iptables doesn't persist

I’m trying to get iptables https://github.com/brainpage/ansible-library running, and while an individual rule seems to work OK, specifying multiple ones seems to “forget” the previous changes.

E.g., if I run:

- hosts: test
  user: root

  tasks:
  - name: iptables allow $item
    action: iptables chain=INPUT tdport=$item mstate=NEW,ESTABLISHED
    with_items:
    - ssh
    - http
    - https
  - name: iptables policy $item
    action: iptables policy=$item target=DROP
    with_items:
    - INPUT
    - FORWARD
    - OUTPUT

Then the only visible effect after running the playbook will be the OUTPUT having a DROP policy. If I inspect it during the run however (with ipchains -L), I can see each one taking effect in turn, but they don’t persist.

Any ideas? I raised https://github.com/brainpage/ansible-library/issues/1 .

Whenever I manage iptables, I've always been a fan of just templating the whole config file, running the service load command, and keeping it simple.

Why that module is acting weird is probably a question for Jonathan, since he wrote it, and it's not in core (mostly for those reasons above). Of course, that can work for some people too.

I think managing iptables a line at a time, because chain order really really matters -- is probably not a good idea for most people -- the config file depends too much on context.

It is seductive to let lots of different modules contribute iptables rules to a conf.d file though, run 'assemble' on it, and then use that as your iptables config. Ansible COULD do that, but if you know exactly what you want the config to be, I'd just push the config file and load it.

Hope that helps...

--Michael
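Michael's "template the whole file and load it" approach in concrete form, as an added example that is not code from this thread or from the brainpage module: one playbook renders the complete ruleset in iptables-save format, checks it with iptables-restore --test before it replaces /etc/sysconfig/iptables (the CentOS 6 path), and restarts the service only when the file changed. The variable name iptables_allow_tcp, its port list, and the use of current Ansible task syntax (rather than the 2012 action= form above) are assumptions.

```yaml
- hosts: test
  user: root
  vars:
    # Assumed per-host variable: TCP ports this host should accept.
    # The list below is a constructed sample.
    iptables_allow_tcp: [22, 80, 443]
  tasks:
    - name: render the complete ruleset (order is fixed by the file, not by task order)
      copy:
        dest: /etc/sysconfig/iptables
        owner: root
        group: root
        mode: "0600"
        # Reject the whole change if the ruleset does not parse, so a typo
        # never leaves the host with a half-loaded or empty firewall.
        validate: "iptables-restore --test %s"
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          {# OUTPUT stays ACCEPT here; a DROP policy on OUTPUT needs its own
             explicit allow rules (lo, ESTABLISHED,RELATED, DNS, ...) or the
             host cannot even answer the connections admitted below. #}
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
          -A INPUT -p icmp -j ACCEPT
          {% for port in iptables_allow_tcp %}
          -A INPUT -p tcp --dport {{ port }} -m state --state NEW -j ACCEPT
          {% endfor %}
          -A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
          COMMIT
      notify: reload iptables
  handlers:
    # Runs once at the end of the play, and only if the file changed,
    # so repeated runs are idempotent.
    - name: reload iptables
      service:
        name: iptables
        state: restarted
```

The whole file is replaced atomically on every load, so nothing done by an earlier task can be "forgotten" by a later one; the LOG rule before the implicit DROP gives a record of what the policy is rejecting.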

OK, will go that way. I like the “keep it simple” theme here :)

Thanks again,

Mark -
The motivation (and my use case) for that module is that I have lots of different services that require opening various ports (mostly tcp) and many servers are running a different combination of services. I liked having all of the “setup” code for each service (install/configs/monit/iptables/etc.) in one task file. Unlike Michael, after about twenty if-thens in an iptables template, I just found that method too unwieldy for my taste.

I set up a base iptables template with the more complex rules and then use that module for simple additions. If you only have a simple iptables setup (or disagree with me:)) then certainly use a template. Otherwise, it works for me on CentOS6. Feel free to send me an email if you want to debug and I’ll give you my Skype.

On Sunday, 2 September 2012 17:01:45 UTC+2, Jonathan Palley wrote:

At the risk of getting substantially off topic, there’s some middle ground with tools like ferm[1], that have easily templateable config files which can be split into multiple files. IMHO, ferm is particularly nice because it doesn’t force anything about your firewall rules (it’s essentially a preprocessor). So, setting up a service would require dropping a firewall config snippet into a directory and reloading the ferm service.

Best regards,
Grzegorz Nosek

  1. http://ferm.foo-projects.org/