An Ansible Role that configures the host's firewall on Debian / Ubuntu.
The role allows three level of rules definition and overriding. You can change the rules for specific hosts and groups instead of re-defining everything.
firewall_ipv4_rules_default
: Here you can define general configurations.firewall_ipv4_rules_group
: Here you can override or add rules by group.firewall_ipv4_rules_host
: Here you can override or add rules by host.
The same logic works for IPv6 rules with the variables firewall_ipv6_rules_default
, firewall_ipv6_rules_group
and firewall_ipv6_rules_host
.
This role also ensures the creation of custom chains that are used on the defined rules. You can create other chains using the available variables firewall_ipv4_chains_default
, firewall_ipv4_chains_group
, firewall_ipv4_chains_host
, firewall_ipv6_chains_default
, firewall_ipv6_chains_group
and firewall_ipv6_chains_host
.
Currently the role uses iptables
as firewall backend, but it should be easy to use another one.
For more information about how iptables
works, you could read the Arch Linux iptables guide. Also there is a complete guide about rule targets.
None.
Available variables are listed below, along with default values (see defaults/main.yml
):
firewall_ipv4_configure: True
Enable the configuration of the firewall for IPv4 connections.
firewall_ipv6_configure: False
Enable the configuration of the firewall for IPv6 connections.
All the following variables applies to the IPv4 or IPv6 firewall, based on they prefix.
firewall_ipv4_rules_flush: True
firewall_ipv6_rules_flush: True
Flush all existing rules and chains.
firewall_ipv4_default_allow_input: False
firewall_ipv6_default_allow_input: False
Allow connections as default input policy.
firewall_ipv4_default_allow_forward: False
firewall_ipv6_default_allow_forward: False
Allow connections as default forward policy.
firewall_ipv4_default_allow_output: True
firewall_ipv6_default_allow_output: True
Allow connections as default output policy.
firewall_ipv4_input_disallow_invalid: True
firewall_ipv6_input_disallow_invalid: True
Disallow incoming connections with invalid state.
firewall_ipv4_input_allow_localhost: True
firewall_ipv6_input_allow_localhost: True
Allow incoming connections to localhost.
firewall_ipv4_input_allow_icmp_ping: False
firewall_ipv6_input_allow_icmp_ping: False
Allow incoming ping requests.
firewall_ipv4_input_allow_established: True
firewall_ipv6_input_allow_established: True
Allow incoming connections with an established or related state.
firewall_ipv4_input_log_disallowed: True
firewall_ipv6_input_log_disallowed: True
Log all the incoming connections that does not match any rule.
firewall_ipv4_forward_allow_established: False
firewall_ipv6_forward_allow_established: False
Allow forwarding connections with an established or related state.
firewall_ipv4_output_allow_localhost: True
firewall_ipv6_output_allow_localhost: True
Allow incoming connections from localhost.
firewall_ipv4_output_allow_icmp_ping: False
firewall_ipv6_output_allow_icmp_ping: False
Allow outgoing ping responses.
firewall_ipv4_output_disallow_icmp_redirect: True
firewall_ipv6_output_disallow_icmp_redirect: True
Disallow outgoing ICMP redirect responses.
firewall_ipv4_output_allow_established: True
firewall_ipv6_output_allow_established: True
Allow outgoing connections with an established or related state.
firewall_ipv4_nat_prerouting_allow_established: False
firewall_ipv6_nat_prerouting_allow_established: False
Allow prerouting incoming connections with an established or related state.
firewall_ipv4_nat_postrouting_allow_established: False
firewall_ipv6_nat_postrouting_allow_established: False
Allow postrouting outgoing connections with an established or related state.
firewall_ipv4_chains_default:
- name: custom_chain
table: filter
firewall_ipv6_chains_default:
- name: custom_chain
table: filter
Custom chains that should be created. General configuration.
firewall_ipv4_chains_group:
- name: custom_chain
table: filter
firewall_ipv6_chains_group:
- name: custom_chain
table: filter
Custom chains that should be created. Group level configuration.
firewall_ipv4_chains_host:
- name: custom_chain
table: filter
firewall_ipv6_chains_host:
- name: custom_chain
table: filter
Custom chains that should be created. Host level configuration.
firewall_ipv4_rules_default: []
firewall_ipv6_rules_default: []
firewall_ipv4_rules_group: []
firewall_ipv6_rules_group: []
firewall_ipv4_rules_host: []
firewall_ipv6_rules_host: []
The role allows three level of rules definition and overriding. You can change the rules for specific hosts and groups instead of re-defining everything.
Each variable is a list of dictionaries, which should have the structure showed below. Each group
could be overrided of complemented by the other variables, based on the replace
value.
rules
is the list of rules that should be applied to the firewall. All the conditions for the packet are optional and only one target will be used if multiple are defined as True (If none, the packet will be accepted).
firewall_ipv4_rules_group:
- group: Name of the rule group
replace: False
rules:
- table: filter
chain: input
interface_in: eth0
interface_out: eth0
protocol: tcp
icmp_type: echo-request
source: 0.0.0.0/0
sources:
- 127.0.0.1
- 192.168.1.1
source_port: 2048
source_ports:
- 2000
- 2001
destination: 0.0.0.0/0
destinations:
- 127.0.0.1
- 192.168.1.1
destination_port: 22
destination_ports:
- 80
- 443
state_new: True
state_established: False
state_related: False
state_untracked: False
state_snat: False
state_dnat: False
state_invalid: False
limit: 5/m
limit_burst: 10
target_accept: True
target_custom: custom_chain
target_dnat: False
target_dnat_destination: 192.168.10.1
target_drop: False
target_log: False
target_log_ip_options: False
target_log_level: debug
target_log_prefix: INPUT packets
target_log_tcp_options: False
target_log_tcp_sequence: False
target_masquerade: False
target_masquerade_ports: 1000-1500
target_queue: False
target_redirect: False
target_redirect_ports: 1000-1500
target_reject: False
target_reject_with: icmp-host-prohibited
target_return: False
target_snat: False
target_snat_source: 192.168.10.1
target_ulog: False
target_ulog_cprange: 100
target_ulog_nlgroup: 2
target_ulog_prefix: SSH connection attempt
target_ulog_qthreshold: 10
comment: OpenSSH 22/tcp
table
: Table for the rule.filter
,nat
,filter
,mangle
, etc. Default:filter
.chain
: Chain where the rule will be evaluated.input
,output
,postrouting
, custom chain.interface_in
: Match rule against the network interface through which the packet arrives.interface_out
: Match rule against the network interface through which the packet exists the host.protocol
: Match the protocol of the packet.icmp_type
: Match the ICMP type, when using ICMP protocol.source
: Match the IP address of the source of the packet.sources
: Match the IP address of the source of the packet against multiple values.source_port
: Match the source port of the packet.source_ports
: Match the source port of the packet against multiple values.destination
: Match the IP address of the destination of the packet.destinations
: Match the IP address of the destination of the packet against multiple values.destination_port
: Match the destination port of the packet.destination_ports
: Match the destination port of the packet against multiple values.state_new
: Match the state of the packet. It should be NEW.state_established
: Match the state of the packet. It should be ESTABLISHED.state_related
: Match the state of the packet. It should be RELATED.state_untracked
: Match the state of the packet. It should be UNTRACKED.state_snat
: Match the state of the packet. It should be SNAT.state_dnat
: Match the state of the packet. It should be DNAT.state_invalid
: Match the state of the packet. It should be INVALID.limit
: When using the LOG target, limit the matching rate of the rule.limit_burst
: When using the LOG target, maximum initial number of packets to match against the rule.target_accept
: Jump to the ACCEPT target. Let's the packet pass through the chain.target_custom
: Jump to a custom chain.target_dnat
: Jump to the DNAT target. This rewrites the Destination IP address of a packet.target_dnat_destination
: Tells the DNAT mechanism which Destination IP to set in the IP header.target_drop
: Jump to the DROP target. Don't let the packet pass through the chain.target_log
: Jump to the LOG target. Log the packet information to the system syslog.target_log_ip_options
: This option will log most of the IP packet header options.target_log_level
: Tell iptables and syslog which log level to use.target_log_prefix
: Tells iptables to prefix all log messages with a specific prefix.target_log_tcp_options
: This option logs the different options from the TCP packet headers.target_log_tcp_sequence
: This option will log the TCP Sequence numbers, together with the log message.target_masquerade
: The MASQUERADE target is used basically the same as the SNAT target, but it does not require any source option.target_masquerade_ports
: This option is used to set the source port or ports to use on outgoing packets.target_queue
: The QUEUE target is used to queue packets to User-land programs and applications.target_redirect
: The REDIRECT target is used to redirect packets and streams to the machine itself.target_redirect_ports
: This option specifies the destination port, or port range, to use.target_reject
: The REJECT target works basically the same as the DROP target, but it also sends back an error message to the host sending the packet that was blocked.target_reject_with
: This option tells the REJECT target what response to send to the host that sent the packet that we are rejecting.target_return
: The RETURN target will cause the current packet to stop traveling through the chain where it hit the rule. If it is the subchain of another chain, the packet will continue to travel through the superior chains as if nothing had happened. If the chain is the main chain, for example the INPUT chain, the packet will have the default policy taken on it.target_snat
: The SNAT target is used to do Source Network Address Translation, which means that this target will rewrite the Source IP address in the IP header of the packet.target_snat_source
: This option is used to specify which source the packet should use.target_ulog
: The ULOG target is used to provide user-space logging of matching packets. If a packet is matched and the ULOG target is set, the packet information is multicasted together with the whole packet through a netlink socket.target_ulog_cprange
: This option tells the ULOG target how many bytes of the packet to send to the user-space daemon of ULOG.target_ulog_nlgroup
: This option tells the ULOG target which netlink group to send the packet to.target_ulog_prefix
: This option works just the same as the prefix value for the standard LOG target.target_ulog_qthreshold
: This option tells the ULOG target how many packets to queue inside the kernel before actually sending the data to user-space.comment
: Comment for the rule.
None.
- hosts: servers
vars_files:
- vars/main.yml
roles:
- gcoop-libre.firewall
Inside vars/main.yml
:
firewall_ipv4_rules_flush: True
firewall_ipv4_default_allow_input: False
firewall_ipv4_default_allow_forward: False
firewall_ipv4_default_allow_output: True
firewall_ipv4_rules_default:
- group: Allow SSH
rules:
- chain: input
protocol: tcp
destination_port: 22
target_accept: True
firewall_ipv4_rules_group:
- group: Allow SSH
replace: True
rules:
- chain: input
protocol: tcp
source: 192.168.10.1
destination_port: 22
target_accept: True
GPLv2
This role was created in 2017 by gcoop Cooperativa de Software Libre.