I am currently looking into ansibles to store my configurations and deploy services more easily.
I have couple of iptable rules in /etc/iptables/rules.v4, which I can easily restore. Meanwhile, ansible has iptable role for configurations - hence, I am confused on what approach to take.
How do I persist this rules, especially across reboots? Should I rerun ansible every time on each reboot? I am at loss on how to best manage iptables, as other services can interact with it. How do you folks handle this? Thanks in advance!
You must log in or register to comment.
I second the use of nftables instead. Optimally with a pre-made role like this one: https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/
You want something outside of IPtables like Firewalld. Ansible should only run to make changes to a existing system.
Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.
nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in
/etc/nftables.conf, then I have a very simple systemd unit:[Unit] Description=Restore nftables firewall rules Before=network-pre.target [Service] Type=oneshot ExecStart=/usr/sbin/nft -f /etc/nftables.conf ExecStop=/usr/sbin/nft flush table inet filter RemainAfterExit=yes [Install] WantedBy=multi-user.targetand finally if I push updates via ansible I simply replace the file and run
nft -f /etc/nftables.conf(via ansible; on-change event).Edit: oh and as an example how the actual rules file looks like:
#!/usr/bin/nft -f add table inet filter flush table inet filter table inet filter { chain input { type filter hook input priority 0; # allow established/related connections ct state {established, related} accept # early drop of invalid connections ct state invalid drop # allow from loopback iifname lo accept # allow icmp ip protocol icmp accept ip6 nexthdr icmpv6 accept # core services tcp dport {80, 443} accept comment "allow http(s)" udp dport 443 accept comment "allow http3" # everything else reject with icmpx type port-unreachable } }and with that I have my ipv4+6 firewall that allows pings and http
Thanks, but I looked up and learned to prefer the idempotence to be handled by ansible. Ansible support iptables by default, while nftables need a plugin, so iptables it is for me.
If I understand you want iptables to be persistent across reboots? Would the following be useful?:
apt-get update -y && apt-get install iptables-persistent -y service netfilter-persistent saveI have no clue about ansible as I have not explored that region of selfhosting yet. It’s on the list tho.
I have used both, can tell you that a template file of
/etc/iptables/rules.v4withiptables-persistentis the easiest way.if you go the full IaC route and have vars for the rules, remember to get iptables to save its state after you have applied your rules
Thank you! Templating rules.v4 is a pretty attractive option. Though my VPS has some portions of the file which should be unmodified, so I would have to avoid this method.
That’s the point of the template, you change the bits the need change and the bits that are static get templated
How do I keep some of the existing firewall rules (which is dependent on host) in the remote file, and change the other parts?
You could either copy them to the top of your template, or you could take a look at the blockinfile module
Thanks a lot! I will go with the blockinfile, sounds promising.
The way I have my file, is a load of default stuff. Like block windows ports and allow SSH.
With a for loop that adds stuff for a specific host, like allow http/s for the web server.
Generally, you set up a rule + command playbook, where the command invokes the iptables-save command.
Yeah,
ansible.builtin.iptablesmakes the changes and the task then notifies a handler to invokeiptables-save.There’s a bunch of posts about the iptables-save function of the built-in iptables module not working in many cases, so I figured it was a safer bet to suggest the playbook include an actual command invocation.
In my personal experience, the module doesnt actually save the persistent rule in about half the cases. I haven’t looked into it much, but it seems happen more on systems where systemd iptables-firewall is present. (Not trying to start a flame war)
Sorry for being unclear, that’s what I meant. Set rules using the Ansible module, make them persistent by notifying a handler that makes a cmd call.
For your information, iptables should not be used anymore. It has been deprecated. Nowadays you should use nftables, it’s successor made by the same company.
