
docker rules are flushed on each run #82

Open
zerr0s opened this issue Dec 9, 2020 · 11 comments

@zerr0s

zerr0s commented Dec 9, 2020

Hello, forgive me for my bad English.

First, special thanks for your Ansible roles. I use them every day in my pipelines for all servers (dev, prod, etc.).
I'm trying this role to manage iptables rules over a CI/CD pipeline. On each run, all rules are removed on all servers and new rules are applied.

My servers have Docker installed, and all iptables rules added by Docker are flushed, so Docker needs to be restarted.

Is there a way to apply new rules dynamically?

Thanks.

@alexeychusta

This role has an option "firewall_flush_rules_and_chains:",
but I found a bug where the rules are flushed anyway
(#80).

Therefore I made a correction and added the options
firewall_flush_rules_input:
firewall_flush_rules_output:
firewall_flush_rules_forward:
and excluded "iptables -F" from the service start template.

To use Docker you need to add
firewall_flush_rules_forward: false
since Docker adds its rules to the FORWARD chain.

You can use this role with my fixes: https://github.com/alexeychusta/ansible-firewall

@zerr0s
Author

zerr0s commented Dec 13, 2020

Hello. Thanks, I'll try it ASAP.

@geerlingguy
Owner

I will likely be revamping this role a little bit to allow something similar, as this has bitten me in the past as well with Docker and this role side-by-side.

@stale

stale bot commented Mar 15, 2021

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Mar 15, 2021
@stale

stale bot commented Apr 15, 2021

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

@stale stale bot closed this as completed Apr 15, 2021
@geerlingguy geerlingguy reopened this Apr 16, 2021
@stale

stale bot commented Apr 16, 2021

This issue is no longer marked for closure.


@stale stale bot removed the stale label Apr 16, 2021
@renepardon

Hey @geerlingguy

Since mikegleasonjr/ansible-role-firewall is no longer maintained, I will use your role, and the first thing I looked for was the same behaviour with Docker, since mikegleasonjr/ansible-role-firewall was also flushing existing rules.

So what's the current state? Is there something we can do to make this feature available asap?

@renepardon

Btw., maybe this helps someone:
I restart the docker/fail2ban services right after updating the iptables rules, so the chains are recreated by those daemons.

- hosts: all
  become: yes
  become_user: root
  pre_tasks:
    # `include` was removed from ansible-core; `include_tasks` is the replacement
    - ansible.builtin.include_tasks: tasks/pre/load_vars.yml
  roles:
    - role: community/firewall
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:

    - name: Restart docker to revert iptables chains
      ansible.builtin.service:
        name: docker
        state: restarted
      when: ansible_facts.services["docker.service"] is defined

    - name: Restart fail2ban to revert iptables chains
      ansible.builtin.service:
        name: fail2ban
        state: restarted
      when: ansible_facts.services["fail2ban.service"] is defined
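
A different way to attack the same problem, shown here as an added example that is not code from geerlingguy.firewall, from Docker or from anyone in this thread: instead of flushing everything and then restarting the daemons that rebuild their chains, rewrite only the chains the role owns and hand the whole table back to iptables-restore. The script assumes the role owns exactly the INPUT and OUTPUT chains of the filter table (MANAGED), hard-codes the rules it would render on this run (NEW_RULES, NEW_POLICY), and parses a constructed iptables-save dump that is embedded in the block.

```python
"""Replace only the firewall role's own chains in an iptables-save dump.

Added example for this thread, not code from geerlingguy.firewall, from any
commenter or from Docker: it rewrites the chains the role is assumed to own
and copies every other chain verbatim, so `iptables-restore` reloads Docker's
FORWARD, DOCKER* and nat entries unchanged and no daemon restart is needed.
"""
import re
import sys

MANAGED = {"filter": {"INPUT", "OUTPUT"}}  # assumption: the role owns only these
NEW_RULES = {"filter": {"INPUT": [        # assumption: what the role renders this run
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
]}}
NEW_POLICY = {"filter": {"INPUT": "DROP"}}
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)")  # ":INPUT DROP [0:0]"
RULE_RE = re.compile(r"^-[AI]\s+(\S+)")    # "-A INPUT ... -j ACCEPT"

# Constructed dump of a Docker host whose INPUT chain still holds a rule from
# the previous run (port 2222) that this run must replace.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
"""

def chain_of(line):
    """Chain a rule line targets, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    return m.group(1) if m else None

def parse_dump(dump):
    """{table: [chain and rule lines]}; *table, COMMIT and comments are dropped."""
    tables, current = {}, None
    for line in dump.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = []
        elif line == "COMMIT":
            current = None
        elif current is None or not (CHAIN_RE.match(line) or chain_of(line)):
            raise ValueError(f"unexpected line: {line!r}")
        else:
            tables[current].append(line)
    return tables

def merge_rules(dump, new_rules, policies):
    """Restore file with the managed chains replaced and every other chain kept."""
    tables, out = parse_dump(dump), []
    if missing := set(new_rules) - set(tables):
        raise ValueError(f"tables absent from the live ruleset: {sorted(missing)}")
    for table, lines in tables.items():
        managed = MANAGED.get(table, set())
        out.append(f"*{table}")
        for line in lines:  # chain declarations first, as iptables-save emits them
            if m := CHAIN_RE.match(line):
                chain, policy = m.groups()
                if chain in managed:
                    policy = policies.get(table, {}).get(chain, policy)
                out.append(f":{chain} {policy} [0:0]")
        # every rule of a chain the role does not own, in its original order
        out.extend(l for l in lines if chain_of(l) and chain_of(l) not in managed)
        for chain, rules in new_rules.get(table, {}).items():  # then the fresh rules
            if chain not in managed or any(chain_of(r) != chain for r in rules):
                raise ValueError(f"refusing to write {table}/{chain}: not a managed chain")
            out.extend(rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"

def preserved(before, after, table="filter"):
    """True if every rule outside the managed chains survived, in order."""
    skip = (None, *MANAGED.get(table, ()))
    keep = lambda d: [l for l in parse_dump(d)[table] if chain_of(l) not in skip]
    return keep(before) == keep(after)

if __name__ == "__main__":
    # On a host: iptables-save | python3 merge_rules.py | iptables-restore
    live = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    merged = merge_rules(live, NEW_RULES, NEW_POLICY)
    assert preserved(live, merged), "a chain the role does not own would be lost"
    sys.stdout.write(merged)
```

On a host this runs as `iptables-save | python3 merge_rules.py | iptables-restore`. iptables-restore flushes each table named in its input and loads the listed chains in one step, which is why the DOCKER, DOCKER-USER and nat entries come back exactly as the dump recorded them and dockerd does not have to be restarted. preserved() compares every rule outside the managed set before and after the merge, so a regression that drops a Docker rule fails at the assert before anything reaches iptables-restore. FORWARD and the whole nat table must stay out of MANAGED: Docker owns the FORWARD jumps and the nat DOCKER chain that carries the port-publishing DNAT rules. Rules of your own that must see container traffic belong in DOCKER-USER, which Docker creates for exactly that purpose.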

@vitabaks

PR (for compatibility with docker): #106

@hth2

hth2 commented Jun 5, 2024

Thanks @renepardon for the hint.

I did the following to restart docker and fail2ban when firewall is restarted:

  • change the handler "restart firewall":

---
- name: restart firewall
  service: name=firewall state=restarted
  register: reg_firewall_restarted

  • playbook:

  roles:
    - role: geerlingguy.firewall

  post_tasks:
  - meta: flush_handlers

  - name: Populate service facts
    ansible.builtin.service_facts:

  - name: Restart docker to revert iptables chains
    ansible.builtin.service:
      name: docker
      state: restarted
    when: ansible_facts.services["docker.service"] is defined and reg_firewall_restarted is defined

  - name: Restart fail2ban to revert iptables chains
    ansible.builtin.service:
      name: fail2ban
      state: restarted
    when: ansible_facts.services["fail2ban.service"] is defined and reg_firewall_restarted is defined

I want to avoid making changes to the handler, but I don't know a better way.
