4d ago

Ansible iptables best practices?

I am currently looking into ansibles to store my configurations and deploy services more easily.

I have couple of iptable rules in /etc/iptables/rules.v4, which I can easily restore. Meanwhile, ansible has iptable role for configurations - hence, I am confused on what approach to take.

How do I persist this rules, especially across reboots? Should I rerun ansible every time on each reboot? I am at loss on how to best manage iptables, as other services can interact with it. How do you folks handle this? Thanks in advance!

17 comments

I second the use of nftables instead. Optimally with a pre-made role like this one: https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/

Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.
nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in /etc/nftables.conf, then I have a very simple systemd unit:

[Unit] Description=Restore nftables firewall rules Before=network-pre.target [Service] Type=oneshot ExecStart=/usr/sbin/nft -f /etc/nftables.conf ExecStop=/usr/sbin/nft flush table inet filter RemainAfterExit=yes [Install] WantedBy=multi-user.target
and finally if I push updates via ansible I simply replace the file and run nft -f /etc/nftables.conf (via ansible; on-change event).
Edit: oh and as an example how the actual rules file looks like:

#!/usr/bin/nft -f add table inet filter flush table inet filter table inet filter { chain input { type filter hook input priority 0; # allow established/related connections ct state {established, related} accept # early drop of invalid connections ct state invalid drop # allow from loopback iifname lo accept # allow icmp ip protocol icmp accept ip6 nexthdr icmpv6 accept # core services tcp dport {80, 443} accept comment "allow http(s)" udp dport 443 accept comment "allow http3" # everything else reject with icmpx type port-unreachable } }
and with that I have my ipv4+6 firewall that allows pings and http
- Thanks, but I looked up and learned to prefer the idempotence to be handled by ansible. Ansible support iptables by default, while nftables need a plugin, so iptables it is for me.

You want something outside of IPtables like Firewalld. Ansible should only run to make changes to a existing system.

I have used both, can tell you that a template file of /etc/iptables/rules.v4 with iptables-persistent is the easiest way.
if you go the full IaC route and have vars for the rules, remember to get iptables to save its state after you have applied your rules
- Thank you! Templating rules.v4 is a pretty attractive option. Though my VPS has some portions of the file which should be unmodified, so I would have to avoid this method.
  
  That's the point of the template, you change the bits the need change and the bits that are static get templated

If I understand you want iptables to be persistent across reboots? Would the following be useful?:

apt-get update -y && apt-get install iptables-persistent -y service netfilter-persistent save
I have no clue about ansible as I have not explored that region of selfhosting yet. It's on the list tho.

Generally, you set up a rule + command playbook, where the command invokes the iptables-save command.
- Yeah, ansible.builtin.iptables makes the changes and the task then notifies a handler to invoke iptables-save.
  
  There's a bunch of posts about the iptables-save function of the built-in iptables module not working in many cases, so I figured it was a safer bet to suggest the playbook include an actual command invocation.
  In my personal experience, the module doesnt actually save the persistent rule in about half the cases. I haven't looked into it much, but it seems happen more on systems where systemd iptables-firewall is present. (Not trying to start a flame war)

For your information, iptables should not be used anymore. It has been deprecated. Nowadays you should use nftables, it's successor made by the same company.

17 comments