"CentOS has /etc/sysconfig/iptables if I knew iptables."

Learning iptables config is not hard actually, nor is templating it.

It can be used for very complex things (http://www.ex-parrot.com/pete/upside-down-ternet.html), but simple accept/deny rules are straightforward. You just write the iptables config file and then have to do /sbin/service iptables restart to make it "apply".

Google "manage iptables" and you should be able to find some good examples. I can't say I have any specific tutorials or references that I like, but others may have some good ones.

So anyway, hopefully at least good for some encouragement!

On Thu, Dec 11, 2014 at 9:41 PM, David Reagan <[email protected]> wrote:
>
> So, to resurrect an old topic... And remind myself why I like having a hardware firewall covering my behind...
>
> I've about figured out how to use the UFW module correctly. Which makes me happy.
>
> Unfortunately, I have to administer SLES and CentOS VMs as well. I was going to use the firewalld module, but then I couldn't find a firewalld package in the repos to install...
>
> That leaves me kind of hanging...
>
> CentOS has /etc/sysconfig/iptables if I knew iptables.
>
> Not sure if SLES has a decent command line interface I could use... It does use a GUI tool, and forces me to install a GUI on the server, so I might just run them manually...
>
> Anyway, apologies for the rambling, it's the end of the day for me. Here are my questions:
>
> Has anyone looked at creating an iptables module that would just work on all OSes that have Python and iptables? Maybe make the most common stuff easy, and then have a way for people to input a full iptables command? So, for people running simple stuff, like me, could make a task like
>
> iptables: ports="22,2222" proto="tcp,udp" allowed_from="10.0.0.0/8" allowed_to="everywhere"
>
> More complicated stuff could be:
>
> iptables: command="stuff that is currently gibberish to me"
>
> Micheal, you mentioned a config file, which one were you talking about?
>
> Is there a way to install firewalld that my google-fu missed? Or even ufw?
>
> Is there a really good introduction to iptables that you would recommend? Since the obvious route to solve my problem is to suck it up and learn iptables...
>
> Thanks!
>
> --David Reagan
>
> On Tue, Oct 8, 2013 at 8:09 AM, Michael DeHaan <[email protected]> wrote:
>
>> Generally speaking, I like to do the following with iptables:
>>
>> {% if 'webservers' in group_names %}
>> section of iptables config for webservers
>> {% endif %}
>>
>> And just template the config file, and set up a notify to reload iptables when it changes.
>>
>> I should also point out there is a firewalld module in the devel branch now too.
>>
>> On Tue, Oct 8, 2013 at 9:15 AM, Guillaume Subiron <[email protected]> wrote:
>>
>>> I also think shorewall is a good way to deploy firewall configuration using ansible.
>>>
>>> I tried to use iptables-persistent, but shorewall allows you to split the rules into many files. Using run-parts in /etc/shorewall/rules, you can put any file in rules.d/.
>>>
>>> So in my "common" playbook, I only deploy common rules (close everything by default, allow ping and ssh). Then, each role can add some rules. The "webserver" role, for instance, adds a rule file to open the HTTP and HTTPS ports.
>>>
>>> You just have to pay attention to the order in which the files will be executed.
>>>
>>> On 13/10/08 14:43, Kahlil Hodgson wrote:
>>> > I'm using shorewall for all my VMs. It's kinda overkill for a single nic, but I find it works quite well with ansible.
>>> > The configuration for VMs with a single nic is very basic.
>>> >
>>> > The files
>>> >
>>> > shorewall.conf (one setting changed from default)
>>> > policy (3 lines)
>>> > zones (2 lines)
>>> > interfaces (1 line)
>>> >
>>> > are somewhat trivial and identical across all VMs.
>>> >
>>> > The
>>> >
>>> > rules (3 - 10 lines)
>>> >
>>> > file is where the ingress and egress filtering is controlled and is easily templated.
>>> >
>>> > I also 'chain' handlers as follows to ensure modifications don't leave iptables in a bad state:
>>> >
>>> > tasks:
>>> >   ....
>>> >     notify: check shorewall
>>> >   ....
>>> >
>>> > handlers:
>>> >   - name: check shorewall
>>> >     command: /sbin/shorewall check
>>> >     notify: restart shorewall
>>> >
>>> >   - name: restart shorewall
>>> >     action: service name=shorewall state=restarted
>>> >
>>> > I'm happy to provide some initial content to get you started.
>>> >
>>> > Cheers,
>>> >
>>> > K
>>> >
>>> > Kahlil (Kal) Hodgson GPG: C9A02289
>>> > Head of Technology (m) +61 (0) 4 2573 0382
>>> > DealMax Pty Ltd (w) +61 (0) 3 9008 5281
>>> >
>>> > Suite 1415
>>> > 401 Docklands Drive
>>> > Docklands VIC 3008 Australia
>>> >
>>> > "All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer." -- IBM maintenance manual, 1925
>>> >
>>> > On Tue, Oct 8, 2013 at 1:49 PM, David Reagan <[email protected]> wrote:
>>> > > Yes, the firewall also manages internal DMZs. We are protected quite well; adding the firewall to the VMs on our network is just one extra step to be as secure as possible.
>>> > >
>>> > > I do have a few VMs outside the main firewall; on those I'm currently using ufw.
>>> > >
>>> > > So the main point of my post was just to get a general idea of how others are managing firewalls with Ansible.
>>> > >
>>> > > --David Reagan
>>> > >
>>> > > On Mon, Oct 7, 2013 at 5:38 PM, Luke Tislow <[email protected]> wrote:
>>> > >>
>>> > >> I'd say whatever your external rules are will cover that; the rest of the requirements should be on your internal side.
>>> > >>
>>> > >> Do you manage your internal networks and adjust firewalls?
>>> > >>
>>> > >> -luke
>>> > >>
>>> > >> On Oct 7, 2013 7:10 PM, "David Reagan" <[email protected]> wrote:
>>> > >>>
>>> > >>> So far I've found a few tools that let me manage linux firewalls.
>>> > >>>
>>> > >>> iptables
>>> > >>> ufw
>>> > >>> shorewall
>>> > >>> ferm
>>> > >>>
>>> > >>> I'm not skilled with any of them, and ufw is the only one I've really used. I know enough to block everything but the ports I actually use. I'm a bit fuzzy on firewalls because we have a very good hardware firewall in place that I don't manage. Adding firewalls to each VM is me being extra careful.
>>> > >>>
>>> > >>> Both iptables and ufw appear to operate by running commands on the command line. So I could do that via the command or shell module. That means I'd end up running the firewall commands every time I run my Ansible playbooks. And I think I'd end up restarting the firewall every time as well.
>>> > >>>
>>> > >>> Both of those things don't seem like good things to do. Am I right in that? Or would it be perfectly fine to run the commands and restart the firewall every time I run Ansible?
>>> > >>>
>>> > >>> Shorewall and ferm appear to use config files to set the rules, then they run the iptables commands for you from them. At least I think that's how they work. That would let me use templates for the config file. I like that. But I don't like how complicated the files are. Both projects' documentation is kind of hard to figure out where to start.
>>> > >>>
>>> > >>> I did find the start of a ufw module (https://groups.google.com/d/topic/ansible-project/I1Vd3oPBfFw/discussion), but it doesn't look like it's going anywhere.
>>> > >>>
>>> > >>> What other options are there? What do you do?
>>> > >>>
>>> > >>> --
>>> > >>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>>> > >>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> > >>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>> --
>>> Guillaume Subiron
>>> Mail - [email protected]
>>> GPG - C7C4 455C
>>> Jabber - [email protected]
>>> IRC - maethor@(freenode|geeknode)
>>
>> --
>> Michael DeHaan <[email protected]>
>> CTO, AnsibleWorks, Inc.
>> http://www.ansibleworks.com/
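An added example, not from any message in this thread: one playbook that combines Michael's "template the config, notify on change" pattern with Kahlil's "check before restart" idea, aimed at the /etc/sysconfig/iptables file David mentions. The variable ssh_allowed_from, the group name webservers, and using iptables-restore --test as the pre-write validator are my assumptions; it expects the classic iptables init service (CentOS 6, or iptables-services on CentOS 7).

```yaml
---
# Added example (not from the thread). Renders the iptables-save format file
# from an inline Jinja2 template, refuses to write it if it does not parse,
# and restarts the service only when the file actually changed.
- hosts: all
  become: yes
  vars:
    ssh_allowed_from: ["10.0.0.0/8"]          # assumed inventory variable
    iptables_config: /etc/sysconfig/iptables  # CentOS/RHEL path from the thread
  tasks:
    - name: render iptables ruleset (only written if it validates)
      copy:
        dest: "{{ iptables_config }}"
        owner: root
        group: root
        mode: "0600"
        # %s is the temp file Ansible rendered; a parse error aborts the task
        # before the live file is touched, so a bad edit never reaches the box.
        validate: /sbin/iptables-restore --test %s
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          -A INPUT -p icmp -j ACCEPT
          {% for cidr in ssh_allowed_from %}
          -A INPUT -p tcp --dport 22 -s {{ cidr }} -m conntrack --ctstate NEW -j ACCEPT
          {% endfor %}
          {% if 'webservers' in group_names %}
          -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
          {% endif %}
          -A INPUT -j REJECT --reject-with icmp-host-prohibited
          COMMIT
      notify: restart iptables
  handlers:
    # Runs once at the end of the play, and only if the copy task changed
    # something, so repeated playbook runs do not bounce the firewall.
    - name: restart iptables
      service:
        name: iptables
        state: restarted
```

Because the default INPUT policy is DROP, keep the ssh allow rule (and your own source network in ssh_allowed_from) in place before testing on a remote host, or the restart will lock you out.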
