Getting Started with Ansible 12 - Managing Services

Originally published at: Getting Started with Ansible 12 – Managing Services – LearnLinuxTV

Ansible is an incredible configuration management and provisioning utility that enables you to automate all the things. In this series, you’ll learn everything you need to know in order to use Ansible for your day-to-day administration duties. Subscribe to LearnLinuxTV.

site.yml (text in bold has been added since the previous version):

- hosts: all…


Hi, I posted in the topic for the next episode as well, as I’m just going through this series. I have a question in case someone knows how to handle this; it’s regarding managing ufw to set up some rules to allow ports for ssh, http and https.

It seems there’s a community module for ufw, but I’m not really sure how to install it, or whether or not it is good practice to use additional modules when writing playbooks that are meant to be shared with others. This is not really the case for me, but I’d like to be able to run this playbook from different machines, and installing modules might make things more difficult. Any thoughts on this?

As for creating the rules, I saw there’s a built-in iptables module that I could use instead. Unfortunately I’m not very well versed in iptables. I was hoping someone here could help with this as well. I thought I could manually set up ufw and then use the rules it generated, but I’m not sure if this would be a good idea?

Thanks!

EDIT 2:

I managed to solve this one using the iptables module. Turns out for a simple configuration update this was very easy to do after reading through the documentation. This is what I’m trying to emulate:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https

And I managed to do this with the following tasks. Note that I’m running Ansible 2.9, so I have to specify the destination ports individually, but the latest version supports passing in a list of ports. Also, the order is very important in this case, because the tasks are run in order, so the last one is where I overwrite the policy to drop incoming connections.

# Loopback and reply traffic: ufw allows both implicitly, but plain iptables
# does not, so without these two rules the host's own outbound connections
# (DNS lookups, apt, ...) stop working once the INPUT policy becomes DROP.
- name: Allow traffic on the loopback interface
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- name: Allow replies to connections opened by this host
  ansible.builtin.iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT

# One task per port (Ansible 2.9); newer releases accept destination_ports
# with a list in a single task.
- name: Allow connections to SSH
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "22"
    jump: ACCEPT

- name: Allow connections to HTTP
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "80"
    jump: ACCEPT

- name: Allow connections to HTTPS
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "443"
    jump: ACCEPT

- name: Set default outgoing policy
  ansible.builtin.iptables:
    chain: OUTPUT
    policy: ACCEPT

# Kept last on purpose: the ACCEPT rules above must already exist when the
# policy flips, otherwise the SSH session Ansible is using gets dropped.
- name: Set default incoming policy
  ansible.builtin.iptables:
    chain: INPUT
    policy: DROP

I’m still curious, however, about using community modules, if anyone can share their experience with using them. Either way, I hope this helps, and please let me know if you see anything to improve with it.

Thank you!
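The five ufw commands above as one complete, runnable playbook (an added example; this is editor's code, not from the post or from LearnLinuxTV). It uses only ansible.builtin modules, so no collection has to be installed on the machine running it, loops over a port list (works on 2.9), adds the loopback and established/related rules that ufw creates implicitly, sets the DROP policy last so the allow rules exist before the default changes, and persists the ruleset, which the iptables module alone never does. The group name `webservers`, the port list, and the use of Debian/Ubuntu with the `iptables-persistent` package are assumptions of the example.

```yaml
---
# Added example: emulate "ufw default deny incoming", "ufw default allow
# outgoing" and "ufw allow ssh/http/https" with ansible.builtin.iptables.
# Assumptions: Debian/Ubuntu targets; "webservers" is a placeholder group.
- hosts: webservers
  become: true
  vars:
    allowed_tcp_ports:
      - 22   # ssh
      - 80   # http
      - 443  # https
  tasks:
    # iptables evaluates rules top to bottom and the module appends by
    # default, so task order on the first run becomes rule order.
    - name: Allow all traffic on the loopback interface
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Allow replies to connections this host opened
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    # One rule per port; on newer Ansible a single task with
    # destination_ports: "{{ allowed_tcp_ports }}" does the same.
    - name: Allow inbound TCP on the published service ports
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ item }}"
        jump: ACCEPT
      loop: "{{ allowed_tcp_ports }}"

    - name: Set default outgoing policy to ACCEPT
      ansible.builtin.iptables:
        chain: OUTPUT
        policy: ACCEPT

    # Last on purpose: flipping INPUT to DROP before the port 22 rule
    # exists would cut the SSH session Ansible is running over.
    - name: Set default incoming policy to DROP
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP

    # The iptables module only changes the running ruleset; without a
    # save step everything above is gone after a reboot.
    - name: Install iptables-persistent so the ruleset survives reboot
      ansible.builtin.apt:
        name: iptables-persistent
        state: present
        update_cache: true

    - name: Save the running IPv4 ruleset
      ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
      changed_when: false
```

Run it with `ansible-playbook -i inventory firewall.yml`; a second run reports no changes for the rule tasks because the module looks for an identical existing rule before appending. Note that this covers IPv4 only, whereas ufw writes matching ip6tables rules as well; to get the same on IPv6, repeat the rule and policy tasks with `ip_version: ipv6` and save to `/etc/iptables/rules.v6`.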