this post was submitted on 10 Apr 2025
27 points (96.6% liked)

Selfhosted

60093 readers
815 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 30 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
27
Ansible iptables best practices? (sh.itjust.works)
submitted 1 year ago* (last edited 1 year ago) by someacnt@sh.itjust.works to c/selfhosted@lemmy.world
19 comments fedilink hide all child comments
 

I am currently looking into ansibles to store my configurations and deploy services more easily.

I have couple of iptable rules in /etc/iptables/rules.v4, which I can easily restore. Meanwhile, ansible has iptable role for configurations - hence, I am confused on what approach to take.

How do I persist this rules, especially across reboots? Should I rerun ansible every time on each reboot? I am at loss on how to best manage iptables, as other services can interact with it. How do you folks handle this? Thanks in advance!

you are viewing a single comment's thread
view the rest of the comments
[–] mhzawadi@lemmy.horwood.cloud 4 points 1 year ago (1 children)

I have used both, can tell you that a template file of /etc/iptables/rules.v4 with iptables-persistent is the easiest way.

if you go the full IaC route and have vars for the rules, remember to get iptables to save its state after you have applied your rules

[–] someacnt@sh.itjust.works 1 points 1 year ago (1 children)

Thank you! Templating rules.v4 is a pretty attractive option. Though my VPS has some portions of the file which should be unmodified, so I would have to avoid this method.

[–] mhzawadi@lemmy.horwood.cloud 2 points 1 year ago (1 children)

That's the point of the template, you change the bits the need change and the bits that are static get templated

[–] someacnt@sh.itjust.works 1 points 1 year ago* (last edited 1 year ago) (1 children)

How do I keep some of the existing firewall rules (which is dependent on host) in the remote file, and change the other parts?

[–] polarity_inverter@startrek.website 1 points 1 year ago (2 children)

You could either copy them to the top of your template, or you could take a look at the blockinfile module

[–] mhzawadi@lemmy.horwood.cloud 1 points 1 year ago

The way I have my file, is a load of default stuff. Like block windows ports and allow SSH.

With a for loop that adds stuff for a specific host, like allow http/s for the web server.

[–] someacnt@sh.itjust.works 1 points 1 year ago

Thanks a lot! I will go with the blockinfile, sounds promising.