Automate Linux Firewalld, Iptables, and Cron with Ansible – A Complete Guide
This article explains how to use Ansible’s cron, iptables, and firewalld modules to manage Linux scheduled tasks, firewall rules, and service ports, providing detailed parameter descriptions, practical examples, and tips for reliable automation in system operations.
In today’s fast‑moving IT industry, operations teams face increasing demands for server security and stability. Ansible, an open‑source automation tool, offers simple, flexible, and powerful capabilities to meet these challenges.
Cron Module
The cron module lets you create, modify, or delete scheduled tasks on Linux. Key parameters include:
name (required): task name. The module writes it as a "#Ansible: name" marker line above the entry and uses it as the key when updating or deleting, so changing the name creates a second entry instead of renaming the old one
user : user whose crontab is modified (defaults to the user Ansible runs as, normally root)
minute / hour / day / month / weekday : schedule fields (default *)
job : command to execute (required when state=present)
state : present/absent (default present)
cron_file : manage a system cron file instead of a user crontab (an absolute path such as /etc/crontab, or a file name relative to /etc/cron.d); must be used together with user
Example configurations:
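Before the article's own one-liners, here is an added example (shell, not code from the original article) that wraps the same ad-hoc cron calls in a script and makes the "name is the key" behaviour explicit: a rename needs an explicit absent for the old name, and the "#Ansible: name" marker the module writes can be counted to verify that exactly one entry exists. The inventory file hosts, the host group db, the INVENTORY and CRON_USER variables and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: wrapper around ad-hoc
# calls to the cron module. Assumptions (not from the page): inventory file
# ./hosts, a host group db, jobs managed in one user's crontab (no cron_file).
set -eu

INVENTORY="${INVENTORY:-hosts}"
CRON_USER="${CRON_USER:-root}"

# cron_entry <host-pattern> present <name> <job> [minute] [hour]
# cron_entry <host-pattern> absent  <name>
# The same name updates the existing entry in place; a different name creates
# a second entry, so a rename needs an explicit absent for the old name.
cron_entry() {
    hosts="$1"; state="$2"; name="$3"; job="${4:-}"
    if [ "$state" = present ]; then
        if [ -z "$job" ]; then
            echo "cron_entry: a job command is required for state=present" >&2
            return 1
        fi
        ansible -i "$INVENTORY" "$hosts" -m cron \
            -a "name='$name' job='$job' minute=${5:-*} hour=${6:-*} user=$CRON_USER state=present"
    else
        ansible -i "$INVENTORY" "$hosts" -m cron -a "name='$name' user=$CRON_USER state=absent"
    fi
}

# cron_rename <host-pattern> <old-name> <new-name> <job> <minute> <hour>
cron_rename() {
    cron_entry "$1" absent "$2"
    cron_entry "$1" present "$3" "$4" "$5" "$6"
}

# cron_verify <host-pattern> <name>: count the "#Ansible: <name>" marker lines
# the module writes above every job it manages (1 means exactly one entry).
cron_verify() {
    ansible -i "$INVENTORY" "$1" -m command -a "crontab -l -u $CRON_USER" | grep -c "#Ansible: $2"
}

# Stand-alone use: ./cron_entry.sh db present 'nightly backup' /usr/local/bin/backup.sh 0 2
if [ "$#" -gt 0 ]; then
    cron_entry "$@"
fi
```

cron_verify returns the count on stdout; a value other than 1 after a rename means the old entry is still there (or the job never landed), which is exactly the state a plain re-run of the present call would not repair.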
<code># root user runs a job every two hours at the top of the hour
ansible -i hosts 172.139.20.17 -m cron -a "name='test1 cron' job='ls /tmp 2> /dev/null' minute=0 hour=*/2 state=present"
# root user runs a job at 03:00 and 05:00, stored in /etc/crontab (cron_file requires user)
ansible -i hosts 172.139.20.17 -m cron -a "name='test2 cron' job='ls /tmp 2> /dev/null' user=root minute=0 hour=3,5 cron_file=/etc/crontab state=present"
# delete the test2 cron job from /etc/crontab; the name is what identifies the entry
ansible -i hosts 172.139.20.17 -m cron -a "name='test2 cron' user=root cron_file=/etc/crontab state=absent"</code>
Iptables Module
The iptables module manages rule chains on hosts that still run plain iptables. Important parameters include:
table : iptables table (default filter)
chain : chain to operate on (INPUT, OUTPUT, FORWARD or a user-defined chain)
protocol : network protocol (tcp, udp, icmp, ...)
source / source_port : source address and port
destination / destination_port : destination address and port; destination_ports (added in Ansible 2.11) takes a comma-separated list and makes the module load the multiport match
match : extra match extensions to load (e.g., conntrack, multiport)
ctstate : connection-tracking state list (NEW, ESTABLISHED, RELATED, ...)
syn : match or negate, to select or exclude SYN-only packets (new connections)
jump : target (e.g., DROP, ACCEPT)
action : append (default) or insert; with insert, rule_num picks the position in the chain
comment : rule annotation (the module loads the comment match itself)
policy : default policy of the chain
state : present/absent (default present)
The module edits the running ruleset only: rules are lost at reboot unless you save them, for example with iptables-save (or the iptables-services save command on RHEL/CentOS).
Example configurations:
<code># Allow the 172.139.20.x network to reach port 9100
ansible -i hosts db -m iptables -a "chain=INPUT source=172.139.20.0/24 protocol=tcp destination_port=9100 jump=ACCEPT comment='The 172.139.20.x address allows access to port 9100'"
# Accept only new TCP/22 SYN packets (SSH connection setup)
ansible -i hosts db -m iptables -a "chain=INPUT protocol=tcp destination_port=22 ctstate=NEW syn=match jump=ACCEPT comment='Accept new SSH connections'"
# Accept established/related connections, inserted at the top of the chain
ansible -i hosts db -m iptables -a "chain=INPUT ctstate=ESTABLISHED,RELATED jump=ACCEPT action=insert"
# Allow the 172.139.20.x network to reach ports 22, 5432 and 9999 in one rule.
# destination_ports (Ansible 2.11+) emits -m multiport --dports; a comma-separated
# destination_port would be passed to the tcp match as --destination-port and rejected
ansible -i hosts db -m iptables -a "chain=INPUT source=172.139.20.0/24 protocol=tcp destination_ports=22,5432,9999 jump=ACCEPT"
# Delete the rule that allowed port 9100 for the network above
ansible -i hosts db -m iptables -a "chain=INPUT source=172.139.20.0/24 protocol=tcp destination_port=9100 jump=ACCEPT comment='The 172.139.20.x address allows access to port 9100' state=absent"
# Set the default INPUT policy to DROP in the filter table. Do this only after the
# SSH and ESTABLISHED,RELATED accept rules above are in place, or you lock yourself out
ansible -i hosts db -m iptables -a "table=filter chain=INPUT policy=DROP"</code>
Tip: When deleting a rule, all parameters, including the comment, must match the existing rule exactly; the module looks the rule up with iptables -C, and if nothing matches it reports the rule as already absent and removes nothing.
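The one-liners above are safe in the order shown but easy to get wrong when typed by hand. The following added example (shell, not code from the original article) strings the same iptables-module calls together so that every ACCEPT that keeps the operator connected is in place before the policy flips to DROP, and then saves the running ruleset, which the module itself never does. It assumes an inventory file hosts with a group db, root access, and a RHEL-family target with iptables-services, so that iptables-save output belongs in /etc/sysconfig/iptables; the INVENTORY and SAVE_FILE variables and the function names are illustration only. rule_num and in_interface are real parameters of the iptables module.

```shell
#!/bin/sh
# Added example, not code from the original article: take the INPUT chain to a
# default DROP policy with ad-hoc calls to the iptables module in an order that
# cannot lock the operator out, then persist the running ruleset.
# Assumptions (not from the page): inventory ./hosts and a group db, root access,
# and a RHEL-family target with iptables-services, where iptables-save output
# belongs in /etc/sysconfig/iptables.
set -eu

INVENTORY="${INVENTORY:-hosts}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"

# One iptables-module call against a host pattern.
ipt() {
    ansible -i "$INVENTORY" "$1" -m iptables -a "$2"
}

# lock_down_input <host-pattern> <admin-cidr> [app-ports]
# Every ACCEPT that keeps the session alive goes in before the policy flips,
# and the two "keep me connected" rules are inserted at the top so that rules
# appended later cannot shadow them. Re-runs are idempotent: the module checks
# each rule with iptables -C before adding it.
lock_down_input() {
    hosts="$1"; admin_cidr="$2"; app_ports="${3:-}"
    if [ -z "$admin_cidr" ]; then
        echo "lock_down_input: refusing to set policy DROP without an admin CIDR for SSH" >&2
        return 1
    fi
    # 1. Replies to existing connections and loopback traffic, as rules 1 and 2.
    ipt "$hosts" "chain=INPUT ctstate=ESTABLISHED,RELATED jump=ACCEPT action=insert rule_num=1 comment='established flows'"
    ipt "$hosts" "chain=INPUT in_interface=lo jump=ACCEPT action=insert rule_num=2 comment='loopback'"
    # 2. New SSH sessions, SYN packets only, and only from the admin network.
    ipt "$hosts" "chain=INPUT protocol=tcp source=$admin_cidr destination_port=22 ctstate=NEW syn=match jump=ACCEPT comment='ssh from admin net'"
    # 3. Application ports; destination_ports makes the module load -m multiport.
    if [ -n "$app_ports" ]; then
        ipt "$hosts" "chain=INPUT protocol=tcp destination_ports=$app_ports ctstate=NEW jump=ACCEPT comment='application ports'"
    fi
    # 4. Only now flip the default policy.
    ipt "$hosts" "table=filter chain=INPUT policy=DROP"
    # 5. The module changes the running ruleset only; save it or it is gone at reboot.
    ansible -i "$INVENTORY" "$hosts" -m shell -a "iptables-save > $SAVE_FILE"
}

# Stand-alone use: ./lock_down_input.sh db 172.139.20.0/24 5432,9999
if [ "$#" -gt 0 ]; then
    lock_down_input "$@"
fi
```

The refusal to proceed without an admin CIDR is deliberate: a DROP policy with an SSH rule open to the world is the usual compromise people make under time pressure, and the script makes that choice impossible to make by accident.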
Firewalld Module
Firewalld is the default firewall manager on CentOS/RHEL 7 and later and works with dynamic zones. The firewalld module adds or removes ports, services and rich rules through Ansible. Key parameters:
port : port definition (e.g., 3000/tcp)
service : predefined service name (see firewall-cmd --get-services)
rich_rule : rule written in firewalld's rich-rule language
zone : zone to change (the default zone when omitted)
permanent : write the change to the saved configuration so it survives a reload and a reboot; without it the change is runtime-only and firewall-cmd --reload discards it
immediate : also apply the change to the running firewall when permanent=yes (when permanent is omitted, the change goes to the running firewall anyway)
state (required): enabled/disabled for ports, services and rich rules; present/absent only for zone-level operations
Example configurations:
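The permanent/immediate split is where firewalld changes go wrong in practice: a port opened at runtime only disappears on the next reload, and a port written only to the permanent set is not live until one. Before the article's own one-liners, here is an added example (shell, not code from the original article) that opens a port in both places and then compares the runtime and permanent port lists to find and repair such drift. It assumes an inventory file hosts with a group db, the default zone, root access, and Ansible's default two-line output for the command module (a "host | CHANGED | rc=0 >>" header followed by the command output); the INVENTORY variable and the function names are illustration only.

```shell
#!/bin/sh
# Added example, not code from the original article: open a port in both the
# running and the saved firewalld configuration, then detect and repair drift
# between the two (runtime-only ports vanish on reload; permanent-only ports
# are not live until one).
# Assumptions (not from the page): inventory ./hosts, group db, the default
# zone, root access, and ansible's default output format for the command module.
set -eu

INVENTORY="${INVENTORY:-hosts}"

# fw_port <host-pattern> <port/proto> <enabled|disabled>
# permanent=yes alone changes only the saved config; immediate=yes alone (the
# default when permanent is omitted) changes only the running firewall.
fw_port() {
    ansible -i "$INVENTORY" "$1" -m firewalld -a "port=$2 permanent=yes immediate=yes state=$3"
}

# fw_list <host-pattern> [--permanent]: ports in the default zone, one per line.
# sed drops the "host | CHANGED | rc=0 >>" header line that ansible prints.
fw_list() {
    ansible -i "$INVENTORY" "$1" -m command -a "firewall-cmd ${2:-} --list-ports" \
        | sed '1d' | tr ' ' '\n' | grep . || true
}

# fw_port_drift <host>: ports present in exactly one of runtime/permanent.
# Each list is already unique, so the lines that occur once across both lists
# are the symmetric difference.
fw_port_drift() {
    runtime=$(fw_list "$1")
    saved=$(fw_list "$1" --permanent)
    printf '%s\n' $runtime $saved | sort | uniq -u | grep . || true
}

# fw_fix_drift <host>: re-enable every drifting port in both configurations.
fw_fix_drift() {
    for p in $(fw_port_drift "$1"); do
        fw_port "$1" "$p" enabled
    done
}

# Stand-alone use: ./fw_drift.sh db
if [ "$#" -gt 0 ]; then
    fw_fix_drift "$@"
fi
```

Enabling with both flags is the right repair in both directions: a runtime-only port gets written to the saved set, and a permanent-only port becomes live without a full reload. Run fw_port_drift alone first if you want to see what will change.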
<code># Open TCP port 3000 to all sources on every inventory host (runtime only, lost on reload)
ansible -i hosts all -m firewalld -a "port=3000/tcp state=enabled"
# Open the predefined libvirt service, saved permanently and active immediately
ansible -i hosts all -m firewalld -a "service=libvirt permanent=yes immediate=yes state=enabled"
# Allow only 172.139.20.0/24 to reach TCP port 3000 via a rich rule (runtime only)
ansible -i hosts all -m firewalld -a "rich_rule='rule family=ipv4 source address=172.139.20.0/24 port port=3000 protocol=tcp accept' state=enabled"</code>
Conclusion
By following this guide, you should now be able to use Ansible to manage Firewalld, Iptables, and Cron on Linux systems, improving automation efficiency and reliability. As cloud and container technologies evolve, Ansible’s role in operations will continue to expand.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.