Hi James,

If you do not mind using a tool, ferm [1] configuration is very, very close to the iptables syntax and includes an @include statement that makes the assemble step unnecessary. Oh, and it has syntax for managing the ipv4/ipv6 duplication.

[1] http://ferm.foo-projects.org/

Regards,
Joost

On Monday, 25 November 2013 23:04:37 UTC+1, James Martin wrote:
>
> So I've been thinking through a clean way to build iptables rule sets
> with some re-use between debian/ubuntu/redhat/centos world, and this
> is the strategy I've come up with in pseudo code:
>
> in a common bootstrap role:
>
> create /etc/sysconfig/iptables.d
>
> in a debian/ubuntu bootstrap role:
> install iptables-persist, disable ufw
>
> In any of your application roles, have a template or file with contents
> like:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 6000:7999 -j ACCEPT
>
> that gets dropped into /etc/sysconfig/iptables.d
>
> In a "chinstrap" role (runs after all other roles), use the assemble
> module to sum everything in /etc/sysconfig/iptables.d/ together and
> place it in /etc/sysconfig/iptables (RedHat) or /etc/iptables/v4.rules
> (Ubuntu), and notify a handler to restart iptables if the assembled
> file has changed.
>
> The tricky part was the ordering, but that seems ok -- the chinstrap
> role creates a segment named 0000-begin that contains all the
> necessary beginning entries for the iptables config, and zzzz-end that
> contains the ending bits. Everything else gets merged in between
> begin & end.
>
> Does this sound kosher? It works in the technical sense. If only
> firewalld existed in RHEL < 7.
>
> - James

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
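An added example, not part of the thread and not code from Ansible or ferm: a POSIX shell emulation of the fragment-assembly step James describes (0000-begin, per-application fragments, zzzz-end, concatenated in lexical order), followed by a structural check of the result before anything like iptables-restore gets to see it. The directory layout, fragment names and rule lines are constructed for the example, and `check_rules` is this example's own helper, not an iptables or Ansible feature.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the "assemble" step, then
# sanity-check the assembled ruleset. Fragment names and rules are constructed.
set -eu
export LC_ALL=C   # byte-order sorting: 0000-begin < <app fragments> < zzzz-end

# Populate $1 with the begin/end segments plus two application fragments.
make_fragments() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/0000-begin" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  cat > "$dir/rabbitmq" <<'EOF'
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6000:7999 -j ACCEPT
EOF
  # Deliberately written without a trailing newline: a template that ends this
  # way would be fused onto the next fragment by a plain "cat *" concatenation.
  printf '%s' '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' > "$dir/sshd"
  printf 'COMMIT\n' > "$dir/zzzz-end"
}

# Concatenate every fragment in $1 in lexical order, terminating each one
# with a newline if it lacks one. Output goes to stdout.
assemble_rules() {
  for f in "$1"/*; do
    cat "$f"
    [ -z "$(tail -c1 "$f")" ] || echo
  done
}

# Structural check of an assembled file: *filter on the first line, COMMIT on
# the last, no second *filter header, and every -A rule applied to a chain
# declared with a ":CHAIN POLICY [0:0]" line. Returns 0 when well-formed,
# 1 otherwise, with each problem reported on stderr.
check_rules() {
  awk '
    function bad(msg) { print "check_rules: " FILENAME ":" NR ": " msg > "/dev/stderr"; rc = 1 }
    NR == 1 && $0 != "*filter" { bad("first line must be *filter") }
    /^\*filter$/ { if (NR != 1) bad("second *filter header"); next }
    /^:/         { chains[$1] = 1; next }
    /^-A /       { if (!((":" $2) in chains)) bad("rule for undeclared chain " $2); next }
    /^COMMIT$/   { commit = NR; next }
    /^(#|$)/     { next }
    { bad("unexpected line: " $0) }
    END { if (NR == 0 || commit != NR) bad("COMMIT must be the last line"); exit rc }
  ' "$1"
}

# Stand-alone demonstration: sh assemble.sh demo
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_fragments "$work/iptables.d"
  assemble_rules "$work/iptables.d" > "$work/iptables"
  if check_rules "$work/iptables"; then
    cat "$work/iptables"
  else
    echo "refusing to install a malformed ruleset" >&2
  fi
  rm -rf "$work"
fi
```

Two details are worth carrying over into whatever actually does the assembly. First, the trailing-newline guard in `assemble_rules`: a template rendered without a final newline otherwise merges its last rule with the first line of the following fragment, and the resulting line is rejected by iptables-restore in the best case. Second, a structural check between "assembled file changed" and "restart iptables": a stray fragment that references a chain no begin segment declares, or a missing zzzz-end, should fail the play rather than leave the host with whatever partial ruleset the restore got through before it errored.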
