On Mon, Nov 25, 2013 at 11:04 PM, James Martin <jmar...@basho.com> wrote:
> Does this sound kosher?

Yes it does; this is almost the same approach I've taken. There are a
few gotchas to be aware of, however.

- iptables has multiple tables (filter, nat, mangle, raw and security,
I believe), "filter" is just the default table. If you're
concatenating your fragments together like this, you're locked into
always using filter for your rules. I solved this by:
  * Having per-table begin and end snippets, with the table name
prefixed to the snippet name
  * Having per-table snippets with actual rules, again with the table
name prefixed to the snippet name

- iptables and ip6tables have their own iptables-restore and
ip6tables-restore respectively, so you need two sets of snippets, one
for ipv4 and one for ipv6. Although 90% of your rules will probably
look identical, there are subtle nuances so I would stress not to try
and use the same rules-file for iptables and ip6tables.

- fail2ban [1] and other similar tools that add their own chains have
these chains wiped out when iptables-restore is run. My "firewall
activate" role fires a handler which restarts fail2ban for this
reason.

I wrote a small module [2] to help with making snippets in other roles
though, as using template or copy for it felt like exposing too much
implementation detail. I still supply the rule in a "raw" form, but
allow the module to abstract away a few things. This way I can just
set present/absent on it, specify the iptables version (4 or 6) as
well as the table (with a default of "filter"). In playbooks, it looks
like this:

- name: Open up firewall ports 80 and 443
  iptables:
    state: present
    ipversion: "{{ item.version }}"
    name: "{{ item.name }}"
    rules: "{{ item.rules }}"
  with_items:
   - name: 50_nginx
     version: 4
     rules: |
       -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
       -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
   - name: 50_nginx
     version: 6
     rules: |
       -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
       -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  when: nginx_firewall_integration|default(False)

Since in this case (usually it will be this way, but not always) the
rules for 4 and 6 are identical, it can also be condensed to:

- name: Open up firewall ports 80 and 443
  iptables:
    state: present
    ipversion: "{{ item }}"
    name: 50_nginx
    rules: |
       -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
       -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  with_items: [4,6]
  when: nginx_firewall_integration|default(False)


[1]: http://www.fail2ban.org
[2]: https://gist.github.com/zoni/7655561

--
Nick Groenen | zoni | @NickGroenen
https://zoni.nl | GnuPG/GPG key ID: 0xAB5382F6
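
Added example, not code from the message or from the linked gist: a Python helper that assembles table-prefixed snippets into iptables-restore input along the lines described above (per-table begin/end snippets, table name prefixed to each snippet name, one snippet set per IP version). The naming convention and the sample rules are assumptions; it also rejects a stray COMMIT inside a rule snippet, which would otherwise close the table block early.

```python
"""Assemble table-prefixed snippets into iptables-restore input.

Constructed example, not the module linked above. It mirrors the scheme in
the message: per-table begin/end snippets, table name prefixed to each
snippet name, one snippet set per IP version. Naming is an assumption.
"""
import re

TABLES = ("filter", "nat", "mangle", "raw", "security")  # order as listed
RULE_LINE = re.compile(r"^(-[A-Z]\b|#)")  # -A/-I/-N/... or a comment

def assemble(snippets):
    """Build iptables-restore text from {snippet_name: content}; only tables
    with a '<table>_begin' snippet are emitted, rules sorted by NN prefix."""
    out = []
    for table in TABLES:
        begin = snippets.get(f"{table}_begin")
        if begin is None:
            continue
        pat = re.compile(rf"^{table}_(\d+)_")
        names = sorted((n for n in snippets if pat.match(n)),
                       key=lambda n: (int(pat.match(n).group(1)), n))
        out.append(begin.strip())
        for name in names:
            for line in snippets[name].splitlines():
                line = line.strip()
                if not line:
                    continue
                # '*table' and COMMIT belong to begin/end snippets; a stray
                # COMMIT in a rule snippet would close the table early and
                # silently drop every rule after it.
                if not RULE_LINE.match(line):
                    raise ValueError(f"{name}: unexpected line {line!r}")
                out.append(line)
        out.append(snippets.get(f"{table}_end", "COMMIT").strip())
    return "\n".join(out) + "\n"

# Constructed IPv4 snippet set; the IPv6 set is a separate dict fed to a
# separate assemble() call whose output goes to ip6tables-restore.
V4_SNIPPETS = {
    "filter_begin": "*filter\n:INPUT DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n",
    "filter_10_base": "-A INPUT -i lo -j ACCEPT\n",
    "filter_50_nginx": "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n"
                       "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\n",
    "filter_end": "COMMIT\n",
    "nat_begin": "*nat\n:POSTROUTING ACCEPT [0:0]\n",
    "nat_5_masq": "-A POSTROUTING -o eth0 -j MASQUERADE\n",
}
```

Feed the result to `iptables-restore --test` before activating it, and keep the IPv6 set entirely separate as the message advises.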
