We should have done this earlier, but now that the server is running we need to ensure some level of security, so we install a firewall. The original script we used to install LAMP did not provide much security, so we will insert the new Ansible tasks into the ansible_lamp playbook so that next time we use it, the firewall comes up as soon as Apache is enabled. Fortunately there is a fantastic and comprehensive firewall script for Apache already on the net thanks to Michiel Klaver, which can be found here.

We create a new task within ansible_lamp, which we call 'firewall', add rc.iptables and sysctl.conf as templates, and follow the instructions in debian-security.txt to write our Ansible script. Adding lines to files requires an Ansible module called lineinfile.

The biggest problem I faced here was that the Klaver-supplied iptables configuration messed with Ansible access to the server, so I replaced it with the iptables configuration that I last used on my server and now I have a firewall.
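
The firewall tasks described above could be laid out as follows, with a pre-flight check and a reconnect test that guard against the lockout just mentioned. This is an added example, not the playbook from this post: the role layout, the `.j2` template names, the `/etc/rc.iptables` destination and the `/etc/rc.local` boot hook are all assumptions.

```yaml
# roles/firewall/tasks/main.yml (assumed layout; paths and template names are illustrative)
- name: Abort unless the rendered rules accept Ansible's SSH port
  ansible.builtin.assert:
    that:
      # Assumes the rule names the port numerically, e.g. "--dport 22 -j ACCEPT"
      - rendered_rules is search('--dport +' ~ ssh_port ~ ' .*-j +ACCEPT')
    fail_msg: "rc.iptables.j2 has no ACCEPT rule for tcp/{{ ssh_port }}; applying it would lock Ansible out"
  vars:
    ssh_port: "{{ ansible_port | default(22) }}"
    rendered_rules: "{{ lookup('ansible.builtin.template', 'rc.iptables.j2') }}"

- name: Install the firewall script
  ansible.builtin.template:
    src: rc.iptables.j2
    dest: /etc/rc.iptables          # assumed destination
    owner: root
    group: root
    mode: "0700"
  register: fw_script

- name: Install the kernel network settings
  ansible.builtin.template:
    src: sysctl.conf.j2
    dest: /etc/sysctl.conf
    owner: root
    group: root
    mode: "0644"
  register: sysctl_conf

- name: Load the new kernel settings
  ansible.builtin.command: sysctl -p /etc/sysctl.conf
  when: sysctl_conf is changed

- name: Run the firewall script at boot (assumed hook; rc.local must already exist)
  ansible.builtin.lineinfile:
    path: /etc/rc.local
    line: /etc/rc.iptables
    insertbefore: '^exit 0'

- name: Apply the rules now
  ansible.builtin.command: /etc/rc.iptables
  when: fw_script is changed

- name: Drop the current SSH session so the next task has to reconnect
  ansible.builtin.meta: reset_connection

- name: Confirm new SSH connections still pass the firewall
  ansible.builtin.wait_for_connection:
    timeout: 30
```

The assert runs on the control node before anything is copied, so a template that forgets the SSH port fails the play while the server is still reachable.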