ho-ansible / ansible

Playbooks and config for remote administration

Setup firewall rules via systemd hooks #89

Open seanho00 opened 4 years ago

seanho00 commented 4 years ago

Moved from https://github.com/ho-ansible/tinc/issues/20

Amend the systemd unit file for a service by adding ExecStart* entries to /etc/systemd/system/mysvc.service.d/*.conf, e.g.,

[Service]
ExecStartPost=/usr/sbin/iptables -A MYSVC ...
ExecStopPost=/usr/sbin/iptables -F MYSVC

Also, add managed rules to a dedicated iptables chain, which is then enabled with a single rule in the main INPUT chain, and can be separately flushed.
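A fuller drop-in along the lines described above, added here as an example rather than taken from the ho-ansible repo: the chain MYSVC is created and hooked into INPUT before the service starts, the managed rules are (re)populated after start, and everything is flushed and detached after stop. The service name mysvc and the TCP port 8080 are assumptions for illustration.

```ini
# /etc/systemd/system/mysvc.service.d/firewall.conf (example, not repo code)
# Assumes: service unit "mysvc", listens on TCP 8080 (placeholder values).
[Service]
# Create the dedicated chain if it does not exist yet; the leading "-" tells
# systemd to ignore the non-zero exit when the chain is already there.
ExecStartPre=-/usr/sbin/iptables -N MYSVC
# Hook the chain into INPUT exactly once: check for the jump, insert if missing.
ExecStartPre=/bin/sh -c '/usr/sbin/iptables -C INPUT -j MYSVC 2>/dev/null || /usr/sbin/iptables -I INPUT -j MYSVC'
# Managed rules live only in MYSVC; flush first so a restart does not duplicate them.
ExecStartPost=/usr/sbin/iptables -F MYSVC
ExecStartPost=/usr/sbin/iptables -A MYSVC -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
# On stop, flush the chain, detach it from INPUT and delete it, so the port is
# only reachable while the service is actually running.
ExecStopPost=-/usr/sbin/iptables -F MYSVC
ExecStopPost=-/usr/sbin/iptables -D INPUT -j MYSVC
ExecStopPost=-/usr/sbin/iptables -X MYSVC
```

Run `systemctl daemon-reload` after dropping the file in; `iptables -L MYSVC -n` after a start/stop cycle confirms the chain appears and disappears with the service.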

seanho00 commented 4 years ago

Uninstall iptables-persistent and create a systemd service that calls iptables-restore on boot (or prior to network online?), and doesn't do iptables-save on shutdown. Template the default rule set to somewhere in /etc.

seanho00 commented 4 years ago

Another option is firewalld, though the Ansible interface is experimental and not tested on Debian.