I am currently looking into ansibles to store my configurations and deploy services more easily.
I have couple of iptable rules in /etc/iptables/rules.v4, which I can easily restore. Meanwhile, ansible has iptable role for configurations - hence, I am confused on what approach to take.
How do I persist this rules, especially across reboots? Should I rerun ansible every time on each reboot? I am at loss on how to best manage iptables, as other services can interact with it. How do you folks handle this? Thanks in advance!
- Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology. - nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in - /etc/nftables.conf, then I have a very simple systemd unit:- [Unit] Description=Restore nftables firewall rules Before=network-pre.target [Service] Type=oneshot ExecStart=/usr/sbin/nft -f /etc/nftables.conf ExecStop=/usr/sbin/nft flush table inet filter RemainAfterExit=yes [Install] WantedBy=multi-user.target- and finally if I push updates via ansible I simply replace the file and run - nft -f /etc/nftables.conf(via ansible; on-change event).- Edit: oh and as an example how the actual rules file looks like: - #!/usr/bin/nft -f add table inet filter flush table inet filter table inet filter { chain input { type filter hook input priority 0; # allow established/related connections ct state {established, related} accept # early drop of invalid connections ct state invalid drop # allow from loopback iifname lo accept # allow icmp ip protocol icmp accept ip6 nexthdr icmpv6 accept # core services tcp dport {80, 443} accept comment "allow http(s)" udp dport 443 accept comment "allow http3" # everything else reject with icmpx type port-unreachable } }- and with that I have my ipv4+6 firewall that allows pings and http - Thanks, but I looked up and learned to prefer the idempotence to be handled by ansible. Ansible support iptables by default, while nftables need a plugin, so iptables it is for me. 
 
- I have used both, can tell you that a template file of - /etc/iptables/rules.v4with- iptables-persistentis the easiest way.- if you go the full IaC route and have vars for the rules, remember to get iptables to save its state after you have applied your rules - Thank you! Templating rules.v4 is a pretty attractive option. Though my VPS has some portions of the file which should be unmodified, so I would have to avoid this method. - That’s the point of the template, you change the bits the need change and the bits that are static get templated - How do I keep some of the existing firewall rules (which is dependent on host) in the remote file, and change the other parts? - You could either copy them to the top of your template, or you could take a look at the blockinfile module - The way I have my file, is a load of default stuff. Like block windows ports and allow SSH. - With a for loop that adds stuff for a specific host, like allow http/s for the web server. 
- Thanks a lot! I will go with the blockinfile, sounds promising. 
 
 
 
 
 
- I second the use of nftables instead. Optimally with a pre-made role like this one: https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/ 
- Generally, you set up a rule + command playbook, where the command invokes the iptables-save command. - Yeah, - ansible.builtin.iptablesmakes the changes and the task then notifies a handler to invoke- iptables-save.- There’s a bunch of posts about the iptables-save function of the built-in iptables module not working in many cases, so I figured it was a safer bet to suggest the playbook include an actual command invocation. - In my personal experience, the module doesnt actually save the persistent rule in about half the cases. I haven’t looked into it much, but it seems happen more on systems where systemd iptables-firewall is present. (Not trying to start a flame war) - Sorry for being unclear, that’s what I meant. Set rules using the Ansible module, make them persistent by notifying a handler that makes a cmd call. 
 
 
 
- If I understand you want iptables to be persistent across reboots? Would the following be useful?: - apt-get update -y && apt-get install iptables-persistent -y service netfilter-persistent save- I have no clue about ansible as I have not explored that region of selfhosting yet. It’s on the list tho. 
- You want something outside of IPtables like Firewalld. Ansible should only run to make changes to a existing system. - Ansible should only run to make changes to a existing system. - No. Ansible is fine for provisioning and initial deployment. - I miss phrased this - My existing system I mean some sort of Linux install. Don’t use Ansible to start a service on startup. 
 
 
- For your information, iptables should not be used anymore. It has been deprecated. Nowadays you should use nftables, it’s successor made by the same company. 





