
Modify Ansible UFW Role to Use iptables-save Format #5520

Open
kayiwa opened this issue Nov 5, 2024 · 0 comments

kayiwa commented Nov 5, 2024

This issue proposes modifying our Ansible UFW role to manage the firewall configuration using the iptables-save format. This will provide a more robust and flexible way to define and maintain firewall rules.

Rationale:

Currently, the UFW role may rely on the ufw command-line utility to manage rules. While functional, this approach has limitations:

  • Limited expressiveness: The ufw command provides a simplified interface, which can be restrictive when defining complex rules or using advanced features of iptables.
  • Lack of direct control: Managing rules through ufw can be less transparent and may not provide direct control over the underlying iptables configuration.

Using the iptables-save format in a template offers several advantages:

  • Full control: We can define any valid iptables rule, including those not directly supported by ufw.
  • Improved readability: The iptables-save format is well-structured and easier to read and understand, making it simpler to manage complex firewall configurations.
  • Idempotency: Ansible can effectively manage the template, ensuring that the firewall configuration is always in the desired state.

Tasks:

  1. Update the UFW Role:

    • Create a new template file (e.g., iptables.j2) within the role's templates directory.
    • Define the firewall rules in the template using the iptables-save format.
    • Include variables in the template to allow for customization (e.g., allowed IP addresses, ports, services).
    • Modify the role's tasks to use the template module to generate the iptables configuration file from the template.
    • Add a task to load the generated configuration using the iptables-restore command.
  2. Example iptables.j2 Template:

```
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
# ... (other chains)

### RULES ###
{% for rule in rules %}
-A ufw-user-input -p {{ rule.protocol }} -s {{ rule.source }} --dport {{ rule.port }} -j {{ rule.action }}
{% endfor %}
-A ufw-user-input -j DROP
### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
```
  3. Testing and Validation:
    • Create Molecule tests to verify the role's functionality and ensure the generated firewall configuration is correct.
    • Test the role on different Ubuntu Jammy systems to ensure compatibility.

Example Playbook:

```yaml
- hosts: your_servers
  roles:
    - ufw
  vars:
    rules:
      - protocol: tcp
        source: 10.0.0.0/8
        port: 22
        action: ACCEPT
      - protocol: tcp
        source: 192.168.1.0/24
        port: 80
        action: ACCEPT
```
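
The rendering step from the playbook's `rules` list to the template's `ufw-user-input` lines, written as an added example for this page rather than code from the role. It validates every field with the standard library before anything reaches the line-oriented iptables-restore file, since a value carrying whitespace or a newline would otherwise become extra arguments or extra rules; the `ALLOWED_*` sets, the `rejects` helper and the tampered sample are assumptions, not part of the issue.

```python
import ipaddress

# Constructed input matching the `rules` variable in the issue's example
# playbook, plus one tampered entry (also constructed) to exercise rejection.
EXAMPLE_RULES = [
    {"protocol": "tcp", "source": "10.0.0.0/8", "port": 22, "action": "ACCEPT"},
    {"protocol": "tcp", "source": "192.168.1.0/24", "port": 80, "action": "ACCEPT"},
]
TAMPERED_RULE = {"protocol": "tcp", "port": 22, "action": "ACCEPT",
                 "source": "10.0.0.0/8 -j ACCEPT\n-A ufw-user-input -p tcp --dport 23"}

# Assumed allow-lists; the issue leaves these values to the role's variables.
ALLOWED_PROTOCOLS = {"tcp", "udp"}
ALLOWED_ACTIONS = {"ACCEPT", "DROP", "REJECT"}


def validate_rule(rule):
    """Return (protocol, source, port, action) or raise ValueError.
    Every field is checked against a closed set or a real parser, so a value
    carrying whitespace or a newline never reaches the line-oriented file."""
    proto = str(rule.get("protocol", "")).lower()
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol: {rule.get('protocol')!r}")
    try:  # strict=False tolerates host bits (10.0.0.1/8 -> 10.0.0.0/8)
        network = ipaddress.ip_network(str(rule.get("source", "")), strict=False)
    except ValueError as exc:
        raise ValueError(f"bad source: {rule.get('source')!r}") from exc
    port = rule.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port!r}")
    action = str(rule.get("action", ""))
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    return proto, str(network), port, action


def render_user_input_rules(rules):
    """Render the ufw-user-input lines produced by the iptables.j2 loop."""
    lines = [f"-A ufw-user-input -p {p} -s {s} --dport {port} -j {a}"
             for p, s, port, a in map(validate_rule, rules)]
    lines.append("-A ufw-user-input -j DROP")  # catch-all; order matters, keep last
    return "\n".join(lines) + "\n"


def rejects(rule):
    """True when validate_rule refuses the rule (the tampered-input check)."""
    try:
        validate_rule(rule)
    except ValueError:
        return True
    return False
```

In the role itself the same safeguard belongs on the template task's `validate: iptables-restore --test %s`, so a render that does not parse is never loaded.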

Benefits:

  • Enhanced Flexibility: Easily define complex firewall rules and leverage advanced iptables features.
  • Improved Maintainability: Manage firewall configurations in a more structured and readable format.
  • Increased Reliability: Ensure consistent and idempotent firewall configuration across systems.
kayiwa self-assigned this Nov 5, 2024
kayiwa added the bug label Nov 5, 2024
kayiwa added a commit that referenced this issue Nov 20, 2024
The order of rules matters in ufw. We add the new defaults for ssh;
we create a template file that can allow users to place these rules and
have a predictable implementation.

Closes #5520
kayiwa added a commit that referenced this issue Nov 20, 2024
kayiwa added a commit that referenced this issue Nov 25, 2024
kayiwa added a commit that referenced this issue Nov 26, 2024