlocher.iptables
```
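A fuller playbook, added here as an example and not part of the role's own README, that configures both address families explicitly and restricts SSH to a management network instead of `0.0.0.0/0`. It assumes that `ip6tables_filter_rules` entries take the same keys as the IPv4 ones and that `source_address` accepts an IPv6 prefix; the host group `webservers` and the management prefixes `10.0.0.0/24` and `2001:db8:1::/64` are placeholders.

```yaml
# Added example (not from the sbaerlocher.iptables README): dual-stack host
# firewall that keeps SSH reachable over IPv6 as well as IPv4.
# Assumed: ip6tables_filter_rules accepts the same keys as iptables_filter_rules,
# and source_address accepts IPv6 prefixes such as ::/0.
- hosts: webservers          # placeholder inventory group
  vars:
    # Policies spelled out rather than inherited from the role defaults,
    # so a reader of this playbook sees the whole stance.
    iptables_filter_input_policy: drop
    iptables_filter_forward_policy: drop
    iptables_filter_output_policy: accept
    ip6tables_filter_input_policy: drop
    ip6tables_filter_forward_policy: drop
    ip6tables_filter_output_policy: accept

    # IPv4: SSH only from the management network (placeholder 10.0.0.0/24),
    # web ports from anywhere.
    iptables_filter_rules:
      - chain: input
        protocol: tcp
        source_address: 10.0.0.0/24
        destination_port: 22
        comment: OpenSSH from management network
        target: accept
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 80
        comment: HTTP
        target: accept
      - chain: input
        protocol: tcp
        source_address: 0.0.0.0/0
        destination_port: 443
        comment: HTTPS
        target: accept

    # IPv6: same shape as the IPv4 list. Without this list the role's default
    # (empty rules, INPUT drop) would cut off SSH over IPv6.
    ip6tables_filter_rules:
      - chain: input
        protocol: tcp
        source_address: 2001:db8:1::/64   # placeholder management prefix
        destination_port: 22
        comment: OpenSSH from management network
        target: accept
      - chain: input
        protocol: tcp
        source_address: ::/0
        destination_port: 80
        comment: HTTP
        target: accept
      - chain: input
        protocol: tcp
        source_address: ::/0
        destination_port: 443
        comment: HTTPS
        target: accept
  roles:
    - sbaerlocher.iptables
```

Because an Ansible variable override replaces the default list rather than merging with it, every playbook that sets `iptables_filter_rules` must restate the SSH rule, as this one does; a playbook that lists only HTTP would lock you out on its next run. Apply it to a single host first (for example with `--limit`) and verify with `iptables -S INPUT` and `ip6tables -S INPUT` from a session on a different path than the one you are protecting.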

Changelog

2.4

  • add default value for ipv6
  • fix problem with ipv6

2.3

  • add support for ipv6

2.2

  • fix problems with ubuntu

2.1

  • fix problems with centos

2.0

  • new structure
  • new tests

1.0

  • Initial release

Author

License

This project is under the MIT License. See the LICENSE file for the full license text.

Copyright

(c) 2018, Simon Bärlocher