Initializing a Firewall Role with Ansible Galaxy
Full-Access Members Only
Sorry, this lesson is only available to Server Academy Full-Access members. Become a Full-Access member now and get instant access to this and many more premium courses. Click the button below and get instant access now.
Instructions
Q&A (0)
Notes (0)
Resources (0)
Saving Progress...
Resources
There are no resources for this lesson.
Notes can be saved and accessed anywhere in the course. They also double as bookmarks so you can quickly review important lesson material.
In this lesson, we're going to learn how to use Ansible Galaxy to initialize a role for setting up a basic firewall using iptables on Ubuntu Server. By the end of this lesson, you'll be able to create an Ansible role to configure iptables rules, enhancing the security of your managed nodes.
In this example, we will create an ansible role that will create a logging rule to log all inbound traffic to our managed nodes.
What is iptables?
Before configuring iptables, let's take a moment to understand its role. iptables is a robust and flexible tool for network packet filtering in Linux. It serves as the foundation for setting up firewalls on a system.
Essentially, iptables allows you to define rules for how incoming, outgoing, and forwarding network traffic should be handled. In this lesson, our focus is primarily on setting up logging rules. These rules are vital for monitoring and analyzing incoming traffic, which is an integral part of maintaining and enhancing system security.
Initializing the Role with Ansible Galaxy
First, navigate to your roles directory:
cd ~/code/roles
Now let's initialize a new role for iptables using Ansible Galaxy, run:
ansible-galaxy role init iptables_setup
This command creates a new directory in our roles folder called iptables_setup
with a standard structure. This structure includes directories for tasks, handlers, templates, files, vars, defaults, and more. If I tree
the new directory I will see a new folder with the iptables_setup directory:
paulh@ansible-controller:~/code/roles$ tree iptables_setup/
iptables_setup/
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ └── main.yml
├── templates
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
8 directories, 8 files
If we cat
the tasks/main.yml
file in our role, we can see it puts some placeholder data inside for us:
cat iptables_setup/tasks/main.yml
Next, we can add our tasks to configure iptables with the desired logging rules.
Discovering iptables Module and Its Configuration
Before we start writing our tasks, let's find out more about the iptables module in Ansible and what configurations it offers. Ansible documentation is the best place to start. You can view the iptables module documentation on the official Ansible documentation website.
To explore the iptables module's options and examples, you can also use the command line:
ansible-doc iptables
This command will show you a detailed description of the module, including available parameters and sample usage.
Writing Tasks for iptables Configuration
Edit the tasks/main.yml
file:
nano iptables_setup/tasks/main.yml
Before we dive into configuring iptables, it's important to note that iptables usually comes pre-installed on most Ubuntu Server editions. However, if you're working on a fresh installation or a minimal Ubuntu setup, iptables might not be present.
Add the following task that will ensure that iptables is installed before moving on to the next step:
---
- name: Ensure iptables is present
apt:
name: iptables
state: present
The next task in the YAML file will be to configure the logging rule. Configure the following task:
- name: Log all incoming traffic
iptables:
table: filter
chain: INPUT
jump: LOG
log_prefix: "iptables_INPUT: "
log_level: 5
These tasks will ensure iptables is installed, set the default policy for incoming traffic to DROP, and then loop over the iptables_allowed_ports
list to allow specific services.
Add the role to our Web Servers Play
Now that we have defined the tasks for our role, let's add the role to our webservers group. cd ~/
back to the home directory where we setup Ansible, which for me is the home directory of my paulh user:
Server Academy Members Only
Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.