This is great stuff, thanks!

On Tue, Nov 26, 2013 at 5:02 AM, Nick Groenen <[email protected]> wrote:
> On Mon, Nov 25, 2013 at 11:04 PM, James Martin <[email protected]> wrote:
>> Does this sound kosher?
>
> Yes it does, this is almost the same approach I've taken. There are a
> few gotchas to be aware of, however.
>
> - iptables has multiple tables (filter, nat, mangle, raw and security,
>   I believe), "filter" is just the default table. If you're
>   concatenating your fragments together like this, you're locked into
>   always using filter for your rules. I solved this by:
>   * Having per-table begin and end snippets, with the table name
>     prefixed to the snippet name
>   * Having per-table snippets with actual rules, again with the table
>     name prefixed to the snippet name
>
> - iptables and ip6tables have their own iptables-restore and
>   ip6tables-restore respectively, so you need two sets of snippets, one
>   for ipv4 and one for ipv6. Although 90% of your rules will probably
>   look identical, there are subtle nuances so I would stress not to try
>   and use the same rules-file for iptables and ip6tables.
>
> - fail2ban [1] and other similar tools that add their own chains have
>   these chains wiped out when iptables-restore is run. My "firewall
>   activate" role fires a handler which restarts fail2ban for this
>   reason.
>
> I wrote a small module [2] to help with making snippets in other roles
> though, as using template or copy for it felt like exposing too much
> implementation detail. I still supply the rule in a "raw" form, but
> allow the module to abstract away a few things. This way I can just
> set present/absent on it, specify the iptables version (4 or 6) as
> well as the table (with a default of "filter"). In playbooks, it looks
> like this:
>
> - name: Open up firewall ports 80 and 443
>   iptables:
>     state: present
>     ipversion: "{{ item.version }}"
>     name: "{{ item.name }}"
>     rules: "{{ item.rules }}"
>   with_items:
>     - name: 50_nginx
>       version: 4
>       rules: |
>         -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>         -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>     - name: 50_nginx
>       version: 6
>       rules: |
>         -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>         -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>   when: nginx_firewall_integration|default(False)
>
> Since in this case (usually it will be this way, but not always) the
> rules for 4 and 6 are identical, it can also be condensed to:
>
> - name: Open up firewall ports 80 and 443
>   iptables:
>     state: present
>     ipversion: "{{ item }}"
>     name: 50_nginx
>     rules: |
>       -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>       -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>   with_items: [4,6]
>   when: nginx_firewall_integration|default(False)
>
>
> [1]: http://www.fail2ban.org
> [2]: https://gist.github.com/zoni/7655561
>
> --
> Nick Groenen | zoni | @NickGroenen
> https://zoni.nl | GnuPG/GPG key ID: 0xAB5382F6
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
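The snippet-concatenation scheme Nick describes (per-table begin/end snippets, table name prefixed to the snippet name, separate IPv4 and IPv6 sets) is easy to get wrong silently: a rule dropped into the wrong table's snippet, or a rule carrying `-t`, is only rejected when `iptables-restore` runs on the host. The assembler below is an added example, not code from this thread or from the linked gist, that groups constructed in-memory snippets by table prefix, concatenates them in name order, and validates each table's block before it is handed to `iptables-restore`: the block must open with `*<table>` and close with `COMMIT`, no rule may select a table with `-t`, and every `-A/-I/-D/-R` must target a chain that the table's begin snippet (or a `-N` line) declared. The snippet names, the `filter_00_begin` / `filter_99_end` naming, and the sample rules are assumptions chosen to match the thread's description.

```python
import re
from collections import defaultdict

# Constructed sample snippets for IPv4 (not from the thread or the gist).
# The table name is the prefix, the number orders snippets within a table,
# and each table has its own begin and end snippet.
SNIPPETS_V4 = {
    "filter_00_begin": "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n",
    "filter_10_base": "-A INPUT -i lo -j ACCEPT\n"
                      "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n",
    "filter_50_nginx": "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n"
                       "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\n",
    "filter_99_end": "COMMIT\n",
    "nat_00_begin": "*nat\n:PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n"
                    ":OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n",
    "nat_50_masq": "-A POSTROUTING -o eth0 -j MASQUERADE\n",
    "nat_99_end": "COMMIT\n",
}

# IPv6 keeps its own set: same HTTP rules, but ICMPv6 has to be allowed for
# neighbour discovery, one of the "subtle nuances" between the two stacks.
SNIPPETS_V6 = {
    "filter_00_begin": SNIPPETS_V4["filter_00_begin"],
    "filter_10_base": "-A INPUT -i lo -j ACCEPT\n"
                      "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
                      "-A INPUT -p ipv6-icmp -j ACCEPT\n",
    "filter_50_nginx": SNIPPETS_V4["filter_50_nginx"],
    "filter_99_end": "COMMIT\n",
}

RULE_RE = re.compile(r"^-(?:A|I|D|R)\s+(\S+)")        # -A CHAIN ...
CHAIN_DECL_RE = re.compile(r"^:(\S+)\s")               # :CHAIN POLICY [p:b]
NEW_CHAIN_RE = re.compile(r"^-N\s+(\S+)")              # -N CHAIN
TABLE_OPT_RE = re.compile(r"(^|\s)(-t|--table)(\s|=)")  # forbidden in restore input


class SnippetError(ValueError):
    """A snippet would make iptables-restore fail or land in the wrong table."""


def group_by_table(snippets):
    """Group snippet names by their table prefix, sorted by name within a table."""
    tables = defaultdict(list)
    for name in sorted(snippets):
        table, _, rest = name.partition("_")
        if not rest:
            raise SnippetError(f"snippet {name!r} has no table prefix")
        tables[table].append(name)
    return tables


def check_table(table, names, snippets):
    """Concatenate one table's snippets and validate the resulting block."""
    text = "".join(snippets[n] for n in names)
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    if not lines or lines[0] != f"*{table}":
        raise SnippetError(f"table {table}: first line must be '*{table}'")
    if lines[-1] != "COMMIT":
        raise SnippetError(f"table {table}: last line must be COMMIT")
    known = set()
    for line in lines[1:-1]:
        decl = CHAIN_DECL_RE.match(line) or NEW_CHAIN_RE.match(line)
        if decl:
            known.add(decl.group(1))
            continue
        if TABLE_OPT_RE.search(line):
            raise SnippetError(f"table {table}: '-t' is not allowed in restore input: {line}")
        rule = RULE_RE.match(line)
        if rule and rule.group(1) not in known:
            raise SnippetError(f"table {table}: chain {rule.group(1)!r} is not declared here: {line}")
    return text


def assemble(snippets):
    """Return iptables-restore input for one IP version, one block per table."""
    tables = group_by_table(snippets)
    return "".join(check_table(t, names, snippets) for t, names in tables.items())


def is_valid(snippets):
    """True if the snippet set assembles without a SnippetError."""
    try:
        assemble(snippets)
        return True
    except SnippetError:
        return False


if __name__ == "__main__":
    # Write one file per IP version; each is fed to its own restore tool.
    for version, snippets in (("4", SNIPPETS_V4), ("6", SNIPPETS_V6)):
        print(f"# rules.v{version}\n{assemble(snippets)}")
```

Writing the two outputs to separate files and running `iptables-restore --test < rules.v4` and `ip6tables-restore --test < rules.v6` parses the ruleset on the target without committing it, which is a cheap check to run in a handler before the real restore; the restart of fail2ban that Nick mentions still has to follow the real restore, because the assembled file contains none of fail2ban's own chains.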
