So I've been thinking through a clean way to build iptables rule sets with some re-use between the debian/ubuntu/redhat/centos world, and this is the strategy I've come up with in pseudo code:

- in a common bootstrap role: create /etc/sysconfig/iptables.d

- in a debian/ubuntu bootstrap role: install iptables-persist, disable ufw

- In any of your application roles, have a template or file with contents like:

    -A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 6000:7999 -j ACCEPT

  that gets dropped into /etc/sysconfig/iptables.d

- In a "chinstrap" role (runs after all other roles), use the assemble module to sum everything in /etc/sysconfig/iptables.d/ together and place it in /etc/sysconfig/iptables (RedHat) or /etc/iptables/v4.rules (Ubuntu), and notify a handler to restart iptables if the assembled file has changed.

The tricky part was the ordering, but that seems ok -- the chinstrap role creates a segment named 0000-begin that contains all the necessary beginning entries for the iptables config, and zzzz-end that contains the ending bits. Everything else gets merged in between begin & end.

Does this sound kosher? It works in the technical sense. If only firewalld existed in RHEL < 7.

- James
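One way the "chinstrap" step above could look as a playbook, added here as an example and not James's or any project's code. It assumes the bootstrap role already created /etc/sysconfig/iptables.d, that application fragments are named NNNN-<app> so they sort between 0000-begin and zzzz-end, the RedHat rules path and service name, and that iptables-restore --test is available; the validate step is the check worth keeping, since a malformed fragment then fails the task instead of being pushed to the live ruleset.

```yaml
# Added example, not from the original post. Assumed: fragment naming,
# RedHat paths/service name; see the lead-in.
- hosts: all
  become: true
  vars:
    iptables_d: /etc/sysconfig/iptables.d
    # Assumed: on Debian/Ubuntu point this at the file iptables-persistent loads.
    iptables_rules_file: /etc/sysconfig/iptables
  tasks:
    - name: Header fragment, sorts first (table, default policies, baseline)
      copy:
        dest: "{{ iptables_d }}/0000-begin"
        mode: "0600"
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

    - name: Trailer fragment, sorts last (catch-all reject and COMMIT)
      copy:
        dest: "{{ iptables_d }}/zzzz-end"
        mode: "0600"
        content: |
          -A INPUT -j REJECT --reject-with icmp-host-prohibited
          COMMIT

    - name: Assemble fragments into the live ruleset
      assemble:
        src: "{{ iptables_d }}"
        dest: "{{ iptables_rules_file }}"
        regexp: '^[0-9a-z]{4}-'        # skip *.rpmsave, editor backups, etc.
        mode: "0600"
        # Parse the assembled file before it replaces the live one; a bad
        # fragment fails the task instead of leaving the host unfiltered.
        validate: /sbin/iptables-restore --test %s
      notify: restart iptables

  handlers:
    - name: restart iptables
      service:
        name: iptables
        state: restarted
```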
