Comment on Ansible iptables best practices?
aksdb@lemmy.world 1 week ago
Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.
nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in /etc/nftables.conf, then I have a very simple systemd unit:
[Unit]
Description=Restore nftables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush table inet filter
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
and finally if I push updates via ansible I simply replace the file and run nft -f /etc/nftables.conf (via ansible; on-change event).
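The push-the-file-then-reload flow described above, written out as an added example play (not aksdb's playbook): the ruleset is a constructed sample, `firewalls` is an assumed host group, the unit name `nftables` is assumed to match whatever restores the rules at boot, and `validate` runs `nft -c` on the candidate file so a file with a syntax error is never copied over the live one.

```yaml
# Added example: push an nftables ruleset with Ansible, check it before it
# lands, and reload it only when the file actually changed.
- name: Manage nftables firewall
  hosts: firewalls            # assumed inventory group
  become: true
  tasks:
    - name: Install nftables ruleset (constructed sample policy)
      ansible.builtin.copy:
        dest: /etc/nftables.conf
        owner: root
        group: root
        mode: "0600"
        # `nft -c` parses the candidate file without loading it; if parsing
        # fails the task fails and /etc/nftables.conf is left untouched.
        validate: /usr/sbin/nft -c -f %s
        content: |
          #!/usr/sbin/nft -f
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              iif lo accept
              ct state established,related accept
              ct state invalid drop
              tcp dport 22 accept
              ip protocol icmp accept
              ip6 nexthdr icmpv6 accept
            }
            chain forward { type filter hook forward priority 0; policy drop; }
            chain output  { type filter hook output priority 0; policy accept; }
          }
      notify: Reload nftables

    - name: Enable the unit that restores the rules at boot (assumed unit name)
      ansible.builtin.systemd:
        name: nftables
        enabled: true
        state: started

  handlers:
    # Runs at most once per play, and only if the copy task reported "changed".
    - name: Reload nftables
      ansible.builtin.command: /usr/sbin/nft -f /etc/nftables.conf
```

Because the handler is the only place the live ruleset is touched, an unchanged file on a later run leaves the firewall alone, which is the idempotence the thread is after.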
someacnt@sh.itjust.works 1 week ago
Thanks, but I looked it up and learned to prefer the idempotence to be handled by ansible. Ansible supports iptables by default, while nftables needs a plugin, so iptables it is for me.