iptables module initial stab

All -
I’ve posted an iptables module here:

https://github.com/brainpage/ansible-library

The module has undergone a certain amount of tests; however, I wanted to solicit any input (API, design) from the community before we modify our playbooks to use this and properly verify the module. We will post a number of examples in a few days.

The module works by reading the output of iptables-save, parsing (and saving to /etc/sysconfig/iptables) and then reloading with iptables multi.

The commented description of how to use the module is below. Appreciate thoughts!

Thanks -
JP

This is an opinionated iptables module. Opinionated because as long as you stay within its “opinions” it is idempotent.

It is designed primarily for specific task lists/playbooks to add or remove rules.

You can’t do complex chains and ordering. You CAN make sure ports are open or closed based on what is running on the server.
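The rule check described above, as an added example that is neither the module's own code nor part of the original thread: it parses iptables-save output, reports whether a rule is already in a chain of a table, and adds or removes it only when the saved ruleset does not already match. The function names, the constructed sample ruleset and the append-at-end-of-chain placement are assumptions; writing the result to /etc/sysconfig/iptables and reloading it is left out.

```python
# Constructed iptables-save output (not captured from a real host).
SAMPLE_SAVE = """# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def _norm(text):
    """Collapse whitespace so cosmetic spacing differences do not defeat the match."""
    return " ".join(text.split())

def rule_present(save_text, table, chain, spec):
    """True if '-A <chain> <spec>' already exists in <table> of the saved ruleset."""
    target, current = _norm(f"-A {chain} {spec}"), None
    for line in save_text.splitlines():
        if line.startswith("*"):              # '*filter', '*nat', ... open a table
            current = line[1:].strip()
        elif current == table and _norm(line) == target:
            return True
    return False

def ensure_rule(save_text, table, chain, spec, state="present"):
    """Return (new_save_text, changed); a no-op when the desired state already
    holds, which is what makes a task idempotent. A new rule is appended after
    the chain's last rule (before COMMIT if the chain is empty): no ordering
    control, which is the trade-off the module description calls out."""
    assert state in ("present", "absent"), "state must be 'present' or 'absent'"
    if (state == "present") == rule_present(save_text, table, chain, spec):
        return save_text, False
    target, kept, current, insert_at = _norm(f"-A {chain} {spec}"), [], None, None
    for line in save_text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
        if current == table:
            if state == "absent" and _norm(line) == target:
                continue                      # drop the rule
            if line.startswith(f"-A {chain} "):
                insert_at = len(kept) + 1     # slot right after this rule
            elif line == "COMMIT" and insert_at is None:
                insert_at = len(kept)         # empty chain: slot before COMMIT
        kept.append(line)
    if state == "present":
        if insert_at is None:
            raise ValueError(f"table {table!r} not in iptables-save output")
        kept.insert(insert_at, target)
    return "\n".join(kept) + "\n", True
```

Because a new rule always lands at the end of the chain, a rule appended after a terminating REJECT or DROP would never match; that is the ordering limitation the description warns about.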

I've always liked the idea of managing iptables from a single template, and then using the save/load functionality; that way you're not stuck with knowing what things happened on a system outside of config management, and things can be 100% declarative.

Using the new "assemble" module to build iptables configs (available in the core starting with 0.5) from files may also be reasonable.

The problem I was having with one big template - which I suppose is more stylistic than technical - is I wanted to put the iptables rules configuration inline with the software/package setup. i.e. we have a tasks/install_erlang.yml and I want the iptables config for erlang to be in that file. The motivation for this was we have two clusters with different playbooks but 50% shared task files. I found myself going through the iptables template of one and copying to the other, as well as adding new setup tasks into our “shared” tasks repository but then adding the correct iptables rules in each template - rather breaking DRY… and just annoying :).

I would argue the technique above is fundamentally the same as using the “assemble” module: it's not generating an iptables but rather just checking whether rules are or are not in a certain place in the config.