A simple firewall for Linux hosts, based on the common iptables/netfilter commands. This role is inspired by UFW and geerlingguy/firewall.
Changelog:

- `5.0.0` --- updated for ansible-core 2.16; removed support for Ubuntu Xenial and Ubuntu Bionic
- `4.1.1` --- update meta/main.yml
- `4.1.0` --- added support for Ubuntu 24.04
- `4.0.1` --- bug fix, ansible-lint
- `4.0.0` --- update to Ansible 2.12.9
- `3.8.0` --- add RHEL 9 and CentOS Stream 8 support
- `3.7.0` --- add Jammy, remove CentOS 8
- `3.6.0` --- add RHEL 8, remove CentOS 6 and Trusty
- `3.5.0` --- remove Ubuntu Precise from testing
- `3.4.0` --- added Ubuntu Focal, 20.04
- `3.3.2` --- tested with Ansible 2.9.11
- `3.3.1` --- bump, prepare for GitHub
- `3.3.0` --- log invalid packets as `IPT BLOCK INVALID`, renamed `IPTABLES` in log to `IPT`
- `3.2.0` --- added option to limit ping with `firewall_echo_request_from_ipv4` and `firewall_echo_request_from_ipv6`
- `3.1.2` --- install dependencies for check mode in check mode for CentOS
- `3.1.1` --- updated for CentOS 8
- `3.1.0` --- firewall for OpenStack Neutron nodes, set `firewall_is_neutron` to `true`
- `3.0.2` --- satisfy lint, use pipefail when reading in new firewalls
- `3.0.1` --- check if docker is running if `check_mode == true`
- `3.0.0` --- handle docker if docker is running, use the `DOCKER-USER` chain instead of forward
- `2.0.0` --- flush firewall after adding rules only when `firewall_flush_on_change` is set, else append rules
- `1.0.1` --- fix, `ansible-playbook --check` works again
- `1.0.0` --- initial release
- `master` --- latest development version
This role is limited to:
- Ubuntu 24.04 - Noble
- Ubuntu 22.04 - Jammy
- Ubuntu 20.04 - Focal
- CentOS 7
- CentOS Stream 8
- RHEL 8
- RHEL 9
Role variables:

- `firewall_disable_firewalld` --- disable firewalld on RedHat systems, default `true`
- `firewall_disable_ufw` --- disable ufw on Debian based systems, default `true`
- `firewall_is_neutron` --- is this an OpenStack Neutron node, default `false`
- `firewall_flush_on_change` --- flush the firewall when rules have changed, else only apply new rules, default `false`
- `firewall_enable_on_boot` --- enable the firewall on boot, default `true`
- `firewall_log_enabled` --- enable firewall logging, default `true`
- `firewall_log_level` --- how much to log of dropped packets, default `-m limit --limit 3/min --limit-burst 10`
- `firewall_enable_ipv4_forward` --- enable IPv4 forwarding, default `false`
- `firewall_enable_ipv6_forward` --- enable IPv6 forwarding, default `false`
- `firewall_policy_input`, `firewall_policy_forward`, `firewall_policy_output` --- set the policies for the firewall, default `ACCEPT`
  - `ACCEPT` --- accept all packets
  - `DROP` --- drop packets silently
- `firewall_default_raw_ipv4` --- lines with raw iptables rules, default `'-A fw4-input -p tcp -m tcp --dport 22 -j ACCEPT'`. Use the following chain names, see the examples for more context:
  - `fw4-input` --- input chain IPv4, used when `firewall_policy_input` is set to `DROP`
  - `fw4-forward` --- forward chain IPv4, used when `firewall_policy_forward` is set to `DROP`
  - `fw4-output` --- output chain IPv4, used when `firewall_policy_output` is set to `DROP`
- `firewall_default_raw_ipv6` --- lines with raw ip6tables rules, default `'-A fw6-input -p tcp -m tcp --dport 22 -j ACCEPT'`. Use the following chain names, see the examples for more context:
  - `fw6-input` --- input chain IPv6, used when `firewall_policy_input` is set to `DROP`
  - `fw6-forward` --- forward chain IPv6, used when `firewall_policy_forward` is set to `DROP`
  - `fw6-output` --- output chain IPv6, used when `firewall_policy_output` is set to `DROP`
- `firewall_raw_ipv4` --- additional lines with raw iptables rules, use the same chain names as in `firewall_default_raw_ipv4`, default `''`
- `firewall_raw_ipv6` --- additional lines with raw ip6tables rules, use the same chain names as in `firewall_default_raw_ipv6`, default `''`
- `firewall_echo_request_from_ipv4` --- comma separated string with addresses/nets to allow ICMP echo requests from, default not defined
- `firewall_echo_request_from_ipv6` --- comma separated string with addresses/nets to allow ICMPv6 echo requests from, default not defined
The RHEL8 image needs to be registered with RedHat to install packages.
Example playbook:

```yaml
- hosts: servers
  roles:
    - role: firewall
      firewall_policy_input: DROP
      firewall_policy_forward: DROP
      firewall_policy_output: ACCEPT
      firewall_enable_ipv4_forward: true
      firewall_enable_ipv6_forward: false
      firewall_log_enabled: true
      # disable external ping
      firewall_echo_request_from_ipv4: 127.0.0.1
      firewall_echo_request_from_ipv6: ::1/128
      firewall_log_level: -m limit --limit 3/hour --limit-burst 5
      firewall_default_raw_ipv4: |
        -A fw4-input -p tcp -m tcp --dport 22 -j ACCEPT
      firewall_raw_ipv4: |
        -A fw4-input -s 10.0.0.0/24 -j ACCEPT
      firewall_default_raw_ipv6: |
        -A fw6-input -p tcp -m tcp --dport 22 -j ACCEPT
      firewall_raw_ipv6: |
        -A fw6-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
```
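As an added example (my own code, not part of the role), a pre-flight check for the `firewall_*raw_ipv4`/`firewall_*raw_ipv6` blocks: it verifies that every line appends to one of the `fw4-*`/`fw6-*` chains of the matching family, flags rules in a chain whose policy is not `DROP` (the role then never consults that chain), and catches an address of the wrong IP family before iptables rejects it. The function name and the shape of the `policies` dict are assumptions; the sample rules are constructed from the playbook above.

```python
"""Sanity checks for the raw rule blocks of the firewall role (hypothetical helper)."""
import ipaddress
import shlex

CHAINS = ("input", "forward", "output")


def check_raw_rules(rules, family, policies):
    """Return a list of problems found in a multi-line block of raw rules.

    rules    -- the string given to firewall_default_raw_ipvN or firewall_raw_ipvN
    family   -- 4 or 6, i.e. which of the two variables the block belongs to
    policies -- e.g. {"input": "DROP", "forward": "DROP", "output": "ACCEPT"};
                a missing key means the role default, ACCEPT
    """
    problems = []
    valid_chains = {f"fw{family}-{c}": c for c in CHAINS}
    for lineno, line in enumerate(rules.splitlines(), start=1):
        if not line.strip():
            continue
        argv = shlex.split(line)
        # Every line must append to one of the role's own chains for this family.
        if len(argv) < 2 or argv[0] != "-A" or argv[1] not in valid_chains:
            problems.append(f"line {lineno}: expected '-A fw{family}-<input|forward|output>'")
            continue
        chain = valid_chains[argv[1]]
        # The role only jumps into fwN-<chain> when that policy is DROP, so a
        # rule here is dead code under an ACCEPT policy.
        if policies.get(chain, "ACCEPT") != "DROP":
            problems.append(f"line {lineno}: fw{family}-{chain} is unused while "
                            f"firewall_policy_{chain} is not DROP")
        # Catch an IPv6 address in an IPv4 block (or vice versa).
        for flag in ("-s", "-d"):
            if flag not in argv or argv.index(flag) + 1 >= len(argv):
                continue
            addr = argv[argv.index(flag) + 1]
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                problems.append(f"line {lineno}: cannot parse address {addr!r}")
                continue
            if net.version != family:
                problems.append(f"line {lineno}: IPv{net.version} address in an ipv{family} rule")
    return problems


if __name__ == "__main__":
    # Constructed sample: the playbook's IPv4 rules plus two mistakes.
    sample = ("-A fw4-input -p tcp -m tcp --dport 22 -j ACCEPT\n"
              "-A fw4-input -s 10.0.0.0/24 -j ACCEPT\n"
              "-A fw4-input -s fe80::/10 -j ACCEPT\n"   # wrong family
              "-A fw4-output -j ACCEPT\n")              # output policy is ACCEPT
    for p in check_raw_rules(sample, 4, {"input": "DROP", "forward": "DROP"}):
        print(p)
```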
To test RHEL 8 with Vagrant, install the `vagrant-registration` plugin:

```shell
vagrant plugin install vagrant-registration
cd tests
vagrant up
```

Run the role on all OSes again:

```shell
vagrant provision
```

This uses cluster ssh (cssh) to work with all Vagrant boxes at the same time:

```shell
vagrant ssh-config > ~/.ssh/config
grep '^Host' ~/.ssh/config | cut -d' ' -f2 | xargs cssh
```
License: GPLv2

Created 2019 by IT Infrastructure at MET Norway

Contact point: IT Infrastructure Basis Team