Ansible iptables best practices?

Submitted ⁨⁨1⁩ ⁨week⁩ ago⁩ by ⁨someacnt@sh.itjust.works⁩ to ⁨selfhosted@lemmy.world⁩

I am currently looking into ansibles to store my configurations and deploy services more easily. I have couple of iptable rules in /etc/iptables/rules.v4, which I can easily restore. Meanwhile, ansible has iptable role for configurations. How do I persist this rules, especially across reboots? Should I rerun ansible every time on each reboot? I am at loss on how to best manage iptables, as other services can interact with it. How do you folks handle this? Thanks in advance!

source

Comments

Sort:hotnew top

amp@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
I second the use of nftables instead. Optimally with a pre-made role like this one: galaxy.ansible.com/ui/…/documentation/

source
aksdb@lemmy.world ⁨1⁩ ⁨week⁩ ago
Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.

nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in /etc/nftables.conf, then I have a very simple systemd unit:

[Unit] Description=Restore nftables firewall rules Before=network-pre.target [Service] Type=oneshot ExecStart=/usr/sbin/nft -f /etc/nftables.conf ExecStop=/usr/sbin/nft flush table inet filter RemainAfterExit=yes [Install] WantedBy=multi-user.target

and finally if I push updates via ansible I simply replace the file and run nft -f /etc/nftables.conf (via ansible; on-change event).
source
- someacnt@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
  Thanks, but I looked up and learned to prefer the idempotence to be handled by ansible. Ansible support iptables by default, while nftables need a plugin, so iptables it is for me.
  
  source
possiblylinux127@lemmy.zip ⁨1⁩ ⁨week⁩ ago
You want something outside of IPtables like Firewalld. Ansible should only run to make changes to a existing system.

source
- vegetaaaaaaa@lemmy.world ⁨2⁩ ⁨days⁩ ago
  
  Ansible should only run to make changes to a existing system.
  
  No. Ansible is fine for provisioning and initial deployment.
  
  source
  - possiblylinux127@lemmy.zip ⁨2⁩ ⁨days⁩ ago
    I miss phrased this
    
    My existing system I mean some sort of Linux install. Don’t use Ansible to start a service on startup.
    
    source
irmadlad@lemmy.world ⁨1⁩ ⁨week⁩ ago
If I understand you want iptables to be persistent across reboots? Would the following be useful?:

apt-get update -y && apt-get install iptables-persistent -y service netfilter-persistent save

I have no clue about ansible as I have not explored that region of selfhosting yet. It’s on the list tho.
source
non_burglar@lemmy.world ⁨1⁩ ⁨week⁩ ago
Generally, you set up a rule + command playbook, where the command invokes the iptables-save command.

source
- DasFaultier@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
  Yeah, ansible.builtin.iptables makes the changes and the task then notifies a handler to invoke iptables-save.
  
  source
  - non_burglar@lemmy.world ⁨1⁩ ⁨week⁩ ago
    There’s a bunch of posts about the iptables-save function of the built-in iptables module not working in many cases, so I figured it was a safer bet to suggest the playbook include an actual command invocation.
    
    In my personal experience, the module doesnt actually save the persistent rule in about half the cases. I haven’t looked into it much, but it seems happen more on systems where systemd iptables-firewall is present. (Not trying to start a flame war)
    
    source
    -> View More Comments
ThugLaTaupe@lemmy.world ⁨1⁩ ⁨week⁩ ago
For your information, iptables should not be used anymore. It has been deprecated. Nowadays you should use nftables, it’s successor made by the same company.

source