This role can be used to manage TCP Wrappers rules located in /etc/hosts.allow (by default all hosts will be denied access in /etc/hosts.deny, but this can be disabled by a variable).

Other roles can use this role as a dependency to manage access to their own services (for example, debops.mysql, debops.sshd).

By default, tcpwrappers will be configured to block access from everywhere except localhost (relative to remote host) and Ansible Controller.


This role requires at least Ansible v1.7.0. To install it, run:

ansible-galaxy install debops.tcpwrappers

Role variables

List of default variables available in the inventory:


# Should Ansible manage tcpwrappers configuration?
tcpwrappers: True

# Optional list of CIDR hosts which will be allowed to connect to sshd service.
# Entries are saved in the local facts on remote hosts.
# Remember to specify IP address from the remote host point of view.
# Format: "IP address/netmask", for example: ''
tcpwrappers_ansible_controllers: []

# Deny access from all hosts/networks by default?
tcpwrappers_deny_all: True

# Lists of /etc/hosts.allow entries. Example entry below
tcpwrappers_allow: []
tcpwrappers_group_allow: []
tcpwrappers_host_allow: []

  #- daemon: 'ALL'            # daemon to configure (sshd, mysqld, etc.)
  #  client: []               # list of host or network addresses.
                              # If empty, entry will be removed
  #  weight: '10'             # filename prefix, helps with sorting, optional
  #  filename: ''             # custom filename, optional
  #  comment: ''              # comment, optional

  #- custom: |                  # custom, free-form text block (filename required)
  #    # Custom entry
  #    # Text block
  #  filename: 'custom_entry'

# Access from localhost
  - daemon: 'ALL'
    client: [ '', '[::1]/128' ]
    comment: 'Access from localhost'
    filename: 'allow_localhost'
    weight: '06'

Authors and license

debops.tcpwrappers role was written by:

License: GPLv3