We wrote a new module called iptables_raw (docs) to make it easy to manage iptables. The module has the following features:
- use iptables syntax to define rules
- keep iptables state
- order rules by weight
- support different iptables tables (filter, nat, raw, …)
- management of unmanaged rules
- ip6tables
- safe flushing of table rules
I wrote a blog post which explains how we use this module and how we manage iptables with it. Give it a read, try the module and tell us what you think; feedback would be much appreciated.
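An added example playbook that exercises the features listed above; it is not from the original post or from the module's own documentation. Of the task parameters it uses, only keep_unmanaged is named on this page; name, rules, weight, table and ipversion, and the assumption that a lower weight is applied before a higher one, are taken from my recollection of the module's docs and should be checked against them before use.

```yaml
# Added example (not the author's code). Parameter names other than
# keep_unmanaged are assumed from the module's documentation.
- hosts: all
  become: yes
  tasks:
    # Lowest weight, so these are applied first: accept loopback and
    # already-established traffic before any more specific rule, which
    # keeps an existing SSH session alive while the rest is applied.
    - name: Baseline accept rules
      iptables_raw:
        name: baseline
        weight: 10
        rules: |
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Plain iptables syntax, one rule per line; 10.0.0.0/24 is a
    # placeholder management network.
    - name: Allow SSH from the management network only
      iptables_raw:
        name: ssh_mgmt
        weight: 20
        rules: |
          -A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT

    # Highest weight, so the default deny lands after every accept rule
    # no matter where in the playbook the tasks are written.
    # keep_unmanaged: no drops every rule that is not in the module's
    # state file; only use it when nothing else on the host writes
    # iptables rules, otherwise those rules silently disappear.
    - name: Drop everything else
      iptables_raw:
        name: default_drop
        weight: 90
        keep_unmanaged: no
        rules: |
          -A INPUT -j DROP

    # The same module manages the other tables via `table`.
    - name: Masquerade the internal network
      iptables_raw:
        name: masquerade
        table: nat
        rules: |
          -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

    # ip6tables rules are selected with ipversion; a loopback accept is
    # the minimum an IPv6 host needs.
    - name: IPv6 loopback
      iptables_raw:
        name: loopback_v6
        ipversion: 6
        rules: |
          -A INPUT -i lo -j ACCEPT
```

Run it with `ansible-playbook` as you would any playbook. The weights are what make this safe to re-run and to extend: a new accept rule added later with a weight below 90 is always placed ahead of the default drop, and the baseline task at weight 10 means a mistake in a middle rule cannot cut off the session that is applying it.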
Kudos on saving the state and providing locking around that state. As long as you can ensure that this module is the only thing manipulating iptables on the hosts you are managing, then there should be no issues. In the project I work on, we don't have that guarantee, so we work around it by adding a chain to minimize the possibility of conflicts with other services managing iptables. It doesn't completely solve the issue, but it has improved reliability in practice.
The module saves a complete state in /etc/ansible-iptables and we do locking, so it doesn’t matter that much if someone fiddles around with the active iptables rules or changes the /etc/sysconfig/iptables file, since the first time this module is called the whole state is recreated from the state file and all rules are restored (and if keep_unmanaged=no, all unmanaged/foreign rules are dropped as well).
Of course if someone deletes the state file in /etc/ansible-iptables you would lose all your rules until you run all iptables_raw tasks, but you shouldn’t need to touch that directory ever.