Configure IPtables rules using Ansible
The following article will act as a guide and to demonstrate the process how to configure IPtables rules using Ansible. What does this means is – by using Ansible we will create a playbook that we’re going to use to automatically set IPtables firewall rules on a remote Linux server.
This solution may prove to be a good option since not only it will do the job automatically but also enables to perform the same procedure on multiple different hosts at once.
The Ansible comes with the IPTables module bultin by default(meaning it’s in Ansible core and comes in any version of Ansible installation). On Ansibles docs website there’s a very well written documentation with even more examples – ANSIBLE IPTABLES module.
- SSH access to the Linux server
- User account with sudo privileges
How to configure IPtables rules using Ansible
What we need to do first is to write the Ansible config that we’re going to use to set the Iptables rules when we run the Ansible playbook. We’ll provide couple of examples that can be used as a base. But first, in one directory create an “inventory” file and a “yml” file that we are going to use for the Ansible playbook if your want to follow our example.
We have made the following setup in order to execute and test these playbooks:
In one directory we created an “inventory” file and a “yml” for playbooks:
touch inventory; vim $_
In the inventory file, add the IP address of the remote host, save file and exit.
Next, create the playbook:
touch configure-iptables.yml; code $_
In the following screenshots, here are the configurations for the IPtables rules in Ansible and these are explained in the headings down bellow.
To test and execute the Ansible playbook, we used the following command:
ansible-playbook -u markon -k -K -i inventory configure-iptables.yml
In the Ansible command we provided the sudo user, set options for Ansible to prompt us the SSH password and password of the sudo user to gain sudo privileges, defined the inventory file and the Ansible playbook we’re running.
Example of the end result is in the next screenshots:
Set allow rule on Iptables using Ansible
Allow HTTP and HTTPS on IPtables with Ansible
The allow rules are almost self-explanatory and they pretty much match the IPtables syntax.
- name: Allow HTTP ansible.builtin.iptables: chain: INPUT protocol: tcp destination_port: 80 ctstate: NEW jump: ACCEPT comment: Allow HTTP become: true - name: Allow HTTPS ansible.builtin.iptables: chain: INPUT protocol: tcp destination_port: 443 ctstate: NEW jump: ACCEPT comment: Allow HTTPS become: true
Set deny rule on Iptables using Ansible
How to block an IP address on IPtables with Ansible
- name: Block and Forward tasks: - name: Block specific IP ansible.builtin.iptables: chain: INPUT source: 10.10.20.3 jump: DROP become: yes
Set port forwarding on Ipables using Ansible
Port forwarding on IPtables with Ansible
Note – Configuration is an example and with port forwarding you must match the “in_interface” of your Linux server machine.
- name: Forward port 80 to 8800 ansible.builtin.iptables: table: nat chain: PREROUTING in_interface: eth0 protocol: tcp match: tcp destination_port: 80 jump: REDIRECT to_ports: 8600 comment: Redirect web traffic to port 8800 become: yes
Set allow rule on multiple ports and range at once
Allow connection on range of ports on IPtabbles with Ansible
- name: Allow connections on multiple ports ansible.builtin.iptables: chain: INPUT protocol: tcp destination_ports: - "80" - "443" - "8081:8083" jump: ACCEPT become: yes
In this guide we have demonstrated the procedure how to configure IPtables rules using Ansible. We also covered couple of example how to define allow and deny rules on IPtables with Ansible, how to apply a port forwarding rule and how to target multiple and a range or ports at once.
Thank you very much for your time…