"CentOS has /etc/sysconfig/iptables if I knew iptables. "

Learning iptables config is not hard actually, nor is templating it.

It can be used for very complex things
(http://www.ex-parrot.com/pete/upside-down-ternet.html), but simple
accept/deny rules are straightforward.

You just write the iptables config file and then have to do /sbin/service
iptables restart to make it "apply".

Google "manage iptables" and you should be able to find some good examples.

I can't say I have any specific tutorials or references that I like, but
others may have some good ones.

So anyway, hopefully at least good for some encouragement!
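Putting the reply above (template the config file, then restart the iptables service) together with the notify-on-change and check-before-restart handler chain quoted further down the thread, as an added Ansible example that is not from any poster; the "centos" and "webservers" group names, the 10.0.0.0/8 management range and the availability of iptables-restore --test are assumptions.

```yaml
# Added example, not from any post in this thread: a Jinja2-templated
# /etc/sysconfig/iptables that is written only if it parses, then checked
# again before the iptables service is restarted (handler chain as in thread).
# Assumptions: hosts live in a "centos" group, "webservers" is a group name,
# 10.0.0.0/8 is the management range, iptables-restore supports --test.
- hosts: centos
  become: yes
  vars:
    ssh_allowed_from: 10.0.0.0/8
  tasks:
    - name: render /etc/sysconfig/iptables from group membership
      copy:
        dest: /etc/sysconfig/iptables
        owner: root
        group: root
        mode: "0600"
        # --test parses the candidate file without loading it, so a broken
        # ruleset is rejected before it replaces the saved one.
        validate: /sbin/iptables-restore --test %s
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          -A INPUT -p icmp -j ACCEPT
          -A INPUT -p tcp --dport 22 -s {{ ssh_allowed_from }} -j ACCEPT
          {% if 'webservers' in group_names %}
          -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
          {% endif %}
          -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
          COMMIT
      # Changed file -> check handler -> (only if the check passes) restart.
      notify: check iptables
  handlers:
    - name: check iptables
      command: /sbin/iptables-restore --test /etc/sysconfig/iptables
      notify: restart iptables
    - name: restart iptables
      service: name=iptables state=restarted
```

Because the default INPUT policy is DROP, the final LOG rule records what was refused, which is the first thing to look at when a host stops answering after a rule change.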




On Thu, Dec 11, 2014 at 9:41 PM, David Reagan <jer...@gmail.com> wrote:
>
> So, to resurrect an old topic... And remind myself why I like having a
> hardware firewall covering my behind...
>
> I've about figured out how to use the UFW module correctly. Which makes me
> happy.
>
> Unfortunately, I have to administer SLES and CentOS vm's as well. I was
> going to use the firewalld module, but then I couldn't find a firewalld
> package in the repos to install...
>
> That leaves me kind of hanging...
>
> CentOS has /etc/sysconfig/iptables if I knew iptables.
>
> Not sure if SLES has a decent command line interface I could use... It
> does use a GUI tool, and forces me to install a GUI on the server, so I
> might just run them manually...
>
> Anyway, apologies for the rambling, it's the end of the day for me. Here
> are my questions:
>
> Has anyone looked at creating an iptables module that would just work on
> all OS's that have Python and iptables? Maybe make the most common stuff
> easy, and then have a way for people to input a full iptables command? So
> people running simple stuff, like me, could make a task like
>
> iptables: ports="22,2222" proto="tcp,udp" allowed_from="10.0.0.0/8"
> allowed_to="everywhere"
>
> More complicated stuff could be:
>
> iptables: command="stuff that is currently gibberish to me"
>
>
> Micheal, you mentioned a config file, which one were you talking about?
>
>
> Is there a way to install firewalld that my google-fu missed? Or even ufw?
>
>
> Is there a really good introduction to iptables that you would recommend?
> Since the obvious route to solve my problem is to suck it up and learn
> iptables...
>
>
> Thanks!
>
> --David Reagan
>
> On Tue, Oct 8, 2013 at 8:09 AM, Michael DeHaan <mich...@ansibleworks.com>
> wrote:
>
>> Generally speaking, I like to do the following with iptables
>>
>> {% if 'webservers' in group_names %}
>>    section of iptables config for webservers
>> {% endif %}
>>
>> And just template the config file, and set up a notify to reload iptables
>> when it changes.
>>
>> I should also point out there is a firewalld module in the devel branch
>> now too.
>>
>>
>> On Tue, Oct 8, 2013 at 9:15 AM, Guillaume Subiron <maet...@subiron.org>
>> wrote:
>>
>>> I also think shorewall is a good way to deploy firewall configuration
>>> using ansible.
>>>
>>> I tried to use iptables-persistent, but shorewall allows you to split the
>>> rules in many files. Using run-parts in /etc/shorewall/rules, you can
>>> put any file in rules.d/.
>>>
>>> So in my "common" playbook, I only deploy common rules (close
>>> everything by default, allow ping and ssh). Then, each role can add
>>> some rules. The "webserver" role, for instance, adds a rule file to
>>> open HTTP and HTTPS ports.
>>>
>>> You just have to pay attention to the order in which the files will be
>>> executed.
>>>
>>> On 13/10/08 14:43, Kahlil Hodgson wrote:
>>> > I'm using shorewall for all my VMs.  It's kinda overkill for a single
>>> > nic, but I find it works quite well with ansible.
>>> > The configuration for VMs with a single nic is very basic.
>>> >
>>> > The files
>>> >
>>> >    shorewall.conf     (one setting changed from default)
>>> >    policy             (3 lines)
>>> >    zones              (2 lines)
>>> >    interfaces         (1 line)
>>> >
>>> > are somewhat trivial and identical across all VMs.
>>> >
>>> > The
>>> >
>>> >    rules              (3 - 10 lines)
>>> >
>>> > file is where the ingress and egress filtering is controlled and is
>>> > easily templated.
>>> >
>>> > I also 'chain' handlers as follows to ensure modifications don't leave
>>> > iptables in a bad state:
>>> >
>>> > tasks:
>>> >     ....
>>> >
>>> >     notify: check shorewall
>>> >
>>> >     ....
>>> >
>>> > handlers:
>>> >
>>> >     - name: check shorewall
>>> >       command: /sbin/shorewall check
>>> >       notify: restart shorewall
>>> >
>>> >     - name: restart shorewall
>>> >       action: service name=shorewall state=restarted
>>> >
>>> > I'm happy to provide some initial content to get you started.
>>> >
>>> > Cheers,
>>> >
>>> > K
>>> >
>>> > Kahlil (Kal) Hodgson                       GPG: C9A02289
>>> > Head of Technology                         (m) +61 (0) 4 2573 0382
>>> > DealMax Pty Ltd                            (w) +61 (0) 3 9008 5281
>>> >
>>> > Suite 1415
>>> > 401 Docklands Drive
>>> > Docklands VIC 3008 Australia
>>> >
>>> > "All parts should go together without forcing.  You must remember that
>>> > the parts you are reassembling were disassembled by you.  Therefore,
>>> > if you can't get them together again, there must be a reason.  By all
>>> > means, do not use a hammer."  -- IBM maintenance manual, 1925
>>> >
>>> >
>>> >
>>> > On Tue, Oct 8, 2013 at 1:49 PM, David Reagan <jer...@gmail.com> wrote:
>>> > > Yes, the firewall also manages internal DMZ's. We are protected
>>> > > quite well, adding the firewall to the VM's on our network is just
>>> > > one extra step to be as secure as possible.
>>> > >
>>> > > I do have a few VM's outside the main firewall, on those I'm
>>> > > currently using ufw.
>>> > >
>>> > > So the main point of my post was just to get a general idea of how
>>> > > others are managing firewalls with Ansible.
>>> > >
>>> > > --David Reagan
>>> > >
>>> > >
>>> > > On Mon, Oct 7, 2013 at 5:38 PM, Luke Tislow <luke.tis...@linux.com> wrote:
>>> > >>
>>> > >> I'd say whatever your external rules are will cover that, the rest
>>> > >> of the requirements should be on your internal side.
>>> > >>
>>> > >> Do you manage your internal networks and adjust firewalls?
>>> > >>
>>> > >> -luke
>>> > >>
>>> > >> On Oct 7, 2013 7:10 PM, "David Reagan" <jer...@gmail.com> wrote:
>>> > >>>
>>> > >>> So far I've found a few tools that let me manage linux firewalls.
>>> > >>>
>>> > >>> iptables
>>> > >>> ufw
>>> > >>> shorewall
>>> > >>> ferm
>>> > >>>
>>> > >>> I'm not skilled with any of them, and ufw is the only one I've
>>> > >>> really used. I know enough to block everything but the ports I
>>> > >>> actually use. I'm a bit fuzzy on firewalls because we have a very
>>> > >>> good hardware firewall in place that I don't manage. Adding
>>> > >>> firewalls to each VM is me being extra careful.
>>> > >>>
>>> > >>> Both iptables and ufw appear to operate by running commands on the
>>> > >>> command line. So I could do that via the command or shell module.
>>> > >>> That means I'd end up running the firewall commands every time I
>>> > >>> run my Ansible playbooks. And I think I'd end up restarting the
>>> > >>> firewall every time as well.
>>> > >>>
>>> > >>> Both of those things don't seem like good things to do. Am I right
>>> > >>> in that? Or would it be perfectly fine to run the commands and
>>> > >>> restart the firewall every time I run Ansible?
>>> > >>>
>>> > >>> Shorewall and ferm appear to use config files to set the rules,
>>> > >>> then they run the iptables commands for you from them. At least I
>>> > >>> think that's how they work. That would let me use templates for the
>>> > >>> config file. I like that. But I don't like how complicated the
>>> > >>> files are. Both projects' documentation is kind of hard to figure
>>> > >>> out where to start.
>>> > >>>
>>> > >>> I did find the start of a ufw module
>>> > >>> (https://groups.google.com/d/topic/ansible-project/I1Vd3oPBfFw/discussion),
>>> > >>> but it doesn't look like it's going anywhere.
>>> > >>>
>>> > >>> What other options are there? What do you do?
>>> > >>>
>>> > >>
>>> > >
>>> > >
>>> >
>>>
>>> --
>>> Guillaume Subiron
>>>   Mail - maet...@subiron.org
>>>    GPG - C7C4 455C
>>> Jabber - maet...@im.subiron.org
>>>    IRC - maethor@(freenode|geeknode)
>>>
>>>
>>
>>
>>
>> --
>> Michael DeHaan <mich...@ansibleworks.com>
>> CTO, AnsibleWorks, Inc.
>> http://www.ansibleworks.com/
>>
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzXbBt_KqE0ECE51m5U-178ineNX0q81%3DV41FwzEkujCw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
