iptables, new chains, marking

Marc_Singer · September 21, 2019, 12:53am

Greetings,

I’m working to reimplement an existing firewall using the iptables module. I’m not seeing a command to create (or make to exist) a chain. Seems like this would be a relatively normal thing to do. Of course, I can create it elsewise since it only needs to be done once. Still, is there harm in it?

I also don’t see commands to handle marking. The match option is present, but I also need the ctorigdst/ctorigsrc and other options.

So, is the best way to work around this to simply issue the commands with “command”?

Cheers

vbotka · September 21, 2019, 3:42am

Yes. In fact, that's what iptable module recommends:

"This module just deals with individual rules.If you need advanced chaining
of rules the recommended way is to template the iptables restore file."
https://docs.ansible.com/ansible/latest/modules/iptables_module.html#notes

For example 1) create a template and 2) restore the iptables with a handler

  - template:
      src: "iptables.j2"
      dest: "/etc/network/iptables"
      owner: "root"
      group: "root"
      mode: "0644"
    notify: reload iptables

- name: reload iptables
shell: "/sbin/iptables-restore < /etc/network/iptables"

The next option would be ufw
https://docs.ansible.com/ansible/latest/modules/ufw_module.html

Cheers,

-vlado

Topic		Replies	Views
ufw or iptables module Ansible Project ansible-project	10	0	April 23, 2014
ufw or iptables module Ansible Project	7	0	September 15, 2013
Iptables rule --set Get Help playbook	4	73	October 25, 2024
New iptables module questions Ansible Developer	6	0	May 13, 2015
iptables module initial stab Ansible Project	2	0	July 6, 2012

iptables, new chains, marking

Related topics