Overview
This article is a guide to configuring iptables rules with Ansible. In practice this means writing an Ansible playbook that we will use to set iptables firewall rules on a remote Linux server automatically.
This approach is a good option because it not only does the job automatically but also lets you apply the same procedure to many different hosts at once.
The iptables module ships with Ansible by default (it is part of Ansible core, so it is included in any Ansible installation). The Ansible documentation site has a very well-written page with even more examples: ANSIBLE IPTABLES module.
Prerequisites:
- SSH access to the Linux server
- User account with sudo privileges
How to configure IPtables rules using Ansible
The first thing we need is the Ansible configuration that will set the iptables rules when we run the playbook. We will provide a couple of examples that can be used as a base. If you want to follow our example, first create an “inventory” file and a “yml” file for the playbook in one directory.
We used the following setup to execute and test these playbooks.
In one directory we created the “inventory” file:
touch inventory; vim $_
In the inventory file, add the IP address of the remote host, save the file and exit.
Next, create the playbook:
touch configure-iptables.yml; code $_
The following screenshots show the iptables rule configurations in Ansible; each one is explained under its heading below.
[Screenshot: IPtables rules with Ansible]
To test and execute the Ansible playbook, we used the following command:
ansible-playbook -u markon -k -K -i inventory configure-iptables.yml
In this command we specified the remote user (-u), told Ansible to prompt for the SSH password (-k) and for the sudo password needed to gain root privileges (-K), pointed it at the inventory file (-i) and named the playbook to run.
An example of the end result is shown in the next screenshots:
Set allow rule on Iptables using Ansible
Allow HTTP and HTTPS on IPtables with Ansible
The allow rules are almost self-explanatory and closely match the iptables syntax.
- name: Allow HTTP
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 80
    ctstate: NEW
    jump: ACCEPT
    comment: Allow HTTP
  become: true

- name: Allow HTTPS
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 443
    ctstate: NEW
    jump: ACCEPT
    comment: Allow HTTPS
  become: true
Set deny rule on Iptables using Ansible
How to block an IP address on IPtables with Ansible
- name: Block and Forward
  hosts: all   # assumption: the original snippet omits hosts; use your inventory group here
  tasks:
    - name: Block specific IP
      ansible.builtin.iptables:
        chain: INPUT
        source: 10.10.20.3
        jump: DROP
      become: true
Set port forwarding on IPtables using Ansible
Port forwarding on IPtables with Ansible
Note: this configuration is only an example; for port forwarding you must set “in_interface” to the actual network interface of your Linux server.
- name: Forward port 80 to 8800
  ansible.builtin.iptables:
    table: nat
    chain: PREROUTING
    in_interface: eth0
    protocol: tcp
    match: tcp
    destination_port: 80
    jump: REDIRECT
    to_ports: 8800   # must match the port named in the task and comment
    comment: Redirect web traffic to port 8800
  become: true
Set allow rule on multiple ports and range at once
Allow connections on a range of ports on IPtables with Ansible
- name: Allow connections on multiple ports
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_ports:
      - "80"
      - "443"
      - "8081:8083"
    jump: ACCEPT
  become: true
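The snippets above are individual tasks. As an added example that is not part of the original article, here is one complete playbook that combines them into a host firewall that is safe to push over SSH: loopback and already-established traffic are accepted first, the blocked source is dropped before any accept rule could match it, SSH is allowed before the INPUT policy is switched to DROP so the Ansible connection itself survives, and the result is saved so it outlives a reboot. Assumptions (not from the article): the inventory group is `all`, the SSH port is `ansible_port` or 22, and the persistence path `/etc/iptables/rules.v4` is the Debian-style iptables-persistent location.

```yaml
---
# Added example, not from the original article. Tasks run top to bottom and the
# module appends by default, so task order is rule order in the INPUT chain.
- name: Configure host firewall with iptables
  hosts: all          # assumption: the group name in your inventory
  become: true
  tasks:
    - name: Allow loopback traffic
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Allow established and related connections
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: Block specific IP before any accept rule can match it
      ansible.builtin.iptables:
        chain: INPUT
        source: 10.10.20.3
        jump: DROP

    - name: Allow SSH so the Ansible connection survives the DROP policy
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ ansible_port | default(22) }}"   # assumption: SSH port
        ctstate: NEW
        jump: ACCEPT

    - name: Allow HTTP and HTTPS
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_ports: ["80", "443"]
        ctstate: NEW
        jump: ACCEPT

    - name: Drop everything else reaching INPUT (set last, after the accept rules)
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP

    - name: Persist rules across reboots (assumption: Debian-style iptables-persistent path)
      ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
```

Run it with the same ansible-playbook command shown earlier; the module checks for each rule before adding it, so re-running the play does not create duplicate rules.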
Summary
In this guide we have demonstrated how to configure iptables rules using Ansible. We also covered a couple of examples of defining allow and deny rules on iptables with Ansible, applying a port forwarding rule, and targeting multiple ports and a range of ports at once.
Thank you very much for your time…