Overview

The following article will act as a guide and to demonstrate the process how to configure IPtables rules using Ansible. What does this means is - by using Ansible we will create a playbook that we’re going to use to automatically set IPtables firewall rules on a remote Linux server.

This solution may prove to be a good option since not only it will do the job automatically but also enables to perform the same procedure on multiple different hosts at once.

The Ansible comes with the IPTables module bultin by default(meaning it’s in Ansible core and comes in any version of Ansible installation). On Ansibles docs website there’s a very well written documentation with even more examples - ANSIBLE IPTABLES module.

Prerequisites:

  • SSH access to the Linux server
  • User account with sudo privileges

How to configure IPtables rules using Ansible

What we need to do first is to write the Ansible config that we’re going to use to set the Iptables rules when we run the Ansible playbook. We’ll provide couple of examples that can be used as a base. But first, in one directory create an “inventory” file and a “yml” file that we are going to use for the Ansible playbook if your want to follow our example.

We have made the following setup in order to execute and test these playbooks:

In one directory we created an “inventory” file and a “yml” for playbooks:

touch inventory; vim $_

In the inventory file, add the IP address of the remote host, save file and exit.

Next, create the playbook:

touch configure-iptables.yml; code $_

In the following screenshots, here are the configurations for the IPtables rules in Ansible and these are explained in the headings down bellow.

Configure IPtables rules using Ansible

IPtables rules with Ansible

Configure IPtables rules using Ansible

IPtables rules with Ansible

To test and execute the Ansible playbook, we used the following command:

ansible-playbook -u markon -k -K -i inventory configure-iptables.yml

In the Ansible command we provided the sudo user, set options for Ansible to prompt us the SSH password and password of the sudo user to gain sudo privileges, defined the inventory file and the Ansible playbook we’re running.

Example of the end result is in the next screenshots:

Configure IPtables rules using Ansible

Configure IPtables rules using Ansible

Set allow rule on Iptables using Ansible

Allow HTTP and HTTPS on IPtables with Ansible

The allow rules are almost self-explanatory and they pretty much match the IPtables syntax.

- name: Allow HTTP
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: 80
        ctstate: NEW
        jump: ACCEPT
        comment: Allow HTTP
      become: true

- name: Allow HTTPS
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: 443
        ctstate: NEW
        jump: ACCEPT
        comment: Allow HTTPS
      become: true

Set deny rule on Iptables using Ansible

How to block an IP address on IPtables with Ansible

- name: Block and Forward
  tasks:
  - name: Block specific IP
    ansible.builtin.iptables:
      chain: INPUT
      source: 10.10.20.3
      jump: DROP
    become: yes

Set port forwarding on Ipables using Ansible

Port forwarding on IPtables with Ansible

Note - Configuration is an example and with port forwarding you must match the “in_interface” of your Linux server machine.

- name: Forward port 80 to 8800
    ansible.builtin.iptables:
      table: nat
      chain: PREROUTING
      in_interface: eth0
      protocol: tcp
      match: tcp
      destination_port: 80
      jump: REDIRECT
      to_ports: 8600
      comment: Redirect web traffic to port 8800
    become: yes

Set allow rule on multiple ports and range at once

Allow connection on range of ports on IPtabbles with Ansible

- name: Allow connections on multiple ports
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_ports:
      - "80"
      - "443"
      - "8081:8083"
    jump: ACCEPT
  become: yes

Summary

In this guide we have demonstrated the procedure how to configure IPtables rules using Ansible. We also covered couple of example how to define allow and deny rules on IPtables with Ansible, how to apply a port forwarding rule and how to target multiple and a range or ports at once.

Thank you very much for your time…