ufw or iptables module

I’ve generally only needed to open up very specific ports on my hosts, nothing very complicated. For that I’ve used snippets like:

  - name: ensure PostgreSQL main port is open
    shell: iptables -D INPUT -p tcp --dport 5432 -j ACCEPT; iptables -I INPUT -p tcp --dport 5432 -j ACCEPT && iptables-save

It’s kinda clumsy since you have to drop the rule first so they don’t pile up. I’d love an iptables module that’d make this more elegant. For my needs it needn’t be very complex.
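An idempotent version of that task, added here as an example rather than taken from the post: it uses `iptables -C` to check whether the rule already exists instead of deleting and re-adding it, reports "changed" only when it actually inserted something, and redirects `iptables-save` to a file (plain `iptables-save` only prints to stdout). The persistence path `/etc/iptables/rules.v4` is an assumed Debian/Ubuntu location; the second form uses the `ansible.builtin.iptables` module that shipped in later Ansible releases.

```yaml
# Added example, not from the original post.
# Assumptions: POSIX /bin/sh for the shell module, and a Debian/Ubuntu-style
# /etc/iptables/rules.v4 path for persistence (adjust for your distro).

# "iptables -C" exits 0 if an identical rule is present, non-zero otherwise,
# so the insert only runs when the rule is missing and rules never pile up.
- name: ensure PostgreSQL main port is open (idempotent)
  shell: >
    iptables -C INPUT -p tcp --dport 5432 -j ACCEPT 2>/dev/null
    && echo present
    || { iptables -I INPUT -p tcp --dport 5432 -j ACCEPT && echo inserted; }
  register: pg_rule
  changed_when: "'inserted' in pg_rule.stdout"

# iptables-save writes to stdout; redirect it so the ruleset survives a reboot.
- name: persist the ruleset
  shell: iptables-save > /etc/iptables/rules.v4
  when: pg_rule is changed

# The same intent with the iptables module from later Ansible releases,
# which performs the existence check itself.
- name: ensure PostgreSQL main port is open (module form)
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "5432"
    jump: ACCEPT
    action: insert
    comment: allow PostgreSQL
```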