From 5b59636d45725c4fc77e78487476e6525af6c28b Mon Sep 17 00:00:00 2001
From: Ahmad Wilson
Date: Thu, 9 Feb 2023 10:33:29 -0500
Subject: [PATCH] add option to allow specified ingress ports via iptables

---
 README.md | 1 +
 tasks/common/network-setup.yml | 12 ++++++++++++
 tasks/main.yml | 4 ++++
 3 files changed, 17 insertions(+)
 create mode 100644 tasks/common/network-setup.yml

diff --git a/README.md b/README.md
index 3c9b3b0..6cdfe79 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,7 @@ Configure and operate a basic cloud-native service: running anything from cypto
 | _config_ | configuration files associated with the service to mount | `{}` |
 | _configEnv_ | environment variables to set within the service runtime | `{}` |
 | _ports_ | listening port information for a service | `{}` |
+| _setup_iptables_ | configure IP tables to allow ingress paths | `false` |
 | _hostDataDir_ | host directory to store node runtime/operational data | `/var/tmp` |
 | _dataDir_ | container directory to store node runtime/operational data | `/tmp` |
 | _workDir_ | operational directory to store runtime artifacts | `/var/tmp` |
diff --git a/tasks/common/network-setup.yml b/tasks/common/network-setup.yml
new file mode 100644
index 0000000..1505cbd
--- /dev/null
+++ b/tasks/common/network-setup.yml
@@ -0,0 +1,12 @@
+---
+- name: Determine service ingress port list for iptables config
+ ansible.builtin.set_fact:
+ ingressList: "{{ ingressList + [item.value.ingressPort | string] }}"
+ with_dict: "{{ ports }}"
+
+- name: Allow service ingress ports in iptables setup
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_ports: "{{ ingressList }}"
+ jump: ACCEPT
diff --git a/tasks/main.yml b/tasks/main.yml
index 2ab2346..d11992c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
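Review bot: In the new tasks/common/network-setup.yml, `ingressList` is read before it is ever assigned (`{{ ingressList + [...] }}` in the first set_fact), so unless a default is declared somewhere outside this commit the first loop iteration fails on an undefined variable, and because `ports` is documented as defaulting to `{}` the loop can also run zero times and leave the second task referencing a fact that was never set. Safer is `ingressList: "{{ (ingressList | default([])) + [item.value.ingressPort | string] }}"` on the set_fact and `when: ingressList | default([]) | length > 0` on the iptables task, so an empty port map is a no-op rather than an error. The ACCEPT rule is also appended to INPUT with no `comment:`; adding `comment: "ansible-managed: service ingress ports"` keeps the rule attributable when the chain is audited later. Note that `ansible.builtin.iptables` changes the live ruleset only, so these rules are lost on reboot unless a persistence step exists elsewhere in the role.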
@@ -4,3 +4,7 @@
 - name: Setup service infrastructure topology
 ansible.builtin.include_tasks: "{{ setupMode }}/setup.yml"
+
+- name: Manage networking and IP tables setup
+ when: setup_iptables|bool
+ ansible.builtin.include_tasks: "common/network-setup.yml"
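Review bot: `when: setup_iptables|bool` evaluates a variable that this commit never declares — the diffstat touches only README.md, tasks/common/network-setup.yml and tasks/main.yml, with no defaults file — so unless `setup_iptables` already exists elsewhere in the role, every user who relies on the documented `false` default gets an undefined-variable failure instead of a skipped task. Either add `setup_iptables: false` to the role defaults in the same change or make the condition tolerant, `when: setup_iptables | default(false) | bool`, which also matches the spacing style ansible-lint expects around `|`. Whether the task list continues past this hunk is not visible here.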