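---
# Docker Server Firewall Configuration
# Status: READY FOR EXECUTION
# Created: 2026-02-09
#
# IMPORTANT: Review and customize the docker_service_ports variable below
# (and, for selective mode, the external_ports extra var) based on which
# Docker services need external access.
#
# NOTE(review): UFW filters the host's INPUT chain. Ports that Docker publishes
# with `-p` are reached through Docker's own iptables rules in the FORWARD
# chain, so they can remain reachable from outside regardless of the UFW rules
# below. Verify the result from a host outside internal_subnet after running
# this playbook, and prefer binding published ports to an internal address for
# services that must not be exposed — confirm for this setup.
#
# Usage:
# Option A - Internal Only (Most Secure):
#   ansible-playbook playbooks/secure-docker-server-firewall.yml -e "firewall_mode=internal"
#
# Option B - Selective Access:
#   ansible-playbook playbooks/secure-docker-server-firewall.yml -e "firewall_mode=selective" -e "external_ports=8080,9000"
#
# Option C - Review Current State:
#   ansible-playbook playbooks/secure-docker-server-firewall.yml --check

- name: Configure Firewall on Docker Server
  hosts: docker
  become: true
  gather_facts: true

  vars:
    # Default mode: internal (most secure).
    # An extra var (-e "firewall_mode=selective") has the highest precedence and
    # overrides this plain value, so no self-referencing default() is needed.
    # A self-reference ("{{ firewall_mode | default('internal') }}") would
    # template itself recursively whenever the extra var is absent.
    firewall_mode: internal

    # Ports that are always allowed, from any source address
    essential_ports:
      - "22/tcp"  # SSH

    # Docker service ports (customize based on your needs).
    # Entries are "<port>/<proto>"; both parts are required by the tasks below.
    docker_service_ports:
      - "5000/tcp"   # Docker service
      - "8000/tcp"   # Docker service
      - "8001/tcp"   # Docker service
      - "8080/tcp"   # Docker service
      - "8081/tcp"   # Docker service
      - "8082/tcp"   # Docker service
      - "8443/tcp"   # Docker service (HTTPS)
      - "9000/tcp"   # Docker service (Portainer/SonarQube?)
      - "11434/tcp"  # Docker service (Ollama?)

    # Internal network subnet allowed to reach the Docker services
    internal_subnet: "192.168.200.0/24"

  tasks:
    - name: Display current configuration mode
      ansible.builtin.debug:
        msg: |
          ╔════════════════════════════════════════════════════════════════╗
          ║ Docker Server Firewall Configuration ║
          ╚════════════════════════════════════════════════════════════════╝

          Mode: {{ firewall_mode }}
          Essential Ports: {{ essential_ports }}
          Docker Ports: {{ docker_service_ports | length }} services
          Internal Subnet: {{ internal_subnet }}

    - name: Install UFW if not present
      ansible.builtin.apt:
        name: ufw
        state: present
        update_cache: true  # real boolean instead of the YAML 1.1 `yes`

    # Only runs with -e "reset_firewall=true". A reset disables UFW and removes
    # every rule; the default policies and the SSH rule are re-applied below
    # before UFW is enabled again.
    - name: Reset UFW to default (if requested)
      community.general.ufw:
        state: reset
      when: reset_firewall | default(false) | bool

    # Deny everything inbound by default; every allow rule below is an
    # exception to this policy.
    - name: Set UFW default policies
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - direction: incoming
          policy: deny
        - direction: outgoing
          policy: allow

    # Essential ports are open to any source address (no from_ip). The rule
    # comment names SSH even though every entry of essential_ports receives it.
    - name: Allow SSH (essential)
      community.general.ufw:
        rule: allow
        port: "{{ item.split('/')[0] }}"
        proto: "{{ item.split('/')[1] }}"
        comment: "Essential - SSH access"
      loop: "{{ essential_ports }}"

    # Docker services are reachable only from internal_subnet. This also runs in
    # selective mode: that mode additionally exposes external_ports to any
    # source; it must not drop internal access to the remaining services, which
    # the default deny policy would otherwise block from the internal network too.
    - name: Allow Docker services from internal network only
      community.general.ufw:
        rule: allow
        port: "{{ item.split('/')[0] }}"
        proto: "{{ item.split('/')[1] }}"
        from_ip: "{{ internal_subnet }}"
        comment: "Docker service - internal only"
      loop: "{{ docker_service_ports }}"
      when: firewall_mode in ['internal', 'selective']

    # external_ports is a comma-separated extra var ("8080,9000" or
    # "8080/tcp,9000/udp"). Ansible evaluates `loop` before `when`, so the loop
    # expression must not dereference an undefined external_ports; entries
    # without an explicit protocol (as in the usage example) default to tcp.
    - name: Allow specific Docker services externally (selective mode)
      community.general.ufw:
        rule: allow
        port: "{{ item.split('/')[0] }}"
        proto: "{{ item.split('/')[1] if '/' in item else 'tcp' }}"
        comment: "Docker service - external access"
      loop: "{{ (external_ports | default('') | string).split(',') | map('trim') | reject('equalto', '') | list }}"
      when:
        - firewall_mode == 'selective'
        - external_ports is defined

    - name: Enable UFW
      community.general.ufw:
        state: enabled

    # Read-only: plain command (no shell features needed) and allowed under
    # --check (Option C) so the summary below still has output to show.
    - name: Display firewall status
      ansible.builtin.command: ufw status verbose
      register: ufw_status
      changed_when: false
      check_mode: false

    - name: Show configured firewall rules
      ansible.builtin.debug:
        msg: "{{ ufw_status.stdout_lines }}"

    # `ss -l` already lists only listening sockets; the former `| grep LISTEN`
    # only added a non-zero exit (and a failed task) when nothing matched.
    # -p (process names) needs root, which `become: true` provides.
    - name: Display open ports
      ansible.builtin.command: ss -tlnp
      register: open_ports
      changed_when: false
      check_mode: false

    - name: Show listening sockets
      ansible.builtin.debug:
        msg: "{{ open_ports.stdout_lines }}"

    - name: Summary
      ansible.builtin.debug:
        msg: |
          ╔════════════════════════════════════════════════════════════════╗
          ║ Firewall Configuration Complete ║
          ╚════════════════════════════════════════════════════════════════╝

          Mode: {{ firewall_mode }}
          Status: UFW Enabled

          {{ ufw_status.stdout }}

          Next Steps:
          1. Test SSH access: ssh dlxadmin@192.168.200.200
          2. Test Docker services from internal network
          3. If external access needed, run with firewall_mode=selective
          4. Monitor: sudo ufw status numbered

          To modify rules later:
          sudo ufw allow from {{ internal_subnet }} to any port <PORT>
          sudo ufw delete <RULE_NUMBER>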