So I've been thinking through a clean way to build iptables rule sets
with some re-use between the debian/ubuntu/redhat/centos worlds, and this
is the strategy I've come up with in pseudocode:
in a common bootstrap role:
create /etc/sysconfig/iptables.d
in a debian/ubuntu bootstrap role:
install iptables-persistent, disable ufw
In any of your application roles, have a template or file with contents like:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6000:7999 -j ACCEPT
that gets dropped into /etc/sysconfig/iptables.d
In a "chinstrap" role (runs after all other roles), use the assemble
module to sum everything in /etc/sysconfig/iptables.d/ together and
place it in /etc/sysconfig/iptables (RedHat) or /etc/iptables/v4.rules
(Ubuntu), and notify a handler to restart iptables if the assembled
file has changed.
The tricky part was the ordering, but that seems ok -- the chinstrap
role creates a segment named 0000-begin that contains all the
necessary beginning entries for the iptables config, and zzzz-end that
contains the ending bits. Everything else gets merged in between
begin & end.
Does this sound kosher? It works in the technical sense. If only
firewalld existed in RHEL < 7.
- James
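The "chinstrap" role sketched above written out as Ansible tasks, as an added example that is not James's own playbook: the role path, segment contents and handler name are assumptions, and the assemble task uses the module's validate option (iptables-restore --test) so a malformed fragment from some application role is rejected before it can replace the live rules file.

```yaml
# roles/chinstrap/tasks/main.yml  (assumed path; example, not the original post's code)
# assemble concatenates files in sorted filename order, so 0000-begin lands
# first, zzzz-end last, and every application role's fragment in between.
- name: Write the begin segment (table header, default policies, baseline rules)
  copy:
    dest: /etc/sysconfig/iptables.d/0000-begin
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  notify: reload iptables

- name: Write the end segment (final reject and COMMIT)
  copy:
    dest: /etc/sysconfig/iptables.d/zzzz-end
    content: |
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      COMMIT
  notify: reload iptables

- name: Assemble all segments into the distribution's rules file
  assemble:
    src: /etc/sysconfig/iptables.d
    dest: "{{ '/etc/sysconfig/iptables' if ansible_os_family == 'RedHat' else '/etc/iptables/v4.rules' }}"
    # Parse the assembled file without committing it; if it fails, dest is left untouched.
    validate: "iptables-restore --test %s"
    backup: yes
    owner: root
    group: root
    mode: "0600"
  notify: reload iptables

# roles/chinstrap/handlers/main.yml  (assumed path)
- name: reload iptables
  service:
    name: iptables
    state: restarted
  when: ansible_os_family == 'RedHat'
```

Only a changed assembled file triggers the handler, so an unchanged run leaves the running rule set alone.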