ISTI-ansible-roles
/
ansible-role-linux-firewall
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Configure a set of firewall rules on a linux system.
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
35 Commits
1 Branch
0 Tags
155 KiB
Jinja 100%
 
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Go to file
Andrea Dell'Amico edb2e22199
Fix a conditional. 		2 months ago
defaults Separate ipv4 and ipv6 default policies. 2 years ago
files Merge the iptables and firewalld roles. 4 years ago
handlers Fix a conditional. 2 months ago
meta Stop the iptables service when disabled. 7 months ago
tasks Do not flush the fw rules when docker is present. 6 months ago
templates Always define a multicast network for jgroups 1 year ago
tests Initial commit 4 years ago
vars Initial commit 4 years ago
.gitignore Add a .gitignore file. 7 months ago
LICENSE Initial commit 4 years ago
README.md Merge the iptables and firewalld roles. 4 years ago

README.md
Unescape Escape

Role Name

A role that configures firewall rules on a Linux system

Role Variables

The most important variables are listed below:

# Base iptables rules, they use netfilter-persistent
iptables:
  tcp_rules: True
  tcp:
    - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
  udp_rules: True
  udp:
    - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
iptables_default_policy: ACCEPT
iptables_nat_enabled: False
iptables_nat_specify_interfaces: True
iptables_post_nat_enabled: False
iptables_nat_interfaces:
  - '{{ ansible_default_ipv4.interface }}'
iptables_input_default_policy: '{{ iptables_default_policy }}'
iptables_forward_default_policy: '{{ iptables_default_policy }}'
iptables_banned_default_policy: DROP
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
nagios_enabled: False
tomcat_cluster_enabled: False
# Another variable needs to be defined before the db rules are set
psql_firewall_enabled: True
mysql_firewall_enabled: True
#
# Firewalld (CentOS only)
#
firewalld_enabled: True
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: True

firewalld_rules:
#  - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
#  - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
#  - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }

#firewalld_new_services:
#  - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }

# We execute direct rules as they are written
# firewalld_direct_rules:
#   - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }

# firewalld_zones_interfaces:
#  - { interface: 'eth1', zone: 'internal' }

Dependencies

None

License

EUPL-1.2

Author Information

Andrea DellAmico, andrea.dellamico@isti.cnr.it