Initializing a Firewall Role with Ansible Galaxy


In this lesson, we're going to learn how to use Ansible Galaxy to initialize a role for setting up a basic firewall using iptables on Ubuntu Server. By the end of this lesson, you'll be able to create an Ansible role to configure iptables rules, enhancing the security of your managed nodes.

In this example, we will create an Ansible role that adds a logging rule to log all inbound traffic to our managed nodes.

What is iptables?

Before configuring iptables, let's take a moment to understand its role. iptables is a robust and flexible tool for network packet filtering in Linux. It serves as the foundation for setting up firewalls on a system.

Essentially, iptables allows you to define rules for how incoming, outgoing, and forwarding network traffic should be handled. In this lesson, our focus is primarily on setting up logging rules. These rules are vital for monitoring and analyzing incoming traffic, which is an integral part of maintaining and enhancing system security.

Initializing the Role with Ansible Galaxy

First, navigate to your roles directory:

cd ~/code/roles

Now initialize a new role for iptables using Ansible Galaxy by running:

ansible-galaxy role init iptables_setup

This command creates a new directory in our roles folder called iptables_setup with a standard structure. This structure includes directories for tasks, handlers, templates, files, vars, defaults, and more. Running tree on the new directory shows the layout:

paulh@ansible-controller:~/code/roles$ tree iptables_setup/
iptables_setup/
├── defaults
│   └── main.yml
├── files
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   └── main.yml
├── templates
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml

8 directories, 8 files

If we cat the tasks/main.yml file in our role, we can see it puts some placeholder data inside for us:

cat iptables_setup/tasks/main.yml
Ansible Galaxy Main Tasks Placeholder

Next, we can add our tasks to configure iptables with the desired logging rules.

Discovering iptables Module and Its Configuration

Before we start writing our tasks, let's find out more about the iptables module in Ansible and what configurations it offers. Ansible documentation is the best place to start. You can view the iptables module documentation on the official Ansible documentation website.

To explore the iptables module's options and examples, you can also use the command line:

ansible-doc iptables

This command will show you a detailed description of the module, including available parameters and sample usage.

Writing Tasks for iptables Configuration

Edit the tasks/main.yml file:

nano iptables_setup/tasks/main.yml

Before we dive into configuring iptables, it's important to note that iptables usually comes pre-installed on most Ubuntu Server editions. However, if you're working on a fresh installation or a minimal Ubuntu setup, iptables might not be present.

Add the following task, which ensures that iptables is installed before moving on to the next step:

---
- name: Ensure iptables is present
  apt:
    name: iptables
    state: present

The next task in the YAML file configures the logging rule. Add the following task:

- name: Log all incoming traffic
  iptables:
    table: filter
    chain: INPUT
    jump: LOG
    log_prefix: "iptables_INPUT: "
    log_level: 5

These tasks ensure iptables is installed and then append a rule to the INPUT chain of the filter table that logs every incoming packet with the prefix "iptables_INPUT: " at log level 5.
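A fuller version of the role's files, added here as an example and not the lesson's own code: it keeps the lesson's install and LOG tasks, moves the prefix and level into defaults so they can be overridden per host, rate-limits the LOG rule so a port scan cannot fill the kernel log, inserts it at the top of INPUT so it sees packets before any later ACCEPT, and verifies the rule afterwards. The variable names iptables_log_prefix, iptables_log_level, iptables_log_limit and iptables_log_limit_burst are assumptions introduced for this example, and the tasks need become: true on the play.

```yaml
# defaults/main.yml (variable names are assumptions made for this example)
---
iptables_log_prefix: "iptables_INPUT: "
iptables_log_level: 5           # syslog level 5 = notice
iptables_log_limit: "5/min"     # cap log lines so a scan cannot flood /var/log
iptables_log_limit_burst: 10    # allow a short burst before the limit applies

# tasks/main.yml
---
- name: Ensure iptables is present
  ansible.builtin.apt:
    name: iptables
    state: present
    update_cache: true

# The lesson's unlimited rule writes one line per packet; on an internet-facing
# host a single scan can produce thousands of entries a minute. The task below
# adds the same LOG target but through the iptables limit match.
- name: Log incoming traffic (rate-limited)
  ansible.builtin.iptables:
    table: filter
    chain: INPUT
    action: insert            # place at rule 1 so every packet is seen first
    rule_num: 1
    jump: LOG
    log_prefix: "{{ iptables_log_prefix }}"
    log_level: "{{ iptables_log_level }}"
    limit: "{{ iptables_log_limit }}"
    limit_burst: "{{ iptables_log_limit_burst }}"
    comment: "managed by iptables_setup role"

# Read the live chain back and fail the play if the rule did not land.
- name: Read current INPUT rules
  ansible.builtin.command: iptables -S INPUT
  register: input_rules
  changed_when: false

- name: Fail if the LOG rule is missing
  ansible.builtin.assert:
    that: "'-j LOG' in input_rules.stdout"
    fail_msg: "No LOG rule found in the INPUT chain"
```

Running the role twice should report the iptables task as unchanged the second time, because the module checks for an identical existing rule before inserting.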

Add the role to our Web Servers Play

Now that we have defined the tasks for our role, let's add the role to our webservers group. Run cd ~/ to return to the home directory where we set up Ansible, which for me is the home directory of my paulh user:
