Ansible hangs after an iptables-restore even if the stateful connection would normally be allowed
Connection tracking is not active until a rule that uses it has been loaded, so netfilter has no entry for the SSH session Ansible is already using and does not treat it as established. After an iptables-restore that drops everything except ESTABLISHED,RELATED traffic, the replies the host sends back over that session are dropped. An interactive user rarely notices this: the next keystroke sends an inbound SSH packet, which the port 22 rule allows and which creates the conntrack entry, after which the session counts as established. Ansible sends nothing further and waits for output the host can no longer deliver, so it hangs forever.
Workaround: iptables-restore a permissive ruleset that already contains the conntrack matches (this activates connection tracking and lets the existing SSH session be picked up), and only then iptables-restore the restrictive ruleset.
/etc/iptables.workaround
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
/etc/iptables.rules
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
Ansible
tasks:
  # Permissive ruleset from /etc/iptables.workaround above; its -m conntrack rules
  # activate connection tracking. The result of this task travels back over the
  # SSH session, which is what gets that session into the conntrack table.
  - name: Initialize Firewall Connection Tracking (workaround)
    shell: /sbin/iptables-restore /etc/iptables.workaround

  - name: Configure Firewall
    template: src=iptables.j2 dest=/etc/iptables.rules
    notify: restore /etc/iptables.rules

handlers:
  # Runs at the end of the play, i.e. only after the workaround task has completed
  # and the session is already ESTABLISHED from netfilter's point of view.
  - name: restore /etc/iptables.rules
    shell: /sbin/iptables-restore /etc/iptables.rules
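As an added check that is not part of the original post: a small script that a task placed between the workaround restore and the handler can run, so the play fails at that point instead of hanging if conntrack has not yet picked up the controller's SSH session. It assumes an IPv4 session, that sshd exports SSH_CONNECTION, and that /proc/net/nf_conntrack is readable; the sample conntrack dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to load /etc/iptables.rules
# until conntrack lists the controller's SSH session as ESTABLISHED, so a play
# fails fast instead of hanging. Assumes an IPv4 session, that sshd sets
# SSH_CONNECTION ("client_ip client_port server_ip server_port"), and that
# /proc/net/nf_conntrack is readable (it appears once nf_conntrack is loaded,
# which the -m conntrack rules in /etc/iptables.workaround trigger).

# Constructed sample of /proc/net/nf_conntrack, used only for the self-test below.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=51234 dport=22 src=192.0.2.20 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 55 SYN_SENT src=192.0.2.20 dst=192.0.2.30 sport=40000 dport=443 [UNREPLIED] src=192.0.2.30 dst=192.0.2.20 sport=443 dport=40000 mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.0.2.20 dst=192.0.2.1 sport=45000 dport=53 src=192.0.2.1 dst=192.0.2.20 sport=53 dport=45000 mark=0 zone=0 use=1'

# ssh_session_tracked CLIENT_IP CLIENT_PORT < conntrack-dump
# Succeeds only for an ESTABLISHED tcp entry from CLIENT_IP:CLIENT_PORT to local port 22.
ssh_session_tracked() {
  grep -Eq "^ipv4 +[0-9]+ +tcp +6 +[0-9]+ +ESTABLISHED src=$1 dst=[0-9.]+ sport=$2 dport=22 "
}

# Controller address and port of the SSH session this command runs in.
client_ip()   { set -- $SSH_CONNECTION; printf '%s\n' "$1"; }
client_port() { set -- $SSH_CONNECTION; printf '%s\n' "$2"; }

# Run from an Ansible shell: task placed after the workaround restore and before
# the handler that loads /etc/iptables.rules; a non-zero exit fails the play there.
check_before_restrictive_rules() {
  if [ ! -r /proc/net/nf_conntrack ]; then
    echo "nf_conntrack is not loaded; restore /etc/iptables.workaround first" >&2
    return 2
  fi
  if ssh_session_tracked "$(client_ip)" "$(client_port)" < /proc/net/nf_conntrack; then
    echo "SSH session from $(client_ip) is tracked; safe to load /etc/iptables.rules"
  else
    echo "SSH session not yet ESTABLISHED in conntrack; not loading /etc/iptables.rules" >&2
    return 1
  fi
}

# Self-test on the constructed sample; on a real host call check_before_restrictive_rules.
if printf '%s\n' "$SAMPLE_CONNTRACK" | ssh_session_tracked 192.0.2.10 51234; then
  echo "sample: controller session is tracked"
fi
```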