kowabunga.cloud.firewall role – Install, configure, and start iptables or nftables based firewall.

Note

This role is part of the kowabunga.cloud collection (version 0.1.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install kowabunga.cloud.

To use it in a playbook, specify: kowabunga.cloud.firewall.

Entry point main – Install, configure, and start iptables or nftables based firewall.

Synopsis

  • Install, configure, and start iptables or nftables based firewall.

Parameters

kowabunga_firewall_dnat_rules (list / elements=dictionary)
    List of DNAT rules to be applied.
    Only relevant when nftables firewall mode is enabled.
    Default: []

    Sub-options:

    dest (string / required)
        Destination IP address to NAT to.

    iface (string / required)
        Name of the network interface. Usually the one holding the public IP address.

    name (string)
        User-friendly rule name, description or comment.

    ports (list / elements=string / required)
        List of ports to NAT to (e.g. 80, 443, …).

    protocol (string / required)
        Protocol to accept.
        Choices:
          • "tcp"
          • "udp"

kowabunga_firewall_enabled (boolean)
    Turn on iptables on the public (i.e. Internet-facing) network interface.
    Has no effect if no public network interface is found.
    Sets up a deny-all filtering policy, with ICMP requests blocked and only explicitly listed UDP/TCP ports opened.
    The private network interface remains unfiltered.
    Choices:
      • false ← (default)
      • true

kowabunga_firewall_forward_interfaces (list / elements=string)
    List of network interfaces to be added as accept-all LAN/VLAN interfaces.
    Used for inter-VLAN communication.
    Default: []

kowabunga_firewall_lan_extra_nft_rules (list / elements=dictionary)
    List of extra LAN firewall rules to be applied.
    Default: []

    Sub-options:

    action (string / required)
        Action to be performed.
        Choices:
          • "accept"
          • "drop"
          • "reject"
          • "log"

    dport (string)
        Destination port. All ports if unspecified.

    from (string / required)
        Source IP address, CIDR formatted.

    name (string)
        User-friendly rule name, description or comment.

    protocol (string)
        Name of the network protocol to be used.
        Examples: udp, tcp, or other custom ones.

    to (string / required)
        Destination IP address, CIDR formatted.

kowabunga_firewall_mode (string)
    Defines which firewalling stack is to be configured.
    Choices:
      • "iptables" ← (default)
      • "nftables"

kowabunga_firewall_open_tcp_ports (list / elements=integer)
    List of TCP ports to be explicitly opened on the network firewall.
    Default: []

kowabunga_firewall_open_udp_ports (list / elements=integer)
    List of UDP ports to be explicitly opened on the network firewall.
    Default: []

kowabunga_firewall_passthrough_enabled (boolean)
    Turn the firewall into a pass-through router.
    Source/destination NAT will be enabled from/to any interface.
    Only relevant when nftables firewall mode is enabled.
    Dangerous: not recommended on Internet-exposed instances.
    Choices:
      • false ← (default)
      • true

kowabunga_firewall_trusted_public_ips (list / elements=string)
    List of remote public IP addresses to be trusted, i.e. from which SSH traffic is accepted.
    CIDR formatted.
    Default: []

kowabunga_firewall_wan_extra_nft_rules (list / elements=dictionary)
    List of extra WAN firewall rules to be applied.
    Default: []

    Sub-options:

    action (string / required)
        Action to be performed.
        Choices:
          • "accept"
          • "drop"
          • "reject"
          • "log"

    dport (string)
        Destination port. All ports if unspecified.

    from (string / required)
        Source IP address, CIDR formatted.

    name (string)
        User-friendly rule name, description or comment.

    protocol (string)
        Name of the network protocol to be used.
        Examples: udp, tcp, or other custom ones.

    to (string / required)
        Destination IP address, CIDR formatted.
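A playbook that puts these parameters together for an Internet-facing gateway, added here as an illustration and not taken from the collection's own documentation; the host group, interface names, addresses and ports are constructed sample values, and the nftables-only parameters (DNAT rules, extra rules, pass-through) are shown alongside the mode that activates them.

```yaml
# Constructed example: deny-all public-side policy with a narrow set of openings.
- name: Configure gateway firewall with kowabunga.cloud.firewall
  hosts: gateways            # assumed inventory group
  become: true
  vars:
    kowabunga_firewall_enabled: true
    # DNAT rules and extra nft rules below are only applied in nftables mode.
    kowabunga_firewall_mode: nftables
    # Keep the role default: pass-through NAT from/to any interface is
    # explicitly flagged as dangerous on Internet-exposed instances.
    kowabunga_firewall_passthrough_enabled: false
    # SSH is accepted only from these CIDRs (sample documentation range).
    kowabunga_firewall_trusted_public_ips:
      - 203.0.113.0/24
    # Everything else on the public interface stays closed except these ports.
    kowabunga_firewall_open_tcp_ports: [80, 443]
    kowabunga_firewall_open_udp_ports: []
    # Inter-VLAN traffic between these (assumed) interfaces is accepted.
    kowabunga_firewall_forward_interfaces:
      - vlan10
      - vlan20
    # Forward public HTTPS to an internal web server; "ports" takes strings.
    kowabunga_firewall_dnat_rules:
      - name: Public HTTPS to internal web server
        iface: eth0           # assumed public-facing interface
        protocol: tcp
        ports: ["443"]
        dest: 10.0.0.10
    # LAN-side rule: block RDP from the guest VLAN toward the server VLAN.
    kowabunga_firewall_lan_extra_nft_rules:
      - name: Drop RDP from guest VLAN to servers
        action: drop
        protocol: tcp
        dport: "3389"
        from: 10.20.0.0/24
        to: 10.0.0.0/24
  roles:
    - kowabunga.cloud.firewall
```

Dropping or setting kowabunga_firewall_mode back to iptables leaves the DNAT and extra-rule lists unused, so a reviewer checking this play should read the mode first.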