Ansible role that sets iptables firewall rules to protect an openwisp2 instance (see ansible-openwisp2) on debian and ubuntu systems.
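---
- hosts: all
  roles:
    - openwisp.openwisp2-iptables
  vars:
    # Allowed SSH port, defaults to 22.
    # This must be the port sshd actually listens on: everything not
    # listed here is dropped, so a mismatch locks remote administrators out.
    openwisp2_iptables_ssh_port: 22

    # Configure rules to allow traffic for VPN interfaces.
    # You can specify port, protocol and interface name
    # for multiple VPN interfaces as shown below.
    # Keep protocol/port/interface in sync with the VPN daemon's own
    # configuration; an entry that does not match leaves that VPN closed.
    openwisp2_iptables_vpn_rules:
      # OpenVPN
      - protocol: udp
        port: 1194
        interface: tun0
      # WireGuard
      - protocol: udp
        port: 51820
        interface: wg0

    # Configure ports to allow traffic for the SMTP mail server.
    openwisp2_iptables_smtp_ports: [25, 587]

    # Configure ports to allow traffic for the FreeRADIUS server.
    openwisp2_iptables_freeradius_ports: [1812, 1813]
    # Destination IP for incoming FreeRADIUS traffic.
    # NOTE(review): presumably limits the RADIUS ports to this address
    # (here a VPN-side address) rather than every interface; confirm
    # against the role's tasks before relying on it to keep RADIUS off
    # the public interface.
    openwisp2_iptables_freeradius_destination: 10.8.0.1

    # Configure IP addresses that would be allowed to send traffic
    # to the WireGuard updater Flask app.
    # NOTE(review): empty by default; confirm in the role whether []
    # leaves the port below closed or opens it to any source. Only
    # the former is safe, so list explicit addresses when enabling it.
    openwisp2_iptables_wireguard_flask_src_ips: []
    # Configure port to allow traffic for the WireGuard updater
    # Flask app.
    openwisp2_iptables_wireguard_flask_port: 8081

    # Configure port to allow traffic (both TCP and UDP) for
    # the Iperf3 server.
    openwisp2_iptables_iperf_port: 5201

    # Configure port to allow traffic for the OWLP internet mode
    # webpage. null means no rule is added for it.
    openwisp2_iptables_owlp_internet_mode_port: null

    # Configure additional iptables rules using the following variable.
    # The entry format is defined by the role (not shown here); review
    # each added rule as carefully as the built-in ones, since it widens
    # the default-drop policy.
    openwisp2_iptables_additional_rules: []

    # Allow input HTTP traffic.
    openwisp2_iptables_input_http: true
    # Allow input HTTPS traffic.
    openwisp2_iptables_input_https: true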
Note: By default, all incoming traffic is dropped except for SSH, HTTP and HTTPS. If a variable above is left unconfigured, traffic for that service will be dropped.