Configure a set of firewall rules on a linux system.

Go to file

Andrea Dell'Amico edb2e22199 Fix a conditional.		2024-02-28 15:39:59 +01:00
defaults	Separate ipv4 and ipv6 default policies.	2022-08-03 12:32:41 +02:00
files	Merge the iptables and firewalld roles.	2020-07-10 19:17:56 +02:00
handlers	Fix a conditional.	2024-02-28 15:39:59 +01:00
meta	Stop the iptables service when disabled.	2023-10-02 19:49:40 +02:00
tasks	Do not flush the fw rules when docker is present.	2023-10-26 14:20:04 +02:00
templates	Always define a multicast network for jgroups	2022-12-31 16:54:04 +01:00
tests	Initial commit	2020-07-10 18:04:20 +02:00
vars	Initial commit	2020-07-10 18:04:20 +02:00
.gitignore	Add a .gitignore file.	2023-10-02 19:48:22 +02:00
LICENSE	Initial commit	2020-07-10 18:04:20 +02:00
README.md	Merge the iptables and firewalld roles.	2020-07-10 19:17:56 +02:00

README.md

Role Name

A role that configures firewall rules on a Linux system

Role Variables

The most important variables are listed below:

# Base iptables rules, they use netfilter-persistent
iptables:
  tcp_rules: True
  tcp:
    - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
  udp_rules: True
  udp:
    - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
iptables_default_policy: ACCEPT
iptables_nat_enabled: False
iptables_nat_specify_interfaces: True
iptables_post_nat_enabled: False
iptables_nat_interfaces:
  - '{{ ansible_default_ipv4.interface }}'
iptables_input_default_policy: '{{ iptables_default_policy }}'
iptables_forward_default_policy: '{{ iptables_default_policy }}'
iptables_banned_default_policy: DROP
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
nagios_enabled: False
tomcat_cluster_enabled: False
# Another variable needs to be defined before the db rules are set
psql_firewall_enabled: True
mysql_firewall_enabled: True
#
# Firewalld (CentOS only)
#
firewalld_enabled: True
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: True

firewalld_rules:
#  - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
#  - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
#  - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }

#firewalld_new_services:
#  - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }

# We execute direct rules as they are written
# firewalld_direct_rules:
#   - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }

# firewalld_zones_interfaces:
#  - { interface: 'eth1', zone: 'internal' }

Dependencies

None

License

EUPL-1.2

Author Information

Andrea Dell’Amico, andrea.dellamico@isti.cnr.it

README.md Unescape Escape

Role Name

Role Variables

Dependencies

License

Author Information

README.md