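---
# Docker Server Firewall Configuration
# Status: READY FOR EXECUTION
# Created: 2026-02-09
#
# IMPORTANT: Review and customize the docker_service_ports variable below
# based on which Docker services exist on the host, and pass external_ports
# for the few that must be reachable from outside the internal subnet.
#
# NOTE: Docker publishes container ports through its own iptables chains
# (FORWARD / DOCKER), which UFW's INPUT-chain rules do not cover. A container
# started with a port published on 0.0.0.0 can therefore stay reachable
# regardless of the rules below. Bind published ports to 127.0.0.1 or the
# internal interface address, or add matching rules in the DOCKER-USER chain,
# and verify with `ss -tlnp` plus a connection test from outside the subnet.
#
# Usage:
#   Option A - Internal Only (Most Secure, default):
#     ansible-playbook playbooks/secure-docker-server-firewall.yml -e "firewall_mode=internal"
#
#   Option B - Selective Access (internal rules plus the listed ports from anywhere):
#     ansible-playbook playbooks/secure-docker-server-firewall.yml -e "firewall_mode=selective" -e "external_ports=8080,9000"
#
#   Option C - Review Current State:
#     ansible-playbook playbooks/secure-docker-server-firewall.yml --check
#
# Variables (all overridable with -e; extra vars take precedence over play vars):
#   firewall_mode    "internal" (default) or "selective"
#   external_ports   comma-separated string, e.g. "8080,9000" or "8080/tcp,9000/udp";
#                    protocol defaults to tcp; only used in selective mode
#   reset_firewall   true to wipe existing UFW rules before applying (default false)
#   internal_subnet  CIDR that is allowed to reach every Docker service port

- name: Configure Firewall on Docker Server
  hosts: docker
  become: true
  gather_facts: true

  vars:
    # Plain default: a play var must not reference itself
    # ("{{ firewall_mode | default(...) }}" raises a recursive-loop error when
    # the extra var is absent). -e firewall_mode=... still overrides this.
    firewall_mode: internal

    # Ports that are always allowed, from any source
    essential_ports:
      - "22/tcp"  # SSH

    # Docker service ports (customize based on your needs); "port/proto"
    docker_service_ports:
      - "5000/tcp"  # Docker service
      - "8000/tcp"  # Docker service
      - "8001/tcp"  # Docker service
      - "8080/tcp"  # Docker service
      - "8081/tcp"  # Docker service
      - "8082/tcp"  # Docker service
      - "8443/tcp"  # Docker service (HTTPS)
      - "9000/tcp"  # Docker service (Portainer/SonarQube?)
      - "11434/tcp"  # Docker service (Ollama?)

    # Internal network subnet trusted to reach all Docker service ports
    internal_subnet: "192.168.200.0/24"

    # external_ports normalised to a list: tolerate an unset value (internal
    # mode), stray whitespace and a trailing comma. Computed here because a
    # task's loop is evaluated before its when, so the loop expression must be
    # valid even when external_ports is undefined.
    external_port_list: >-
      {{ (external_ports | default('') | string).split(',')
         | map('trim') | reject('equalto', '') | list }}

  tasks:
    - name: Validate requested firewall mode
      ansible.builtin.assert:
        that:
          - "firewall_mode in ['internal', 'selective']"
          - "firewall_mode != 'selective' or (external_port_list | length) > 0"
        fail_msg: >-
          firewall_mode must be 'internal' or 'selective'; selective mode
          requires -e external_ports=<port[/proto][,port[/proto]...]>

    - name: Display current configuration mode
      ansible.builtin.debug:
        msg: |
          ╔════════════════════════════════════════════════════════════════╗
          ║ Docker Server Firewall Configuration                           ║
          ╚════════════════════════════════════════════════════════════════╝
          Mode: {{ firewall_mode }}
          Essential Ports: {{ essential_ports }}
          Docker Ports: {{ docker_service_ports | length }} services
          Internal Subnet: {{ internal_subnet }}
          External Ports: {{ external_port_list }}

    - name: Install UFW if not present
      ansible.builtin.apt:
        name: ufw
        state: present
        update_cache: true

    # Opt-in only: a reset drops every existing rule, including ones added
    # by hand on the host.
    - name: Reset UFW to default (if requested)
      community.general.ufw:
        state: reset
      when: reset_firewall | default(false) | bool

    - name: Set UFW default policies
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: 'incoming', policy: 'deny' }
        - { direction: 'outgoing', policy: 'allow' }

    # SSH stays reachable from anywhere so the playbook cannot lock itself
    # out. Consider `rule: limit` here to rate-limit repeated connection
    # attempts per source address once automation access is confirmed.
    - name: Allow SSH (essential)
      community.general.ufw:
        rule: allow
        port: "{{ item.split('/')[0] }}"
        proto: "{{ item.split('/')[1] | default('tcp') }}"
        comment: "Essential - SSH access"
      loop: "{{ essential_ports }}"

    # Applied in both modes: selective mode adds external ports on top of
    # internal access rather than replacing it.
    - name: Allow Docker services from internal network
      community.general.ufw:
        rule: allow
        port: "{{ item.split('/')[0] }}"
        proto: "{{ item.split('/')[1] | default('tcp') }}"
        from_ip: "{{ internal_subnet }}"
        comment: "Docker service - internal only"
      loop: "{{ docker_service_ports }}"
      when: "firewall_mode in ['internal', 'selective']"

    # Entries may be bare ("8080") or "port/proto"; bare entries default to tcp,
    # so split('/')[1] never raises on a missing protocol.
    - name: Allow specific Docker services externally (selective mode)
      community.general.ufw:
        rule: allow
        port: "{{ item.split('/')[0] }}"
        proto: "{{ item.split('/')[1] | default('tcp') }}"
        comment: "Docker service - external access"
      loop: "{{ external_port_list }}"
      when: firewall_mode == 'selective'

    - name: Enable UFW
      community.general.ufw:
        state: enabled

    # Read-only; run even under --check so the status/summary tasks below
    # have a registered result (Option C in the header).
    - name: Display firewall status
      ansible.builtin.command: ufw status verbose
      register: ufw_status
      changed_when: false
      check_mode: false

    - name: Show configured firewall rules
      ansible.builtin.debug:
        msg: "{{ ufw_status.stdout_lines }}"

    # ss -l already restricts output to listening sockets, so no grep is
    # needed (and no shell, so no pipeline exit-status surprises).
    - name: Collect listening ports
      ansible.builtin.command: ss -tlnp
      register: open_ports
      changed_when: false
      check_mode: false

    - name: Display open ports
      ansible.builtin.debug:
        msg: "{{ open_ports.stdout_lines }}"

    - name: Summary
      ansible.builtin.debug:
        msg: |
          ╔════════════════════════════════════════════════════════════════╗
          ║ Firewall Configuration Complete                                ║
          ╚════════════════════════════════════════════════════════════════╝
          Mode: {{ firewall_mode }}
          Status: UFW Enabled

          {{ ufw_status.stdout }}

          Next Steps:
          1. Test SSH access: ssh dlxadmin@192.168.200.200
          2. Test Docker services from internal network
          3. If external access needed, run with firewall_mode=selective
          4. Monitor: sudo ufw status numbered
          5. Confirm published container ports are bound to 127.0.0.1 or the
             internal address - UFW does not filter Docker's FORWARD traffic

          To modify rules later:
            sudo ufw allow from 192.168.200.0/24 to any port <port>
            sudo ufw delete <rule-number>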