On Mon, Nov 25, 2013 at 11:04 PM, James Martin <[email protected]> wrote:
> Does this sound kosher?
Yes it does, this is almost the same approach I've taken. There are a
few gotchas to be aware of, however.
- iptables has multiple tables (filter, nat, mangle, raw and security,
  I believe), "filter" is just the default table. If you're
  concatenating your fragments together like this, you're locked into
  always using filter for your rules. I solved this by:
  * Having per-table begin and end snippets, with the table name
    prefixed to the snippet name
  * Having per-table snippets with actual rules, again with the table
    name prefixed to the snippet name
- iptables and ip6tables have their own iptables-restore and
  ip6tables-restore respectively, so you need two sets of snippets, one
  for ipv4 and one for ipv6. Although 90% of your rules will probably
  look identical, there are subtle nuances so I would stress not to try
  and use the same rules-file for iptables and ip6tables.
- fail2ban [1] and other similar tools that add their own chains have
  these chains wiped out when iptables-restore is run. My "firewall
  activate" role fires a handler which restarts fail2ban for this
  reason.
I wrote a small module [2] to help with making snippets in other roles
though, as using template or copy for it felt like exposing too much
implementation detail. I still supply the rule in a "raw" form, but
allow the module to abstract away a few things. This way I can just
set present/absent on it, specify the iptables version (4 or 6) as
well as the table (with a default of "filter"). In playbooks, it looks
like this:
- name: Open up firewall ports 80 and 443
  iptables:
    state: present
    ipversion: "{{ item.version }}"
    name: "{{ item.name }}"
    rules: "{{ item.rules }}"
  with_items:
    - name: 50_nginx
      version: 4
      rules: |
        -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    - name: 50_nginx
      version: 6
      rules: |
        -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  when: nginx_firewall_integration|default(False)
Since in this case (usually it will be this way, but not always) the
rules for 4 and 6 are identical, it can also be condensed to:
- name: Open up firewall ports 80 and 443
  iptables:
    state: present
    ipversion: "{{ item }}"
    name: 50_nginx
    rules: |
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  with_items: [4,6]
  when: nginx_firewall_integration|default(False)
[1]: http://www.fail2ban.org
[2]: https://gist.github.com/zoni/7655561
--
Nick Groenen | zoni | @NickGroenen
https://zoni.nl | GnuPG/GPG key ID: 0xAB5382F6
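As an added example, not the poster's gist module or any project code, here is a small Python assembler for the per-table snippet scheme described in the reply above: it groups snippets into one "*table ... COMMIT" block per table using an assumed "<table>_<NN>_<label>" naming convention, keeps one ip version per call, and rejects any snippet that contains a "*table" or "COMMIT" line, since such a line would end the table block early and silently drop every rule after it. The chain policies in TABLE_BEGIN are constructed sample values.

```python
import re

# Tables iptables-restore knows about, in the order blocks are emitted.
TABLES = ("filter", "nat", "mangle", "raw", "security")

# Constructed "begin" snippets; chain policies are sample values, not the poster's.
TABLE_BEGIN = {
    "filter": ":INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]",
    "nat": ":PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]",
}

_CONTROL = re.compile(r"^\s*(\*\w+|COMMIT)\s*$", re.IGNORECASE)  # structure lines

def split_name(name):
    """Assumed snippet naming convention: '<table>_<NN>_<label>'."""
    table, _, rest = name.partition("_")
    if table not in TABLES:
        raise ValueError(f"unknown table prefix in snippet {name!r}")
    return table, rest

def clean_rules(name, rules):
    """Rule lines of one snippet, minus blanks and comments. A stray '*table'
    or 'COMMIT' would truncate the assembled file, so it is rejected outright."""
    out = []
    for line in rules.splitlines():
        if _CONTROL.match(line):
            raise ValueError(f"{name!r} contains control line {line.strip()!r}")
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    return out

def assemble(snippets):
    """snippets: {name: rule_text} for ONE ip version (keep v4 and v6 apart).
    Returns iptables-restore input, one *table ... COMMIT block per table."""
    per_table = {t: [] for t in TABLES}
    for name in sorted(snippets):  # lexical sort: the NN prefix orders rules
        table, _ = split_name(name)
        per_table[table].extend(clean_rules(name, snippets[name]))
    out = []
    for table in TABLES:
        if not per_table[table]:
            continue  # tables with no rules are not mentioned, so not flushed
        out.append(f"*{table}")
        if table in TABLE_BEGIN:
            out.append(TABLE_BEGIN[table])
        out.extend(per_table[table])
        out.append("COMMIT")
    return "\n".join(out) + "\n"
```

Run it once per ip version (one snippet set for iptables-restore, another for ip6tables-restore) and feed the returned text to the matching restore command.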