Automating iptables with Ansible: Part 3


One of the best things about blogging is the comments you get from people around the world. I had a comment on my post about iptables in which someone recommended a different approach. Well, it turns out I like his idea better. In his wiki, macbarfuss demonstrates a method that uses ferm @includes instead of host variables.

You can read it on his page so I’ll just summarize it:

  1. In your base role, install ferm, the main ferm conf, and a ferm.d directory to hold ferm fragments.
  2. Each role adds its own fragments to the ferm.d directory. The main ferm conf file includes them.

Very simple. No role has to know about another, and you can build very complex iptables configurations. The only downside is that you have to give up perfect idempotency: Ansible does not support this pattern (and doesn’t seem likely to in the future), but this is a worthwhile trade.

There are a couple of things I suggest you add to his instructions.

  • In the base role and in the other roles, remove all the notify code and handlers. You don’t need them; they are redundant.
  • Add a new role (something like “iptables-end”) with two tasks and no handlers: a) run ferm, b) save the iptables rules. Add this as the last role for your hosts in site.yml.
  • ferm loads your fragments in alphabetical order, so you need to use the old Unix trick of numbering your files. For example, name your fragments “100_web_server” or “110_mysql_server”. I use a number plus the role name.
  • Include an end fragment in your base role that has the highest number in your series, e.g. “999_iptables_end”. You may or may not need this. I use this fragment to send blocked packets to the log. Because of the numbering, this fragment is always loaded last.
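Since the wiki page this post refers to is no longer available, here is a worked layout of the whole pattern as an added example. It is not macbarfuss’s code or mine; it assumes the Debian/Ubuntu ferm layout (/etc/ferm/ferm.conf, /etc/ferm/ferm.d), a hypothetical role named web_server, and that iptables-persistent provides /etc/iptables/rules.v4 for the save step. Several role files are shown in one block, separated by comment headers.

```yaml
# roles/base/tasks/main.yml  (hypothetical role paths; Debian/Ubuntu ferm layout assumed)
- name: Install ferm
  ansible.builtin.apt:
    name: ferm
    state: present

- name: Directory that holds one firewall fragment per role
  ansible.builtin.file:
    path: /etc/ferm/ferm.d
    state: directory
    owner: root
    group: root
    mode: "0750"

- name: Main ferm configuration that pulls in every fragment
  ansible.builtin.copy:
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
    content: |
      # Base policy: default-deny inbound; allow loopback, established flows, ping and ssh.
      domain ip table filter {
          chain INPUT {
              policy DROP;
              mod state state INVALID DROP;
              mod state state (ESTABLISHED RELATED) ACCEPT;
              interface lo ACCEPT;
              proto icmp ACCEPT;
              proto tcp dport ssh ACCEPT;
          }
          chain OUTPUT policy ACCEPT;
          chain FORWARD policy DROP;
      }
      # Trailing slash: ferm includes every file in the directory, sorted by name.
      @include 'ferm.d/';

- name: End fragment, loaded last because 999 sorts after every role number
  ansible.builtin.copy:
    dest: /etc/ferm/ferm.d/999_iptables_end
    owner: root
    group: root
    mode: "0640"
    content: |
      # Rate-limited log of whatever the DROP policy is about to discard.
      domain ip table filter chain INPUT {
          mod limit limit 5/minute LOG log-prefix "ferm-drop: ";
      }

# roles/web_server/tasks/main.yml  (hypothetical role; no handler, no notify)
- name: Firewall fragment contributed by the web server role
  ansible.builtin.copy:
    dest: /etc/ferm/ferm.d/100_web_server
    owner: root
    group: root
    mode: "0640"
    content: |
      domain ip table filter chain INPUT {
          proto tcp dport (http https) ACCEPT;
      }

# roles/iptables-end/tasks/main.yml  (must be the last role in site.yml)
- name: Apply the assembled ruleset
  ansible.builtin.command: ferm /etc/ferm/ferm.conf
  changed_when: true   # always reports changed: this is the idempotency trade-off from the post

- name: Persist the active rules (assumes iptables-persistent is installed)
  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
  changed_when: true

# site.yml
- hosts: all
  become: true
  roles:
    - base
    - web_server
    - iptables-end
```

The resulting chain order is the base rules from ferm.conf, then 100_web_server, then 999_iptables_end, so the web role’s ACCEPT rules are always evaluated before the final LOG rule and the DROP policy. A quick way to check the assembled ruleset before applying it on a host is `ferm --noexec --lines /etc/ferm/ferm.conf`, which prints the iptables commands ferm would run.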

My thanks to macbarfuss for this great idea.



Categories: DevOps


2 replies

  1. If you run debian or ubuntu, you can use this ufw role to manage your firewall rules https://galaxy.ansible.com/list#/roles/298


  2. This was a really helpful series of posts! I knew there had to be a better way to automate firewall rules than templating an iptables restore file or using ansible’s iptables module; I just didn’t know how until I found your posts.

    I wanted to let you know that the article you’ve linked to seems to be dead. My implementation is currently modeled after the approach you describe in step 2. I think I can transition to this new approach with your comments and the help of my friend google, but you might consider elaborating just a little bit due to the dead link; we can’t see the examples that you are making your suggestions based on.

    But either way, an extremely helpful series of posts. Hats off to you for your help and insight!

    Tim

