Sunday, November 17, 2013

Configure IPTables with Ansible.

If you need to configure IPTables on the fly using Ansible, this is a really quick way to do it (and requires no extra dependencies). This mechanism relies on the lineinfile module, which allows you to idempotently add/verify/remove lines of text inside a file. I then use with_items to list every protocol/port pair I want opened on the box.

* Note, this was validated on Ansible 1.4.0.


#
# This is an example Ansible playbook.
#
- hosts: all
  tasks:
    - name: Open the correct IPTables ports
      lineinfile: dest=/etc/sysconfig/iptables
                  regexp="^-A INPUT -p {{item.protocol}} -m {{item.protocol}} --dport {{item.port}} -j ACCEPT$"
                  line="-A INPUT -p {{item.protocol}} -m {{item.protocol}} --dport {{item.port}} -j ACCEPT"
                  insertafter="^:OUTPUT ACCEPT \[\d*:\d*\]$"
      with_items:
        - { protocol: tcp, port: 80 }
        - { protocol: tcp, port: 443 }
        - { protocol: tcp, port: 389 }
        - { protocol: tcp, port: 636 }
        - { protocol: tcp, port: 88 }
        - { protocol: tcp, port: 464 }
        - { protocol: tcp, port: 53 }
        - { protocol: udp, port: 88 }
        - { protocol: udp, port: 464 }
        - { protocol: udp, port: 53 }
        - { protocol: udp, port: 123 }
      notify:
        - restart iptables

  handlers:
    - name: restart iptables
      action: service name=iptables state=restarted

This is (admittedly) a very simple example, but you should be able to see the value in the approach and adapt it to more complex scenarios.
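To see what the task actually does to the file, here is a small Python model of the idempotent add/verify step. It is an added example, not part of the original post and not Ansible's own lineinfile code: it applies the playbook's regexp and insertafter anchor to a constructed /etc/sysconfig/iptables, runs the task twice to show that the second pass changes nothing, and then checks that every ACCEPT rule landed above the chain's terminal REJECT. The sample file content, the trimmed rule list and the helper names (line_in_file, apply_rules, unreachable_accepts) are assumptions.

```python
import re

# Constructed sample of a stock /etc/sysconfig/iptables (RHEL/CentOS 6 style),
# with the non-zero policy counters that "service iptables save" writes.
SAMPLE_IPTABLES = """*filter
:INPUT ACCEPT [12:345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:7654]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The with_items list from the playbook, trimmed to three entries.
RULES = [("tcp", 80), ("tcp", 443), ("udp", 53)]

# The insertafter anchor used in the playbook: \d*:\d* tolerates saved counters.
INSERT_AFTER = r"^:OUTPUT ACCEPT \[\d*:\d*\]$"


def line_in_file(lines, regexp, line, insertafter):
    """Simplified model (assumption) of lineinfile with state=present.

    If some line matches `regexp`, the last such line is replaced by `line`
    (no change when it is already identical). Otherwise `line` is inserted
    after the last line matching `insertafter`, or appended at EOF when
    nothing matches. Returns (new_lines, changed).
    """
    new = list(lines)
    hits = [i for i, l in enumerate(new) if re.search(regexp, l)]
    if hits:
        idx = hits[-1]
        if new[idx] == line:
            return new, False
        new[idx] = line
        return new, True
    anchors = [i for i, l in enumerate(new) if re.search(insertafter, l)]
    new.insert(anchors[-1] + 1 if anchors else len(new), line)
    return new, True


def apply_rules(text, rules, insertafter=INSERT_AFTER):
    """Run the playbook's task once over `text`; returns (new_text, changes)."""
    lines = text.splitlines()
    changes = 0
    for proto, port in rules:
        rule = f"-A INPUT -p {proto} -m {proto} --dport {port} -j ACCEPT"
        # Same anchored match as the playbook's regexp, escaped for safety.
        lines, changed = line_in_file(lines, "^" + re.escape(rule) + "$",
                                      rule, insertafter)
        changes += changed
    return "\n".join(lines) + "\n", changes


def unreachable_accepts(text):
    """INPUT ACCEPT rules that can never match: placed after the chain's
    terminal REJECT or after COMMIT (i.e. outside the filter table)."""
    lines = text.splitlines()
    cutoff = len(lines)
    for i, l in enumerate(lines):
        if (l.startswith("-A INPUT ") and " -j REJECT" in l) or l == "COMMIT":
            cutoff = i
            break
    return [l for l in lines[cutoff + 1:]
            if l.startswith("-A INPUT ") and l.endswith("-j ACCEPT")]


if __name__ == "__main__":
    once, n1 = apply_rules(SAMPLE_IPTABLES, RULES)
    twice, n2 = apply_rules(once, RULES)
    print(once)
    print(f"first run changed {n1} lines, second run changed {n2}")
    print("unreachable after first run:", unreachable_accepts(once))
    # Anchoring on a literal [0:0] misses the saved file, so the rules fall
    # to EOF, after COMMIT, and the check flags all of them.
    bad, _ = apply_rules(SAMPLE_IPTABLES, RULES,
                         insertafter=r"^:OUTPUT ACCEPT \[0:0\]$")
    print("unreachable with [0:0] anchor:", unreachable_accepts(bad))
```

Two things the model makes visible. Because each missing rule is inserted directly after the anchor, the rules end up at the top of the INPUT chain in reverse list order, which does not matter for a set of ACCEPT rules but does if you later mix DROP or REJECT rules into the same list. And the \d*:\d* in the anchor is what keeps it matching a file that service iptables save has rewritten with non-zero counters; anchoring on a literal [0:0] would send every new rule to the end of the file, after COMMIT, where iptables-restore does not load it as a filter rule, and the reachability check reports exactly that.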

Good luck!