Skip to content

hispanico/ansible-iptables

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
defaults
defaults
 
 
handlers
handlers
 
 
meta
meta
 
 
tasks
tasks
 
 
templates
templates
 
 
tests
tests
 
 
vars
vars
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

ansible-iptables

Build Status Galaxy

Install and configures iptables for IPv4 and IPv6.

Requirements

This role requires Ansible 2.4 or higher.

Role Variables

Default values:

#### IPv4 ####
iptables_enabled: yes                   # The role is enabled
iptables_logging: yes                   # Log dropped packets

iptables_deny_all : yes                 # Deny all except allowed


## Filter Table ##
iptables_allowed_sources: []            # List of allowed source

iptables_allowed_tcp_ports: [22]        # List of allowed tcp ports

iptables_allowed_udp_ports: []          # List of allowed udp ports

iptables_filter_rules:                  # List of custom filter table rules
  # Accept icmp ping requests.
  - -A INPUT -p icmp -j ACCEPT

  # Allow DHCP traffic
  - -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

  # Allow NTP traffic for time synchronization.
  - -A OUTPUT -p udp --dport 123 -j ACCEPT
  - -A INPUT -p udp --sport 123 -j ACCEPT

## Nat Table ##
iptables_forwarded_tcp_ports: []        # Forward tcp ports
                                        # Ex. iptables_forwarded_tcp_ports:
                                        #       - { from: 22, to: 2222 }

iptables_forwarded_udp_ports: []        # Ex. iptables_forwarded_udp_ports:
                                        #       - { from: 22, to: 2222 }

iptables_dnat_tcp: []                   # DNAT tcp rules
                                        # Ex. iptables_dnat_tcp:
                                        #       - { in_interface: eth0, from: 2222, to: '192.168.0.100:22' }

iptables_dnat_udp: []                   # DNAT udp rules
                                        # Ex. iptables_dnat_udp:
                                        #       - { in_interface: eth0, from: 2222, to: '192.168.0.100:22' }

iptables_snat: []                       # SNAT rules
                                        # Ex. iptables_snat:
                                        #       - { out_interface: eth0, from: '10.0.0.0/24', to: 192.168.0.1 }

iptables_masquerade: []                 # MASQUERADE rules
                                        # Ex. iptables_masquerade:
                                        #       - { out_interface: eth0, from: 10.0.0.0/24 }

iptables_nat_rules: []                  # List of custom nat table rules
                                        # Ex. iptables_nat_rules:
                                        #     - -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.1

## Mangle Table ##
iptables_mangle_rules: []               # List of custom mangle table rules
                                        # Ex. iptables_nat_rules:
                                        #     - -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

## Raw Table ##
iptables_raw_table_enabled: no
iptables_raw_rules: []                  # List of custom raw table rules

#### IPv6 ####
ip6tables_enabled: yes                  # The role is enabled
ip6tables_logging: yes                  # Log dropped packets

## Filter Table ##
ip6tables_allowed_sources: []           # List of allowed source

ip6tables_allowed_tcp_ports: [22]       # List of allowed tcp ports

ip6tables_allowed_udp_ports: []         # List of allowed udp ports

ip6tables_filter_rules:                 # List of custom filter table rules
  # Accept icmp ping requests.
  - -A INPUT -p icmpv6 -j ACCEPT

  # Allow NTP traffic for time synchronization.
  - -A OUTPUT -p udp --dport 123 -j ACCEPT
  - -A INPUT -p udp --sport 123 -j ACCEPT

  # Allow DHCPv6
  - -A OUTPUT -p udp --dport 546 -j ACCEPT
  - -A INPUT -p udp --sport 546 -j ACCEPT
  - -A OUTPUT -p udp --dport 547 -j ACCEPT
  - -A INPUT -p udp --sport 547 -j ACCEPT

## Nat Table ##
ip6tables_forwarded_tcp_ports: []       # Forward tcp ports
                                        # Ex. iptables_forwarded_tcp_ports:
                                        #       - { from: 22, to: 2222 }

ip6tables_forwarded_udp_ports: []       # Ex. iptables_forwarded_udp_ports:
                                        #       - { from: 22, to: 2222 }

ip6tables_dnat_tcp: []                  # DNAT tcp rules
                                        # Ex. iptables_dnat_tcp:
                                        #       - { in_interface: eth0, from: 2222, to: '[2001:555:111:01::1]:22' }

ip6tables_dnat_udp: []                  # DNAT udp rules
                                        # Ex. iptables_dnat_udp:
                                        #       - { in_interface: eth0, from: 2222, to: '[2001:555:111:01::1]:22' }

ip6tables_snat: []                      # SNAT rules
                                        # Ex. iptables_snat:
                                        #       - { out_interface: eth0, from: '2001:555:111:02::1/64', to: '2001:555:111:01::1' }

ip6tables_masquerade: []                # MASQUERADE rules
                                        # Ex. iptables_masquerade:
                                        #       - { out_interface: eth0, from: '2001:555:111:02::1/64' }

ip6tables_nat_rules: []                 # List of custom nat table rules
                                        # Ex. iptables_nat_rules:
                                        #     - -A POSTROUTING -s '2001:555:111:02::1/64' -o eth0 -j SNAT --to-source '2001:555:111:01::1'

## Mangle Table ##
ip6tables_mangle_rules: []              # List of custom mangle table rules

Debian/Ubuntu values:

iptables_confdir: /etc/iptables

iptables_rules_path: "{{ iptables_confdir }}/rules.v4"  # Path iptables to rule file

ip6tables_rules_path: "{{ iptables_confdir }}/rules.v6" # Path ip6tables to rule file

RedHat/CentOS values:

iptables_confdir: /etc/sysconfig

iptables_rules_path: "{{ iptables_confdir }}/iptables"  # Path to rule file

ip6tables_rules_path: "{{ iptables_confdir }}/ip6tables"  # Path to rule file

Dependencies

None.

Example Playbook

  - hosts: all
    roles:
      - ansible-iptables
    vars:
      iptables_allowed_sources:
        - 192.168.0.0/24
      iptables_allowed_tcp_ports:
        - 22
        - 80
        - 443
      iptables_filter_rules:
        - -A INPUT -p icmp -j ACCEPT
        - -A OUTPUT -p udp --dport 123 -j ACCEPT
        - -A INPUT -p udp --sport 123 -j ACCEPT
      ip6tables_allowed_sources:
        - '2001:555:11::/48'
      ip6tables_allowed_tcp_ports:
        - 22
        - 80
        - 443
      ip6tables_filter_rules:
        - -A INPUT -p icmpv6 -j ACCEPT
        - -A OUTPUT -p udp --dport 123 -j ACCEPT
        - -A INPUT -p udp --sport 123 -j ACCEPT

License

Licensed under the GPLv3 License. See the LICENSE file for details.

Author Information

Hispanico

About

This is a mirror of https://gitlab.ninux.org/hispanico/ansible-iptables

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published