An Ansible role that configures a host firewall on RHEL-derived distributions, transparently using whichever backend is appropriate for the OS:
| Backend | Distributions |
|---|---|
iptables |
EL7 (RHEL/CentOS 7), Amazon Linux 2 |
firewalld |
EL8+ (RHEL/CentOS/Rocky/Alma/Oracle 8, 9, 10), Amazon Linux 2023 |
By default the role auto-detects the right backend from the OS major version,
so the same playbook works across a mixed fleet of old and new hosts. You can
override the choice explicitly (see iptables_use_firewalld).
Optionally, the role can install and configure sshguard for SSH brute-force protection on either backend.
Scope: This role only targets RHEL-derived distributions. It is not tested on Debian/Ubuntu and makes no attempt to support them.
-
Ansible 2.12 or newer.
-
The
ansible.posixcollection (providesansible.posix.firewalld, used by the firewalld backend):ansible-galaxy collection install -r requirements.yml
-
Privilege escalation (
become: true) on the target host.
All variables are namespaced with the iptables_ prefix. Defaults are defined in
defaults/main.yml.
| Variable | Default | Description |
|---|---|---|
iptables_use_firewalld |
(auto) | true forces the firewalld backend, false forces iptables. Leave unset to auto-detect: firewalld on EL8+/Amazon Linux 2023, iptables on EL7/Amazon Linux 2. |
| Variable | Default | Description |
|---|---|---|
iptables_service_ports |
{} |
Mapping of name → rule for ports/protocols to open. |
iptables_allowed_sources |
{} |
Mapping of service name → comma-separated source CIDRs to restrict a port to. iptables backend only (see note below). |
iptables_nat_ports |
{} |
Mapping of name → rule for port redirection (NAT/REDIRECT). |
iptables_service_ports rule fields:
proto:tcp,udp, oricmp.range: port or port range (e.g.'22'or'22:22'or'8000:8100'). Omit foricmp.
iptables_nat_ports rule fields:
proto:tcporudp.port: the incoming port to redirect.to_port: the local port to redirect to.
Note on
iptables_allowed_sources: source restriction is currently implemented only for the iptables backend. Under firewalld, ports are opened in the active zone without per-source rich rules. If you need source-restricted ports under firewalld, open an issue or use zone-based source assignment in your own playbook.
Lockout protection: if
iptables_service_portsis empty, the iptables backend still emits a defaultACCEPTrule for TCP/22 so you can't lock yourself out over SSH.
| Variable | Default | Description |
|---|---|---|
iptables_sshguard_enabled |
false |
Install and configure sshguard. |
iptables_sshguard_threshold |
50 |
Attack score threshold before blocking. |
iptables_sshguard_block_time |
1800 |
Seconds to block an offender (grows on repeat). |
iptables_sshguard_detection_time |
7200 |
Seconds over which attacks are remembered. |
iptables_sshguard_whitelist |
[] |
List of addresses/CIDRs that are never blocked. |
The sshguard firewall backend (sshg-fw-iptables vs sshg-fw-firewalld) is
selected automatically to match iptables_use_firewalld.
None (role dependencies). The firewalld backend requires the ansible.posix
collection — see Requirements.
- hosts: webservers
become: true
roles:
- role: rhythmic.iptables
vars:
iptables_service_ports:
ssh: { proto: tcp, range: '22:22' }
http: { proto: tcp, range: '80:80' }
https: { proto: tcp, range: '443:443' }
icmp: { proto: icmp }- hosts: legacy
become: true
roles:
- role: rhythmic.iptables
vars:
iptables_use_firewalld: false
iptables_service_ports:
ssh: { proto: tcp, range: '22:22' }
iptables_allowed_sources:
ssh: 172.28.128.0/24,10.0.2.0/24- hosts: app
become: true
roles:
- role: rhythmic.iptables
vars:
iptables_service_ports:
ssh: { proto: tcp, range: '22:22' }
jetty: { proto: tcp, range: '8080:8080' }
iptables_nat_ports:
jetty: { proto: tcp, port: 80, to_port: 8080 }
iptables_sshguard_enabled: true
iptables_sshguard_whitelist:
- 172.28.128.0/24All tasks are tagged iptables; sshguard tasks are additionally tagged
sshguard. Run only the sshguard configuration with:
ansible-playbook site.yml --tags sshguardProprietary — see LICENSE. © Rhythmic Technologies, Inc.
Rhythmic Technologies, Inc.