Hi All,
I hope you can help me with this problem.
There are 50 different servers, each of them has a different iptables firewall and rules. I want them to be managed by Ansible. My idea is to create a csv file, like this:
hostname/ip, iptablesrule
testmachine05, iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
testmachine01, iptables -A INPUT -p tcp --dport 80 -j ACCEPT
testmachine10, iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
I would use iptables_raw module to apply the rules. (http://blog.nordeus.com/files/libraryblog/articles/managing-iptables-with-ansible/iptables_raw.html)
For example:
Hi All,
I hope you can help me with this problem.
There are 50 different servers, each of them has a different iptables
firewall and rules. I want them to be managed by Ansible. My idea is to
create a csv file, like this:
I highly recommend against a csv file if you can choose.
Make a variable/variable files is a lot easier to deal with.
hostname/ip, iptablesrule
testmachine05, iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
testmachine01, iptables -A INPUT -p tcp --dport 80 -j ACCEPT
testmachine10, iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
I would use iptables_raw module to apply the rules. (http://blog.nordeus.com/files/libraryblog/articles/managing-iptables-with-ansible/iptables_raw.html)
For example:
---
- hosts: all    # << change this with variable from csv first column (e.g. testmachine05, testmachine10, etc.)
  tasks:
    - iptables_raw:
        name=allow_tcp_80
        rules='-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'    # << change this with variable from csv second column
In order to make the process of rule addition easier, is it possible to
have Ansible run through the csv file and collect its content into
variables?
Something like this is a better alternative IMHO.
Have a look at
https://galaxy.ansible.com/detail#/role/5878
(https://github.com/mikegleasonjr/ansible-role-firewall)
I used this in my setup. Basically you set up three different lists,
one for the default rules (each server has port 22 open), the group
rules (each server in 'webservers' needs 80 and 443) and host rules
(this server also needs this and that port).
The rules get loaded so that more specific rules can (but do not have
to) overwrite more general rules; otherwise they get merged.
Johannes
Hi!
Thanks for the advice, I like it. But, I have a syntax error with this:
In this case, I would have to update a lot of files, because there are a lot of different rules on each server.
But, I have another project, where I will use this solution.
Thanks!
- On Wednesday, January 18, 11:04:37 UTC+1, Johannes Kastl wrote:
If your existing files have valid iptables syntax, then this
conversion should be scriptable...
Johannes
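The conversion Johannes describes, and the original question of getting the csv content into Ansible variables, can be done with a small script. The following is an added example, not code from this thread or from the iptables_raw module's author: it assumes the two-column csv layout from the first post (hostname, full iptables command), writes one host_vars file per host (emitted as JSON, which Ansible's YAML loader reads as-is), and emits a hypothetical firewall.yml playbook that loops over those rules with the third-party iptables_raw module. The sample csv below is constructed from the rules in the post. Because the second column ends up as arguments to iptables on every server, the script accepts only rule-adding actions and rejects shell metacharacters, so a stray -F or a tampered line fails at conversion time rather than on the hosts.

```python
import json
import shlex

# Constructed sample in the csv layout from the original post (hostname, iptables command);
# one host may appear on several lines.
SAMPLE_CSV = """hostname/ip, iptablesrule
testmachine05, iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
testmachine01, iptables -A INPUT -p tcp --dport 80 -j ACCEPT
testmachine10, iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
testmachine01, iptables -A INPUT -p tcp --dport 443 -j ACCEPT
"""

# Only rule-adding actions are accepted; a "-F" or "-X" that slipped into the csv
# must not flush a production firewall when the playbook runs.
ALLOWED_ACTIONS = {"-A", "--append", "-I", "--insert", "-N", "--new-chain"}
SHELL_METACHARS = set(";|&$`<>\n")

# Playbook that consumes the generated host_vars (hypothetical file name firewall.yml;
# iptables_raw is the third-party module from the thread, not a core Ansible module).
PLAYBOOK = """---
- hosts: all
  become: yes
  tasks:
    - name: Apply per-host iptables rules from host_vars
      iptables_raw:
        name: "{{ item.name }}"
        rules: "{{ item.rules }}"
      with_items: "{{ iptables_rules | default([]) }}"
"""


def parse_rule(command):
    """Validate 'iptables -A ...' and return just the arguments iptables_raw expects.

    Raises ValueError for anything that is not a plain rule-adding iptables
    command, so a malformed or tampered csv line fails here instead of on the host.
    """
    tokens = shlex.split(command)  # understands the quoted "Denied UDP: " prefix
    if len(tokens) < 3 or tokens[0] not in ("iptables", "ip6tables"):
        raise ValueError("not an iptables command: %r" % command)
    if tokens[1] not in ALLOWED_ACTIONS:
        raise ValueError("unsupported action %r in %r" % (tokens[1], command))
    if any(SHELL_METACHARS & set(tok) for tok in tokens):
        raise ValueError("shell metacharacter in %r" % command)
    # Keep the original spacing and quoting; only the leading binary name is dropped.
    return command.strip()[len(tokens[0]):].strip()


def csv_to_host_vars(text):
    """Group the csv (header line first) by hostname.

    Splits each line on the first comma only, so a rule such as
    '--dports 80,443' keeps its comma. Returns {hostname: [{'name', 'rules'}, ...]}
    with names numbered in file order, which is the order the rules are applied in.
    """
    per_host = {}
    lines = [line for line in text.splitlines() if line.strip()]
    for line in lines[1:]:  # skip the header
        host, sep, command = line.partition(",")
        host = host.strip()
        if not sep or not host or not command.strip():
            raise ValueError("malformed csv line: %r" % line)
        rules = per_host.setdefault(host, [])
        rules.append({"name": "rule_%02d" % (len(rules) + 1), "rules": parse_rule(command)})
    return per_host


def render_files(per_host):
    """Return {relative path: file contents} ready to write into the inventory directory.

    host_vars are emitted as JSON, which is valid YAML, so no extra library is needed
    and the embedded double quotes in rules are escaped correctly.
    """
    files = {"firewall.yml": PLAYBOOK}
    for host, rules in sorted(per_host.items()):
        files["host_vars/%s.yml" % host] = json.dumps({"iptables_rules": rules}, indent=2) + "\n"
    return files


if __name__ == "__main__":
    for path, body in render_files(csv_to_host_vars(SAMPLE_CSV)).items():
        print("==> %s" % path)
        print(body)
```

Run it once against the real csv, write the returned files next to the inventory, and the playbook picks up each host's rules from host_vars without any csv parsing at play time. Rules that reference a custom chain (LOGNDROP in the sample) need a -N rule for that chain earlier in the same host's list, which the script accepts but does not add for you.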
The indentation is wrong, the dash should be indented to the same level as tasks:
- hosts: all
  tasks:
  - iptables_raw:
https://docs.ansible.com/ansible/playbooks_intro.html#playbook-language-example
That's not correct, both of them work in Ansible.
This message appears if the module iptables_raw is not installed.
Since iptables_raw is not part of Ansible I guess the user hasn't installed it.
That's not correct, both of them work in Ansible.
I found no mention of this syntax when fast-reading the docs. So: Good
to know.
This message appears if the module iptables_raw is not installed.
Since iptables_raw is not part of Ansible I guess the user hasn't
installed it.
Too bad ansible does not throw a useful error...
Johannes
This is the right answer, thanks. The module was in the wrong folder. Now everything is OK.
Thanks for everyone.
- On Friday, January 20, 16:26:58 UTC+1, Kai Stian Olstad wrote: