Skip to content

rhythmictech/ansible-role-iptables

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ansible-role-iptables

An Ansible role that configures a host firewall on RHEL-derived distributions, transparently using whichever backend is appropriate for the OS:

Backend Distributions
iptables EL7 (RHEL/CentOS 7), Amazon Linux 2
firewalld EL8+ (RHEL/CentOS/Rocky/Alma/Oracle 8, 9, 10), Amazon Linux 2023

By default the role auto-detects the right backend from the OS major version, so the same playbook works across a mixed fleet of old and new hosts. You can override the choice explicitly (see iptables_use_firewalld).

Optionally, the role can install and configure sshguard for SSH brute-force protection on either backend.

Scope: This role only targets RHEL-derived distributions. It is not tested on Debian/Ubuntu and makes no attempt to support them.

Requirements

  • Ansible 2.12 or newer.

  • The ansible.posix collection (provides ansible.posix.firewalld, used by the firewalld backend):

    ansible-galaxy collection install -r requirements.yml
  • Privilege escalation (become: true) on the target host.

Role Variables

All variables are namespaced with the iptables_ prefix. Defaults are defined in defaults/main.yml.

Backend selection

Variable Default Description
iptables_use_firewalld (auto) true forces the firewalld backend, false forces iptables. Leave unset to auto-detect: firewalld on EL8+/Amazon Linux 2023, iptables on EL7/Amazon Linux 2.

Opening ports

Variable Default Description
iptables_service_ports {} Mapping of name → rule for ports/protocols to open.
iptables_allowed_sources {} Mapping of service name → comma-separated source CIDRs to restrict a port to. iptables backend only (see note below).
iptables_nat_ports {} Mapping of name → rule for port redirection (NAT/REDIRECT).

iptables_service_ports rule fields:

  • proto: tcp, udp, or icmp.
  • range: port or port range (e.g. '22' or '22:22' or '8000:8100'). Omit for icmp.

iptables_nat_ports rule fields:

  • proto: tcp or udp.
  • port: the incoming port to redirect.
  • to_port: the local port to redirect to.

Note on iptables_allowed_sources: source restriction is currently implemented only for the iptables backend. Under firewalld, ports are opened in the active zone without per-source rich rules. If you need source-restricted ports under firewalld, open an issue or use zone-based source assignment in your own playbook.

Lockout protection: if iptables_service_ports is empty, the iptables backend still emits a default ACCEPT rule for TCP/22 so you can't lock yourself out over SSH.

sshguard

Variable Default Description
iptables_sshguard_enabled false Install and configure sshguard.
iptables_sshguard_threshold 50 Attack score threshold before blocking.
iptables_sshguard_block_time 1800 Seconds to block an offender (grows on repeat).
iptables_sshguard_detection_time 7200 Seconds over which attacks are remembered.
iptables_sshguard_whitelist [] List of addresses/CIDRs that are never blocked.

The sshguard firewall backend (sshg-fw-iptables vs sshg-fw-firewalld) is selected automatically to match iptables_use_firewalld.

Dependencies

None (role dependencies). The firewalld backend requires the ansible.posix collection — see Requirements.

Example Playbooks

Auto-detect backend, open SSH + HTTP/HTTPS

- hosts: webservers
  become: true
  roles:
    - role: rhythmic.iptables
      vars:
        iptables_service_ports:
          ssh:   { proto: tcp, range: '22:22' }
          http:  { proto: tcp, range: '80:80' }
          https: { proto: tcp, range: '443:443' }
          icmp:  { proto: icmp }

Restrict SSH to management subnets (iptables hosts)

- hosts: legacy
  become: true
  roles:
    - role: rhythmic.iptables
      vars:
        iptables_use_firewalld: false
        iptables_service_ports:
          ssh: { proto: tcp, range: '22:22' }
        iptables_allowed_sources:
          ssh: 172.28.128.0/24,10.0.2.0/24

Port redirection (NAT) + sshguard

- hosts: app
  become: true
  roles:
    - role: rhythmic.iptables
      vars:
        iptables_service_ports:
          ssh:   { proto: tcp, range: '22:22' }
          jetty: { proto: tcp, range: '8080:8080' }
        iptables_nat_ports:
          jetty: { proto: tcp, port: 80, to_port: 8080 }
        iptables_sshguard_enabled: true
        iptables_sshguard_whitelist:
          - 172.28.128.0/24

Tags

All tasks are tagged iptables; sshguard tasks are additionally tagged sshguard. Run only the sshguard configuration with:

ansible-playbook site.yml --tags sshguard

License

Proprietary — see LICENSE. © Rhythmic Technologies, Inc.

Author Information

Rhythmic Technologies, Inc.

About

No description, website, or topics provided.

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages