No network connectivity errors for firewall lab: Ansible advanced course

Hi there,
My apology for the long explanation of the problem and my attempt to resolve
the issue.

I’m stuck on the following lab in the Advanced Ansible course:
Ansible Modules:
Labs - Modules - Firewall rules:

Here is the distro info:

[thor@ansible-controller ~]$ cat /etc/*release* | head -4
CentOS Stream release 9
NAME="CentOS Stream"
VERSION="9"
ID="centos"
cat: write error: Broken pipe
[thor@ansible-controller ~]$

Question 1/5:

Using an Ansible playbook install firewalld on web1 node,
start and enable its service as well.

Name the playbook as firewall.yml and keep it under ~/playbooks.


[thor@ansible-controller playbooks]$ cat inventory 
web1 ansible_host=172.20.1.100 ansible_ssh_pass=Passw0rd ansible_user=root
[thor@ansible-controller playbooks]$

Here is my playbook:

[thor@ansible-controller playbooks]$ vi firewall.yml
[thor@ansible-controller playbooks]$
[thor@ansible-controller playbooks]$ cat firewall.yml 
---
- name: 'Install firewalld on web1 node'
  hosts: web1
  become: yes
  tasks:
  - name: 'Install firewalld'
    yum:
      name: firewalld
      state: installed

  - name: 'Start and enable firewalld'
    service:
      name: firewalld
      state: started
      enabled: True
[thor@ansible-controller playbooks]$

Now running the playbook generates the following connection error:

[thor@ansible-controller playbooks]$ ansible-playbook -i inventory firewall.yml 

PLAY [Install firewalld on web1 node] ****************************************************

TASK [Install firewalld] *****************************************************************
fatal: [web1]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host 172.20.1.100 port 22: No route to host", "unreachable": true}

PLAY RECAP *******************************************************************************
web1                       : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   

[thor@ansible-controller playbooks]$

Installing iproute to investigate the route issue:

[thor@ansible-controller playbooks]$ sudo yum install iproute -y
CentOS Stream 9 - BaseOS                                   13 MB/s | 8.8 MB     00:00 

... ...

Installed:
  iproute-6.14.0-2.el9.x86_64   libbpf-2:1.5.0-2.el9.x86_64   libmnl-1.0.4-16.el9.x86_64  
  psmisc-23.4-3.el9.x86_64     

Complete!
[thor@ansible-controller playbooks]$

Let's verify the IP routes:

[thor@ansible-controller playbooks]$ ip r s
default via 172.20.1.1 dev eth0 
172.17.0.0/16 dev eth1 proto kernel scope link src 172.17.0.4 
172.20.1.0/24 dev eth0 proto kernel scope link src 172.20.1.2 
[thor@ansible-controller playbooks]$

*** As can be seen, the default route is: “default via 172.20.1.1 dev eth0” ***


Let's show the interfaces and IP addresses:

[thor@ansible-controller playbooks]$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:14:01:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.1.2/24 brd 172.20.1.255 scope global eth0
       valid_lft forever preferred_lft forever
13: eth1@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth1
       valid_lft forever preferred_lft forever
[thor@ansible-controller playbooks]$

The IP address of web1 from the inventory is: 172.20.1.100

From my understanding, it’s in the same network as eth0 as
it has the same network prefix: 172.20.1
and route: 172.20.1.0/24

But this is not the case.


When I try to add a new route I get the following error:

[thor@ansible-controller playbooks]$ sudo ip route add 172.20.1.100 via 172.20.1.1
RTNETLINK answers: Operation not permitted
[thor@ansible-controller playbooks]$

I also tried the following just to check:

[thor@ansible-controller playbooks]$ sudo ip route add 172.20.1.100/24 via 172.20.1.1
RTNETLINK answers: Operation not permitted
[thor@ansible-controller playbooks]$
[thor@ansible-controller playbooks]$ sudo ip route add 172.20.1.100/32 via 172.20.1.1
RTNETLINK answers: Operation not permitted
[thor@ansible-controller playbooks]$

Let's install ping to double-check that the default is reachable:

[thor@ansible-controller playbooks]$ sudo yum install iputils -y
Last metadata expiration check: 0:14:51 ago on Tue Sep 23 20:03:11 2025.
Dependencies resolved.
... ...
Installed:
  iputils-20210202-15.el9.x86_64                                                          

Complete!
[thor@ansible-controller playbooks]$

Let's try to ping the default gateway:

[thor@ansible-controller playbooks]$ ping 172.20.1.1
ping: socket: Operation not permitted
[thor@ansible-controller playbooks]$

*** As can be seen, the ping command is being blocked by security ***


So is there a way around this or is the lab still broken?

Thanks in advance

Elvy
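An added diagnostic, not code from the thread or from the course lab, that works through the reasoning in the post above: it parses the inventory and the `ip r s` output shown there, does the same longest-prefix lookup the kernel does for 172.20.1.100, and probes TCP port 22 instead of pinging (a TCP connect needs no raw socket, so it works where `ping: socket: Operation not permitted` and `RTNETLINK answers: Operation not permitted` show the controller container lacks CAP_NET_RAW and CAP_NET_ADMIN). The function names and the `tcp_probe` result strings are my own; the sample inventory and route lines are copied from the post.

```python
import errno
import ipaddress
import socket

# Inventory line copied from the post (INI-style: hostname followed by key=value vars).
INVENTORY = "web1 ansible_host=172.20.1.100 ansible_ssh_pass=Passw0rd ansible_user=root\n"

# `ip r s` output copied from the post.
IP_ROUTE = """\
default via 172.20.1.1 dev eth0
172.17.0.0/16 dev eth1 proto kernel scope link src 172.17.0.4
172.20.1.0/24 dev eth0 proto kernel scope link src 172.20.1.2
"""


def parse_inventory(text):
    """Map hostname -> {var: value} for INI-style inventory lines (groups and comments skipped)."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        name, *pairs = line.split()
        hosts[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts


def parse_routes(text):
    """Parse `ip route show` lines into (network, gateway_or_None, device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host entries become /32
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, via, dev))
    return routes


def lookup_route(addr, routes):
    """Longest-prefix match, as the kernel does it; returns (network, via, dev) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, via, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def diagnose(hostname, inventory_text, route_text):
    """Explain how the controller would deliver packets to the inventory host."""
    host = parse_inventory(inventory_text)[hostname]
    addr = host.get("ansible_host", hostname)
    match = lookup_route(addr, parse_routes(route_text))
    if match is None:
        return {"addr": addr, "connected": False, "via": None, "dev": None,
                "note": f"no route covers {addr}: connect() would fail with ENETUNREACH"}
    net, via, dev = match
    if via is None:
        # Connected subnet: no routing decision is involved, only neighbour (ARP) resolution.
        note = (f"{addr} is on directly connected {net} ({dev}): delivery depends on ARP, "
                "so ssh's 'No route to host' (EHOSTUNREACH) means no neighbour answered, "
                "i.e. the host is down or absent, not that a route is missing")
    else:
        note = f"{addr} is forwarded to gateway {via} on {dev} under {net}"
    return {"addr": addr, "connected": via is None, "via": via, "dev": dev, "note": note}


def tcp_probe(host, port=22, timeout=3.0):
    """Classify a TCP connect attempt; needs no raw socket, unlike ping."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host is up, nothing listening on the port
    except socket.timeout:
        return "timeout"       # filtered, or host silently dropping
    except OSError as e:
        if e.errno == errno.EHOSTUNREACH:
            return "no-route"  # what ssh reported in the post
        return f"error:{e.errno}"


if __name__ == "__main__":
    report = diagnose("web1", INVENTORY, IP_ROUTE)
    print(report["note"])
    print("tcp/22 to", report["addr"], "->", tcp_probe(report["addr"]))
```

On the controller you would feed it the real ~/playbooks/inventory and the live `ip r s` output instead of the embedded samples. The point it makes: for an address inside a directly connected /24 the routing table is never the problem, so `ip route add` could not have helped even with CAP_NET_ADMIN; the kernel hands the packet to ARP, and when no neighbour answers, connect() fails with EHOSTUNREACH, which ssh prints as "No route to host". A `refused` or `open` result from the probe is what to look for once the lab host is actually up.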

The lab looks broken to me as well – 172.20.1.100 does not appear to be up. I’ll write up a ticket on the lab for engineering to fix.

Cheers Rob,
That lab was a pain for a while as I couldn't figure out what was wrong.

How long does it take to resolve this?

It was resolved a bit after you asked; please try it again.