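├── .bumpversion.cfg
├── .travis.yml
├── CONTRIBUTORS
├── LICENSE
├── Makefile
├── README.md
├── defaults
│   └── main.yml
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── iptables.yml
│   └── main.yml
├── templates
│   └── etc
│       ├── iptables.rules.j2
│       └── network
│           └── if-up.d
│               └── iptables_load.j2
├── test.yml
└── vars
    ├── Debian.yml
    └── RedHat.yml

--------------------------------------------------------------------------------
/.bumpversion.cfg:
--------------------------------------------------------------------------------
[bumpversion]
commit = True
current_version = 1.1.4
tag = True
tag_name = {new_version}

--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
---
language: python
python: "2.7"
before_install:
  - sudo apt-get update -qq
  - sudo apt-get install -qq python-apt python-pycurl
install:
  # Quoted: an unquoted '>' is a shell redirection, which would install the
  # newest ansible and write pip's output to a file named "=1.6.0".
  - pip install 'ansible>=1.6.0'
script:
  # Prepare tests
  - echo localhost > inventory

  # Check syntax
  - ansible-playbook --syntax-check -i inventory test.yml

  # First run
  # NOTE(review): --sudo is the legacy spelling; newer ansible-playbook
  # releases expect --become — confirm against the pinned version.
  - ansible-playbook -i inventory test.yml --connection=local --sudo

  # Second run: idempotence test
  - >
    ansible-playbook -i inventory test.yml --connection=local --sudo
    | grep -q 'changed=0.*failed=0'
    && (echo 'Idempotence test: pass' && exit 0)
    || (echo 'Idempotence test: fail' && exit 1)

  # Check that the role actually loaded rules (a tcp ACCEPT rule must exist)
  - sudo iptables -L -n | grep tcp

--------------------------------------------------------------------------------
/CONTRIBUTORS:
--------------------------------------------------------------------------------
Contributors:

* Kirill Klenov (http://klen.github.io/)
* Adham Helal (https://github.com/ahelal)
* David L Ballenger (https://github.com/davidlballenger)
* Joonas Kylmälä (https://github.com/kirjastojk)
* Vilmos Nebehaj (https://github.com/ldx)
* ldx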
(https://github.com/ldx)

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 Stouts

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
.PHONY: release major minor patch

VERSION?=minor
release:
	@bumpversion $(VERSION)
	@git checkout master
	@git merge develop
	@git checkout develop
	@git push --all
	@git push --tags
	@git checkout develop

major:
	make release VERSION=major

minor:
	make release VERSION=minor

patch:
	make release VERSION=patch

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Stouts.iptables
===============

[![Build Status](http://img.shields.io/travis/Stouts/Stouts.iptables.svg?style=flat-square)](https://travis-ci.org/Stouts/Stouts.iptables)
[![Galaxy](http://img.shields.io/badge/galaxy-Stouts.iptables-blue.svg?style=flat-square)](https://galaxy.ansible.com/Stouts/iptables)

Ansible role which manages iptables

#### Variables

The role variables and default values.

```yaml
iptables_enabled: yes # The role is enabled
iptables_logging: yes # Log dropped packets

iptables_deny_all : yes # deny all except allowed

iptables_rules_path: /etc/iptables.rules # Path to rule file
iptables_load_path: /etc/network/if-up.d/iptables_load # Set empty to prevent loading

iptables_allowed_tcp_ports: [22, 25, 80, 443] # List of allowed tcp ports
iptables_forwarded_tcp_ports: [] # Forward tcp ports
# Ex. iptables_forwarded_tcp_ports:
#   - { from: 22, to: 2222 }

iptables_allowed_udp_ports: [] # List of allowed udp ports
iptables_forwarded_udp_ports: [] # Ex. iptables_forwarded_udp_ports:
#   - { from: 22, to: 2222 }

iptables_raw_rules: [] # List of raw rules
# Ex.
#   iptables_raw_rules:
#   - -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#   - -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
```

#### Usage

Add `Stouts.iptables` to your roles and set up the variables in your playbook file.
Example:

```yaml

- hosts: all

  roles:
    - Stouts.iptables

  vars:
    iptables_allowed_tcp_ports: [22]
    iptables_forwarded_tcp_ports:
      - {from: 22, to: 2222}
```

#### License

Licensed under the MIT License. See the LICENSE file for details.

#### Feedback, bug-reports, requests, ...

Are [welcome](https://github.com/Stouts/Stouts.iptables/issues)!

If you wish to express your appreciation for the role, you are welcome to send
a postcard to:

    Kirill Klenov
    pos. Severny 8-3
    MO, Istra, 143500
    Russia

--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---

iptables_enabled: yes # The role is enabled
iptables_logging: yes # Log dropped packets

iptables_flush_all: yes # Flush and remove all chains
iptables_deny_all : yes # Deny all except allowed

iptables_confdir: /etc/iptables
iptables_rules_path: "{{ iptables_confdir }}/rules.v4" # Path to rule file

iptables_load_path: /etc/network/if-up.d/iptables_load # Set empty to prevent loading

iptables_allowed_tcp_ports: [22, 25, 80, 443] # List of allowed tcp ports
iptables_forwarded_tcp_ports: [] # Forward tcp ports
# Ex. iptables_forwarded_tcp_ports:
#   - { from: 22, to: 2222 }

iptables_allowed_udp_ports: [] # List of allowed udp ports
iptables_forwarded_udp_ports: [] # Ex. iptables_forwarded_udp_ports:
#   - { from: 22, to: 2222 }

iptables_raw_rules: [] # List of raw rules (passed verbatim to iptables)
# Ex.
#   iptables_raw_rules:
#   - -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#   - -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

iptables_command: iptables -w

--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---

# The rules file is an executable script (see templates/etc/iptables.rules.j2);
# running it applies the rule set.
- name: iptables load
  command: "{{iptables_rules_path}}"

--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---

dependencies: []

galaxy_info:
  author: klen
  company: Stouts
  description: Manage iptables rules
  license: MIT
  categories:
    - system
    - networking

--------------------------------------------------------------------------------
/tasks/iptables.yml:
--------------------------------------------------------------------------------
---

- name: Include OS-specific variables.
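# (continuation of the "Include OS-specific variables." task above)
  include_vars: "{{ ansible_os_family }}.yml"

- name: Ensure iptables is installed (debian)
  apt: name=iptables
  when: ansible_os_family == 'Debian'

- name: Ensure iptables is installed (redhat)
  yum: name=iptables
  when: ansible_os_family == 'RedHat'

# ufw would otherwise fight over the same chains.
- name: Ensure ufw is not installed (debian)
  apt: name=ufw state=absent purge=yes
  when: ansible_os_family == 'Debian'

- name: Ensure that config directory is exists
  file: state=directory path="{{ iptables_confdir }}"

# The rules file is an executable shell script run as root by the handler
# whenever its content changes.
- name: Prepare iptables rules
  template: dest={{iptables_rules_path}} src=etc/iptables.rules.j2 owner=root group=root mode=0744
  notify: iptables load

# Mode is written with a leading zero like the task above; a bare 751 is only
# read as octal here because key=value arguments arrive as strings, and would
# become decimal 751 if this task were ever converted to YAML-dict form.
- name: Autoload the rules
  template: src=etc/network/if-up.d/iptables_load.j2 dest={{iptables_load_path}} owner=root group=root mode=0751
  when: iptables_load_path != ""

--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---

- import_tasks: iptables.yml
  when: iptables_enabled
  tags: [iptables]

--------------------------------------------------------------------------------
/templates/etc/iptables.rules.j2:
--------------------------------------------------------------------------------
#!/bin/bash

# This file was generated by Ansible for {{ansible_fqdn}}
# Do NOT modify this file by hand!

IPTABLES="{{ iptables_command }}"

{% if iptables_flush_all %}
# Clean all
# Every rule below is appended with -A, so without this flush each run of the
# script adds a second copy of every rule instead of replacing the set.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
{% endif %}

# Accept all from localhost
$IPTABLES -A INPUT -i lo -j ACCEPT

# Forwarded ports.
{% for forward in iptables_forwarded_tcp_ports %}
$IPTABLES -t nat -I PREROUTING -p tcp --dport {{forward.from}} -j REDIRECT --to-port {{forward.to}}
{% endfor %}
{% for forward in iptables_forwarded_udp_ports %}
$IPTABLES -t nat -I PREROUTING -p udp --dport {{forward.from}} -j REDIRECT --to-port {{forward.to}}
{% endfor %}

# Allowed ports.
{% for port in iptables_allowed_tcp_ports %}
$IPTABLES -A INPUT -p tcp -m tcp --dport {{port}} -j ACCEPT
{% endfor %}
{% for port in iptables_allowed_udp_ports %}
$IPTABLES -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT
{% endfor %}

# Accept ICMP packets (it allows ping for example)
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Allow NTP traffic for time synchronization.
# Inbound NTP is limited to replies to our own queries: a match on the source
# port alone is not a filter, since the sender chooses that port.
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# Raw rules
# Each entry is expanded unquoted into the command line, so these values must
# come from the playbook itself, never from untrusted input.
{% for rule in iptables_raw_rules %}
$IPTABLES {{rule}}
{% endfor %}

# Allow established connections:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

{% if iptables_logging %}
# Logging (rate limited). Packets reaching this point matched no ACCEPT above;
# they are actually dropped only when iptables_deny_all is set.
$IPTABLES -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by iptables: "
{% endif %}

{% if iptables_deny_all %}
# Drop all other
$IPTABLES -A INPUT -j DROP
{% endif %}

--------------------------------------------------------------------------------
/templates/etc/network/if-up.d/iptables_load.j2:
--------------------------------------------------------------------------------
#!/bin/bash

# This file was generated by Ansible for {{ansible_fqdn}}
# Do NOT modify this file by hand!

# Re-apply the generated rule set whenever an interface comes up.
{{iptables_rules_path}}
exit $?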
--------------------------------------------------------------------------------
/test.yml:
--------------------------------------------------------------------------------
- hosts: all
  tasks:
    - include: 'tasks/main.yml'
  handlers:
    - include: 'handlers/main.yml'
  vars_files:
    - 'defaults/main.yml'

--------------------------------------------------------------------------------
/vars/Debian.yml:
--------------------------------------------------------------------------------
---

--------------------------------------------------------------------------------
/vars/RedHat.yml:
--------------------------------------------------------------------------------
---

iptables_confdir: /etc/sysconfig
iptables_rules_path: "{{ iptables_confdir }}/iptables" # Path to rule file
iptables_load_path: "" # No if-up.d hook on RedHat; rules are not autoloaded by this role
--------------------------------------------------------------------------------