this post was submitted on 10 Apr 2025

27 points (96.6% liked)

Selfhosted

45966 readers

897 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Ansible iptables best practices? (sh.itjust.works)

submitted 1 week ago* (last edited 1 week ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world

19 comments fedilink hide all child comments

I am currently looking into ansibles to store my configurations and deploy services more easily.

I have couple of iptable rules in /etc/iptables/rules.v4, which I can easily restore. Meanwhile, ansible has iptable role for configurations - hence, I am confused on what approach to take.

How do I persist this rules, especially across reboots? Should I rerun ansible every time on each reboot? I am at loss on how to best manage iptables, as other services can interact with it. How do you folks handle this? Thanks in advance!

top 19 comments

sorted by: hot top controversial new old

[–] aksdb@lemmy.world 5 points 1 week ago* (last edited 1 week ago) (1 children)

Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.

nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in /etc/nftables.conf, then I have a very simple systemd unit:

[Unit]
Description=Restore nftables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush table inet filter
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

and finally if I push updates via ansible I simply replace the file and run nft -f /etc/nftables.conf (via ansible; on-change event).

Edit: oh and as an example how the actual rules file looks like:

#!/usr/bin/nft -f

add table inet filter
flush table inet filter

table inet filter {
  chain input {
    type filter hook input priority 0;

    # allow established/related connections
    ct state {established, related} accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # core services
    tcp dport {80, 443} accept comment "allow http(s)"
    udp dport 443 accept comment "allow http3"

    # everything else
    reject with icmpx type port-unreachable
  }

}

and with that I have my ipv4+6 firewall that allows pings and http

[–] someacnt@sh.itjust.works 1 points 1 week ago

Thanks, but I looked up and learned to prefer the idempotence to be handled by ansible. Ansible support iptables by default, while nftables need a plugin, so iptables it is for me.

[–] amp@sh.itjust.works 4 points 1 week ago

I second the use of nftables instead. Optimally with a pre-made role like this one: https://galaxy.ansible.com/ui/standalone/roles/ipr-cnrs/nftables/documentation/

[–] mhzawadi@lemmy.horwood.cloud 4 points 1 week ago (1 children)

I have used both, can tell you that a template file of /etc/iptables/rules.v4 with iptables-persistent is the easiest way.

if you go the full IaC route and have vars for the rules, remember to get iptables to save its state after you have applied your rules

[–] someacnt@sh.itjust.works 1 points 1 week ago (1 children)

Thank you! Templating rules.v4 is a pretty attractive option. Though my VPS has some portions of the file which should be unmodified, so I would have to avoid this method.

[–] mhzawadi@lemmy.horwood.cloud 2 points 1 week ago (1 children)

That's the point of the template, you change the bits the need change and the bits that are static get templated

[–] someacnt@sh.itjust.works 1 points 6 days ago* (last edited 6 days ago) (1 children)

How do I keep some of the existing firewall rules (which is dependent on host) in the remote file, and change the other parts?

[–] polarity_inverter@startrek.website 1 points 6 days ago (2 children)

You could either copy them to the top of your template, or you could take a look at the blockinfile module

[–] someacnt@sh.itjust.works 1 points 6 days ago

Thanks a lot! I will go with the blockinfile, sounds promising.

[–] mhzawadi@lemmy.horwood.cloud 1 points 6 days ago

The way I have my file, is a load of default stuff. Like block windows ports and allow SSH.

With a for loop that adds stuff for a specific host, like allow http/s for the web server.

[–] irmadlad@lemmy.world 2 points 1 week ago

If I understand you want iptables to be persistent across reboots? Would the following be useful?:

apt-get update -y && apt-get install iptables-persistent -y
service netfilter-persistent save

I have no clue about ansible as I have not explored that region of selfhosting yet. It's on the list tho.

[–] non_burglar@lemmy.world 2 points 1 week ago (1 children)

Generally, you set up a rule + command playbook, where the command invokes the iptables-save command.

[–] DasFaultier@sh.itjust.works 2 points 1 week ago (1 children)

Yeah, ansible.builtin.iptables makes the changes and the task then notifies a handler to invoke iptables-save.

[–] non_burglar@lemmy.world 1 points 1 week ago (1 children)

There's a bunch of posts about the iptables-save function of the built-in iptables module not working in many cases, so I figured it was a safer bet to suggest the playbook include an actual command invocation.

In my personal experience, the module doesnt actually save the persistent rule in about half the cases. I haven't looked into it much, but it seems happen more on systems where systemd iptables-firewall is present. (Not trying to start a flame war)

[–] DasFaultier@sh.itjust.works 1 points 6 days ago

Sorry for being unclear, that's what I meant. Set rules using the Ansible module, make them persistent by notifying a handler that makes a cmd call.

[–] possiblylinux127@lemmy.zip 1 points 1 week ago (1 children)

You want something outside of IPtables like Firewalld. Ansible should only run to make changes to a existing system.

[–] vegetaaaaaaa@lemmy.world 1 points 1 day ago (1 children)

Ansible should only run to make changes to a existing system.

No. Ansible is fine for provisioning and initial deployment.

[–] possiblylinux127@lemmy.zip 1 points 1 day ago* (last edited 1 day ago)

I miss phrased this

My existing system I mean some sort of Linux install. Don't use Ansible to start a service on startup.

[–] ThugLaTaupe@lemmy.world -1 points 1 week ago

For your information, iptables should not be used anymore. It has been deprecated. Nowadays you should use nftables, it's successor made by the same company.