Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Modify Ansible UFW Role to Use iptables-save Format #5520

Closed
kayiwa opened this issue Nov 5, 2024 · 1 comment
Closed

Modify Ansible UFW Role to Use iptables-save Format #5520

kayiwa opened this issue Nov 5, 2024 · 1 comment
Assignees
@kayiwa
Labels
bug maintenance

Comments

@kayiwa
Copy link
Member

kayiwa commented Nov 5, 2024
edited
Loading

This issue proposes modifying our Ansible UFW role to manage the firewall configuration using the iptables-save format. This will provide a more robust and flexible way to define and maintain firewall rules.

Rationale:

Currently, the UFW role may rely on the ufw command-line utility to manage rules. While functional, this approach has limitations:

  • Limited expressiveness: The ufw command provides a simplified interface, which can be restrictive when defining complex rules or using advanced features of iptables.
  • Lack of direct control: Managing rules through ufw can be less transparent and may not provide direct control over the underlying iptables configuration.

Using the iptables-save format in a template offers several advantages:

  • Full control: We can define any valid iptables rule, including those not directly supported by ufw.
  • Improved readability: The iptables-save format is well-structured and easier to read and understand, making it simpler to manage complex firewall configurations.
  • Idempotency: Ansible can effectively manage the template, ensuring that the firewall configuration is always in the desired state.

Tasks:

  1. Update the UFW Role:

    • Create a new template file (e.g., iptables.j2) within the role's templates directory.
    • Define the firewall rules in the template using the iptables-save format.
    • Include variables in the template to allow for customization (e.g., allowed IP addresses, ports, services).
    • Modify the role's tasks to use the template module to generate the iptables configuration file from the template.
    • Add a task to load the generated configuration using the iptables-restore command.

  2. Example iptables.j2 Template:

*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
... (other chains)

RULES
{% for rule in rules %}
-A ufw-user-input -p {{ rule.protocol }} -s {{ rule.source }} --dport {{ rule.port }} -j {{ rule.action }}
{% endfor %}
-A ufw-user-input -j DROP

END RULES
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
  1. Testing and Validation:
    • Create Molecule tests to verify the role's functionality and ensure the generated firewall configuration is correct.
    • Test the role on different Ubuntu Jammy systems to ensure compatibility.

Example Playbook:

- hosts: your_servers
 roles:
   - ufw
 vars:
   rules:
     - protocol: tcp
       source: 10.0.0.0/8
       port: 22
       action: ACCEPT
     - protocol: tcp
       source: 192.168.1.0/24
       port: 80
       action: ACCEPT

Benefits:

  • Enhanced Flexibility: Easily define complex firewall rules and leverage advanced iptables features.
  • Improved Maintainability: Manage firewall configurations in a more structured and readable format.
  • Increased Reliability: Ensure consistent and idempotent firewall configuration across systems.
@kayiwa kayiwa self-assigned this Nov 5, 2024
@kayiwa kayiwa added the bug label Nov 5, 2024
@kayiwa kayiwa mentioned this issue Nov 5, 2024
Open
12 tasks
@acozine acozine mentioned this issue Nov 18, 2024
Open
5 tasks
kayiwa added a commit that referenced this issue Nov 20, 2024
@kayiwa
add a template for user.rules file
915fced 
the order of rules matters in ufw. We add the new defaults for ssh
we create a template file that can allow users to place these rules and
have predictable implementation

Closes #5520
kayiwa added a commit that referenced this issue Nov 20, 2024
@kayiwa
add a template for user.rules file
0e44d83 
the order of rules matters in ufw. We add the new defaults for ssh
we create a template file that can allow users to place these rules and
have predictable implementation

Closes #5520
kayiwa added a commit that referenced this issue Nov 25, 2024
@kayiwa
add a template for user.rules file
53792d8 
the order of rules matters in ufw. We add the new defaults for ssh
we create a template file that can allow users to place these rules and
have predictable implementation

Closes #5520
kayiwa added a commit that referenced this issue Nov 26, 2024
@kayiwa
add a template for user.rules file
44f21c4 
the order of rules matters in ufw. We add the new defaults for ssh
we create a template file that can allow users to place these rules and
have predictable implementation

Closes #5520
@kayiwa
Copy link
Member Author

kayiwa commented Dec 13, 2024

Closed by this PR #5559

@kayiwa kayiwa closed this as completed Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kayiwa kayiwa

Labels
bug maintenance
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kayiwa