Simple iptables wrapper to create persistent rules for IPv4 and IPv6.

`firewall_rules`: a list of firewall rules. Each rule takes the parameters in the table below; the playbook examples further down also use `ports`, a list of port numbers the rule matches.
| Parameter | Required | Default | Options |
|---|---|---|---|
| chain | yes | - | INPUT, OUTPUT, FORWARD |
| protocols | no | [tcp, udp] | tcp, udp |
| ip_versions | no | [IPv4, IPv6] | IPv4, IPv6 |
| action | no | ACCEPT | ACCEPT, DROP, REJECT |
| sources | no | - | e.g. 127.0.0.1 or 192.168.0.0/24 |
| destinations | no | - | e.g. 127.0.0.1 or 192.168.0.0/24 |
`firewall_policies` define the default behaviour for traffic that no entry in `firewall_rules` matches. With the defaults below only outgoing traffic is allowed; incoming and forwarded packets that no rule accepts are dropped:

```yaml
firewall_policies:
  input: DROP
  output: ACCEPT
  forward: DROP
```

Because `input: DROP` applies to everything not explicitly accepted, make sure the rule set you push to a remote host accepts the port you manage it over (typically SSH, 22/tcp) before the policy takes effect, or you will lock yourself out.
By default the firewall is configured to answer ICMP echo requests (ping). Set this value so that ping is not explicitly allowed; incoming ICMP is then handled by the `input` policy in `firewall_policies`, which drops it with the default settings.
Remote (temporary) directory to which the compiled firewall rules are uploaded. Expects a string with an absolute directory path; the directory is created automatically and owned by the root user. Because the uploaded rules are applied with root privileges, choose a path that unprivileged users cannot write to rather than a shared location such as `/tmp`.
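To make the mapping from the parameters above (chain, protocols, ip_versions, action, sources, destinations, ports) and from `firewall_policies` to actual iptables/ip6tables commands concrete, here is an added example of a small rule compiler. It is not the gronke.firewall role's own code: the role's real compile step and output format are not shown on this page, so the one-line-per-combination layout, the use of the `multiport` match for ports, and the allowlist checks are assumptions. It does show two things a practitioner cares about: every value is validated before it lands in a root-executed command line, and a rule whose `sources`/`destinations` are all IPv4 produces no ip6tables rule at all instead of an unrestricted one.

```python
"""Compile a firewall_rules / firewall_policies structure into
iptables and ip6tables command lines.

Added example, not the gronke.firewall role's own code; the rule layout
and the allowlist checks are assumptions about what such a role might do.
"""
import ipaddress

BINARIES = {"IPv4": "iptables", "IPv6": "ip6tables"}
DEFAULT_POLICIES = {"input": "DROP", "output": "ACCEPT", "forward": "DROP"}
VALID_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
VALID_ACTIONS = {"ACCEPT", "DROP", "REJECT"}
VALID_PROTOCOLS = {"tcp", "udp"}
# A built-in chain policy can only be ACCEPT or DROP; REJECT is not a valid -P target.
VALID_POLICIES = {"ACCEPT", "DROP"}


def _check(value, allowed, what):
    # Every value ends up inside a root-executed command line, so allowlist it
    # instead of trusting whatever the inventory contains.
    if value not in allowed:
        raise ValueError("invalid %s: %r (allowed: %s)" % (what, value, sorted(allowed)))
    return value


def _family(address):
    # "IPv4" or "IPv6"; raises ValueError for anything that is not an address
    # or CIDR network (including shell metacharacters smuggled into a source).
    return "IPv%d" % ipaddress.ip_network(address, strict=False).version


def _for_family(addresses, version):
    # No addresses given: a single unrestricted rule (None placeholder).
    # Addresses given: only those of this family. An empty result tells the
    # caller to emit nothing for this family rather than an unrestricted rule.
    if not addresses:
        return [None]
    return [a for a in addresses if _family(a) == version]


def compile_policies(policies=None):
    """Default-chain policies for both address families, defaults merged in."""
    merged = dict(DEFAULT_POLICIES, **(policies or {}))
    lines = []
    for binary in BINARIES.values():
        for chain in ("input", "output", "forward"):
            action = _check(merged[chain], VALID_POLICIES, "policy")
            lines.append("%s -P %s %s" % (binary, chain.upper(), action))
    return lines


def compile_rule(rule):
    """One -A line per ip_version x protocol x source x destination."""
    chain = _check(rule["chain"], VALID_CHAINS, "chain")
    action = _check(rule.get("action", "ACCEPT"), VALID_ACTIONS, "action")
    protocols = [_check(p, VALID_PROTOCOLS, "protocol") for p in rule.get("protocols", ["tcp", "udp"])]
    versions = [_check(v, set(BINARIES), "ip_version") for v in rule.get("ip_versions", ["IPv4", "IPv6"])]
    ports = [int(p) for p in rule.get("ports", [])]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range: %r" % ports)
    lines = []
    for version in versions:
        sources = _for_family(rule.get("sources", []), version)
        destinations = _for_family(rule.get("destinations", []), version)
        if not sources or not destinations:
            continue  # e.g. IPv4-only sources: no ip6tables rule at all
        for proto in protocols:
            for src in sources:
                for dst in destinations:
                    parts = [BINARIES[version], "-A", chain, "-p", proto]
                    if src:
                        parts += ["-s", src]
                    if dst:
                        parts += ["-d", dst]
                    if ports:
                        parts += ["-m", "multiport", "--dports", ",".join(map(str, ports))]
                    parts += ["-j", action]
                    lines.append(" ".join(parts))
    return lines


def compile_ruleset(rules, policies=None):
    """Policies first, then rules; apply atomically (iptables-restore) in practice."""
    lines = compile_policies(policies)
    for rule in rules:
        lines.extend(compile_rule(rule))
    return lines


if __name__ == "__main__":
    # Constructed input: the "drop SMTP, accept everything else" playbook example.
    for line in compile_ruleset(
        [{"chain": "INPUT", "ports": [25], "action": "DROP"}],
        {"input": "ACCEPT", "output": "ACCEPT", "forward": "DROP"},
    ):
        print(line)
```

Feeding the first playbook example (`chain: INPUT`, `protocols: [tcp]`, `ports: [80, 443]`) through `compile_rule` yields one iptables and one ip6tables line; adding `sources: [192.168.0.0/24]` yields iptables lines only, because a source restriction that cannot be expressed for IPv6 must not silently become "any source".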
This role can be pulled in as a git submodule of an existing Ansible playbook repository:

```
git submodule add https://github.com/gronke/ansible-firewall.git roles/gronke.firewall
```

The name used with `role:` in a playbook must match the directory name under `roles/`. The examples below reference the role as `firewall`, so either check it out as `roles/firewall` or reference it as `gronke.firewall`.
Allow HTTP and HTTPS (TCP ports 80 and 443) for both IPv4 and IPv6:

```yaml
- role: firewall
  firewall_rules:
    - chain: INPUT
      protocols:
        - tcp
      ports:
        - 80
        - 443
```

Allow HTTP and HTTPS over IPv6 only:

```yaml
- role: firewall
  firewall_rules:
    - chain: INPUT
      ip_versions:
        - IPv6
      protocols:
        - tcp
      ports:
        - 80
        - 443
```

Accept all incoming traffic by default but drop SMTP (port 25). With `input: ACCEPT` everything you do not explicitly drop is allowed, so this is a blocklist; the role's default of `input: DROP` plus explicit ACCEPT rules is the safer design:

```yaml
- role: firewall
  firewall_policies:
    input: ACCEPT
    output: ACCEPT
    forward: DROP
  firewall_rules:
    - chain: INPUT
      ports:
        - 25
      action: DROP
```