docker rules are flushed on each run

Open zerr0s opened this issue 5 years ago • 12 comments

Hello, forgive me for my bad English.

First, special thanks for your ansible roles. I use them everyday in my pipelines for all servers (dev, prod, etc.). I'm trying this role to manage iptables rules over a ci/cd pipeline. On each run, all rules are removed on all servers and new rules are applied.

My servers have docker installed and all iptables rules added by docker are flushed and docker needs to be restarted.

Is there a way to apply new rules dynamically?

Thanks.

zerr0s avatar Dec 09 '20 07:12 zerr0s

This role has an option `firewall_flush_rules_and_chains`, but I found a bug where the rules are flushed anyway: https://github.com/geerlingguy/ansible-role-firewall/issues/80

Therefore, I made a correction and added the options `firewall_flush_rules_input`, `firewall_flush_rules_output` and `firewall_flush_rules_forward`, and excluded `iptables -F` from the service start template.

To use Docker you need to add `firewall_flush_rules_forward: false`, since Docker adds its rules to the FORWARD chain.

You can use this role with my fixes: https://github.com/alexeychusta/ansible-firewall

alexeychusta avatar Dec 09 '20 13:12 alexeychusta

Hello. Thanks, I'll try it ASAP.

zerr0s avatar Dec 13 '20 11:12 zerr0s

I will likely be revamping this role a little bit to allow something similar, as this has bitten me in the past as well with Docker and this role side-by-side.

geerlingguy avatar Dec 15 '20 20:12 geerlingguy

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

stale[bot] avatar Mar 15 '21 21:03 stale[bot]

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

stale[bot] avatar Apr 15 '21 05:04 stale[bot]

This issue is no longer marked for closure.

stale[bot] avatar Apr 16 '21 15:04 stale[bot]

Hey @geerlingguy

Since mikegleasonjr/ansible-role-firewall is no longer maintained, I will use your role, and the first thing I was looking for was the same behaviour with Docker, since mikegleasonjr/ansible-role-firewall was also flushing existing rules.

So what's the current state? Is there something we can do to make this feature available asap?

renepardon avatar Jul 22 '21 05:07 renepardon

Btw. maybe it helps someone: I restart the docker/fail2ban services right after updating the iptables rules so the chains will be recreated by those daemons.

```yaml
- hosts: all
  become: yes
  become_user: root
  pre_tasks:
    # Load per-environment variables before the firewall role runs.
    # The original used the legacy `include` keyword; include_tasks is the
    # current form of the same dynamic include.
    - ansible.builtin.include_tasks: tasks/pre/load_vars.yml
  roles:
    # The firewall role flushes and re-applies the iptables rules here,
    # which also removes the chains Docker and fail2ban manage.
    - role: community/firewall
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:

    # Restarting each daemon makes it recreate its own chains and rules.
    - name: Restart docker to revert iptables chains
      ansible.builtin.service:
        name: docker
        state: restarted
      when: ansible_facts.services["docker.service"] is defined

    - name: Restart fail2ban to revert iptables chains
      ansible.builtin.service:
        name: fail2ban
        state: restarted
      when: ansible_facts.services["fail2ban.service"] is defined
```

renepardon avatar Jul 22 '21 07:07 renepardon
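An added check script, not part of the role, the fork, or either poster's playbook: it parses `iptables-save` output (a constructed sample is embedded in place of the real command) and reports the Docker-managed chains and whether flushing FORWARD would cut container networking, so a playbook can decide between the fork's `firewall_flush_rules_forward: false` and the restart workaround above. All function names are assumptions.

```bash
#!/usr/bin/env bash
# Hypothetical helper: decide whether flushing the FORWARD chain is safe on
# this host by looking for the chains Docker creates (DOCKER, DOCKER-USER,
# DOCKER-ISOLATION-STAGE-*). Replace SAMPLE_SAVE with "$(iptables-save)" in use.

# Constructed sample of `iptables-save` output from a host running Docker.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# Print "<table> <chain>" for every Docker-managed chain in the dump.
docker_chains() {
  printf '%s\n' "$1" | awk '
    /^\*/      { table = substr($0, 2) }
    /^:DOCKER/ { sub(/^:/, "", $1); print table, $1 }'
}

# Count FORWARD rules that jump into Docker chains. A non-zero count means
# `iptables -F FORWARD` leaves containers without the rules Docker relies on
# until the daemon is restarted.
forward_docker_jumps() {
  printf '%s\n' "$1" | awk '/^-A FORWARD .*-j DOCKER/ { n++ } END { print n + 0 }'
}

# Prints "true" when FORWARD can be flushed without touching Docker's rules.
safe_to_flush_forward() {
  [ "$(forward_docker_jumps "$1")" -eq 0 ] && echo true || echo false
}

docker_chains "$SAMPLE_SAVE"
echo "flush FORWARD safely: $(safe_to_flush_forward "$SAMPLE_SAVE")"
```

Wired into a pre_task, the "false" result is the signal to set `firewall_flush_rules_forward: false` (fork) or to run the docker restart task afterwards.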

PR (for compatibility with docker): https://github.com/geerlingguy/ansible-role-firewall/pull/106

vitabaks avatar Jul 19 '23 19:07 vitabaks