Adding iptables Rules With Ansible

16th February 2014 - 4 minutes read time

Note: This post is over a year old and so the information contained here might be out of date. If you do spot something please leave a comment and we will endeavour to correct.

Many systems and applications require certain access to certain ports and protocols. When installing these systems using Ansible it is necessary to also open up the needed ports so that the systems can function correctly. As there is no iptables module in Ansible the shell command is needed to add the iptables rules.

As an example, here is a task that adds a iptables rule to allow Apache to communicate on port 80.

- name: Apache | add apache iptable rule
  command: /sbin/iptables -I INPUT 1 -p tcp --dport http -j ACCEPT -m comment --comment "Apache"
  sudo: true

Once this is in place you might need to save and/or restart iptables in order to get the rule to be permanently saved. The following two rules will save the iptables rule and restart the iptables service. Note that these commands are specific to Ubuntu and so might not work on your system setup.

- name: save iptables
  command: iptables-save
  sudo: true

- name: restart iptables
  service: name=ufw state=restarted
  sudo: true

This allows Apache to communicate, but the trouble is that when the Ansible task is run a second time a second iptables rule will be added. This can cause problems, especially when Ansible is run over and over again to maintain the configuration of the server. For this reason another step must be added to detect for the existence of the rule before it is added. This is done by using the shell module to print the available iptables rules out and store them into a variable. The Ansible keyword 'register' allows any returned value from the current task to be saved as a variable, in this case the variable registered is called 'iptablesrules'.

- name: Apache | get iptables rules
  shell: iptables -L
  register: iptablesrules
  sudo: true

With this in place we can now run the iptables insertion command only when we cannot find a rule that matches the one that we want to add. The find function is run on the iptablesrules.stdout parameter to find the word "Apache" within the contents. This matches the comment that was used in the iptables rule creation. and Here is the modified task.

- name: Apache | add apache iptable rule
  command: /sbin/iptables -I INPUT 1 -p tcp --dport http -j ACCEPT -m comment --comment "Apache"
  sudo: true
  when: iptablesrules.stdout.find("Apache") == -1

The only problem now is that when checking that an Ansible playbook will execute as expected (by using the --check flag) the added conditional will fail. This is because the iptablesrules variable that is generated is not done in this case and so Ansible will error and complain about a missing variable. The way around this it to force the iptables rules variable registry task to always run, even if we are in check mode. To do this we add the always_run flag to the task.

- name: Apache | get iptables rules
  shell: iptables -L
  register: iptablesrules
  always_run: yes
  sudo: true

Here is the entire playbook in full. Note that it is better practice to use create the iptables save and restart tasks as handlers and notify them from the needed tasks. This allows them to be reused when generating iptables rules for other services.

---
- name: Apache | get iptables rules
  shell: iptables -L
  register: iptablesrules
  always_run: yes
  sudo: true

- name: Apache | add apache iptable rule
  command: /sbin/iptables -I INPUT 1 -p tcp --dport http -j ACCEPT -m comment --comment "Apache"
  sudo: true
  when: iptablesrules.stdout.find("Apache") == -1

- name: save iptables
  command: iptables-save
  sudo: true

- name: restart iptables
  service: name= ufw state=restarted
  sudo: true

Comments

Permalink

Great! now there is a module to handle that http://docs.ansible.com/ufw_module.html

Permalink

It's also worth taking a look at Ferm[1] for managing iptables configuration. It remains a less than perfect solution, but It is possible to add firewall rules with each role. See http://wiki.gema-soft.de/doku.php?id=it-administration:tools:ansible:fe… for an example Ansible Ferm setup. [1] http://ferm.foo-projects.org/

Permalink

Great playbook, thanks for sharing. I just added

changed_when: false

to the "get iptables rules" task so that it does not report as changed when running the playbook.

- name: Apache | get iptables rules
  shell: iptables -L
  register: iptablesrules
  always_run: yes
  changed_when: false  # Never report as changed
  sudo: true

Permalink

I created a role to ease the process of using iptables with Ansible, check it out: https://github.com/mikegleasonjr/ansible-role-firewallThank you

Permalink

iptables-save doesn't save the iptables...

Permalink

Another way to do it... -name: Save iptables rules command: /sbin/service iptables save sudo: True

Add new comment

Related Content

Turn Off Fn Mode In Ubuntu Linux

I was typing on my Keychron K2 keyboard today and realised that I hadn't used the function keys at all. Not that I hadn't tried a few times, it's just that the function keys were linked to the media keys for the laptop I was using.

Repointing A Symlink To A Different Location

Creating a symlink is a common way of ensuring that the directory structure of a deployment will always be the same. For example you might create a symlink so that the release directory of release123/docroot will instead be just current. This is done using the ln command in the following way, the -s flag means that we use the ln (aka link) command to create a symbolic link.

Finding My Most Commonly Used Commands On Linux

I'm a proponent of automation, so when I find myself running the same commands over and over I always look for a way of wrapping that in an alias or script.

I spend a lot of my day to day job in the command line and I realised today that I must have typed 'git status' for the millionth time and wondered what my most commonly used commands were. So I found a stack overflow post showing my most used commands in a nice little bash one liner.

Grep Context

Grep is a really powerful tool for finding things in files. I often use it to scan for plugins in the Drupal codebase or to scan through a CSV or log file for data.

For example, to scan for user centric ViewsFilter plugins in the Drupal core directory use this command (assuming you are relative to the core directory).

grep "@ViewsFilter(\"user" -r core

The -r flag here recursively scans the 'core' directory. This command returns the following output.

Scanning Linux For Intrusion With RKHunter

RKHunter (or Root Kit Hunter) is a program that can be used to scan a Linux machine to see if there is anything there that might be a sign of a security breach. It will scan all of the files on the system and look out for any suspicious files or unexpected changes to system files that might indicate a security breach. Just like anti-virus systems it has a database of root kit definitions that it will use to compare files against to see if they are infected but will also just check for changes to core system files.

Some Useful Curl Snippets

Curl is an incredibly useful tool and has all sorts of flags and options available for every situation. I tend to use curl quite a lot for all kinds of stuff, and not just downloading large files. So I thought I would post a few of the most common things that I use the tool for. Note that most of the following URLs don't really exist, they are just for demo purposes. I have also left out the output of these commands as they vary from a few lines to many pages of output.