I would like to deploy iptables rules in a "safe" way using ansible, where by "safe" I mean something like the shorewall command safe-restart.

So I'm looking for a workflow like this:

  1. install the new rules;
  2. wait for 30 seconds for a confirmation from the user (or, in our case, from the machine executing the playbook);
  3. if the user confirms then make them permanent, otherwise restore the old rules.

My goal is to avoid losing control of my machines because of a wrong firewall configuration (that may, for example, block SSH).

Enrico Polesel

3 Answers

That's what iptables-apply does. From its man page on my Debian:

iptables-apply will try to apply a new rulesfile (as output by iptables-save, read by iptables-restore) or run a command to configure iptables and then prompt the user whether the changes are okay. If the new iptables rules cut the existing connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous working iptables rules after the timeout expires.

Since ansible is agentless, it would need to open a new connection (or re-use an existing one, if configured properly) to the host in order to restore the state.

If the changes to the firewall in the current step would not allow the next connection to succeed, there is obviously no way to recover.

Thus you have to put a test-and-recover task on the host itself, which would try to apply the new rules and then wait to see whether the next step of the playbook has succeeded (typically you need at least SSH to be accessible, so the testing step of the playbook could be just killing that script before it restores the previous ruleset). It can also do some self-originating testing, of course.

Summary: plant a script that would not only apply the rules but also roll them back in case those rules cause a connectivity regression.

Straightforward approach using iptables-apply:

  1. Run it detached (with screen or tmux or whatever) with the new ruleset
  2. Kill it in the following play step before it rolls back the firewall to the previous ruleset
poige
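A concrete version of the apply-then-confirm script that the two answers above describe (run detached, then confirmed from the next play step), added here as an example: it is not iptables-apply and not code from either answer. The script name `safe-apply.sh`, the confirmation-file protocol (default path `/run/iptables-safe-apply.confirm`) and the `IPT_SAVE`/`IPT_RESTORE` overrides are this example's own assumptions. Compared with poige's kill-to-confirm variant, confirmation here is a file that the controller creates over a fresh SSH connection, and an unexpected kill rolls back instead of keeping the new rules (fail closed).

```shell
#!/bin/sh
# safe-apply.sh: load an iptables ruleset, then roll back to the previous
# one unless a confirmation file shows up within a timeout.
# Example written for this thread; it is not iptables-apply and not code
# from the answers. The confirmation-file protocol and the IPT_SAVE /
# IPT_RESTORE overrides are this example's own conventions (assumptions).
#
# IPT_SAVE / IPT_RESTORE are overridable so the control flow can be
# exercised without root or a live netfilter (a test can point them at
# shell functions that read/write a plain file instead).
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# safe_apply RULES_FILE CONFIRM_FILE TIMEOUT_SECONDS
# Exit status: 0 = confirmed, new rules kept; 1 = rolled back to the old
# rules (no confirmation in time, or the new file failed to load);
# 2 = refused before touching the live tables (unreadable/unparsable file).
safe_apply() {
    rules=$1
    confirm=$2
    timeout=${3:-30}

    [ -r "$rules" ] || { echo "safe_apply: cannot read $rules" >&2; return 2; }

    # A confirmation left over from an earlier run must not count.
    rm -f "$confirm"

    # Parse-only check (iptables-restore --test) so that a syntactically
    # broken file is rejected before anything is committed to the kernel.
    if ! $IPT_RESTORE --test < "$rules"; then
        echo "safe_apply: $rules does not parse, nothing changed" >&2
        return 2
    fi

    backup=$(mktemp) || return 2
    if ! $IPT_SAVE > "$backup"; then
        rm -f "$backup"
        return 2
    fi

    # Fail closed: if something kills us while we wait, put the old rules back.
    trap 'echo "safe_apply: interrupted, rolling back" >&2; $IPT_RESTORE < "$backup"; rm -f "$backup"; exit 1' INT TERM HUP

    if ! $IPT_RESTORE < "$rules"; then
        echo "safe_apply: loading $rules failed, rolling back" >&2
        $IPT_RESTORE < "$backup"
        rm -f "$backup"
        trap - INT TERM HUP
        return 1
    fi

    # New rules are live. Wait for the controller to come back over a fresh
    # connection and create the confirmation file.
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm" "$backup"
            trap - INT TERM HUP
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done

    echo "safe_apply: no confirmation within ${timeout}s, rolling back" >&2
    $IPT_RESTORE < "$backup"
    rm -f "$backup"
    trap - INT TERM HUP
    return 1
}

# Entry point when executed directly (not when sourced):
#   safe-apply.sh /path/to/new.rules [/run/iptables-safe-apply.confirm] [30]
if [ "${0##*/}" = "safe-apply.sh" ]; then
    safe_apply "$1" "${2:-/run/iptables-safe-apply.confirm}" "${3:-30}"
fi
```

On the Ansible side, the first task ships the rules file and starts the script with `ansible.builtin.shell` using `async` and `poll: 0`, so the play does not block on it; the next task, which needs a fresh SSH connection through the new rules, is `ansible.builtin.file` with `state: touch` on the confirmation path. If that task cannot connect, nothing creates the file and the script restores the saved ruleset on its own. One caveat on the rollback: iptables-restore only rewrites the tables present in its input, so a new ruleset that introduces a table the backup did not contain (nat, for example) leaves that table populated after the rollback; flushing it explicitly is a worthwhile extension. Persisting the confirmed rules (iptables-save into the distribution's rules file) is left to a later task.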

Find an out-of-band way to reboot the host. Use a firewall where saving state is optional, such as the firewalld Ansible module. The first time testing the play, run it with permanent: False. If necessary, use the console or reboot the host to get it back. Once proven that works, switch to permanent: True.

One alternative is to temporarily schedule a revert of firewall rules in the future, such as with at, which also has an Ansible module. I do not like this implementation as much, because the scheduled command is just a shell script, and not a module directly verifying configuration.

John Mahowald