I started developing a playbook with Ansible to perform some operations on the system's iptables. I have a server on which I want to block all IPs except one or more trusted ones.
I don't really know how to write iptables rules with the ansible module. I need to:
- Drop all incoming traffic (iptables -P INPUT DROP)
- Drop all forwarded traffic (iptables -P FORWARD DROP)
- Allow all outgoing traffic (iptables -P OUTPUT ACCEPT)
- iptables -A INPUT -p tcp -m tcp -s ipaddress --dport 22 -j ACCEPT
So far I have created this playbook:
---
- hosts: localhost
  remote_user: sysadmin
  become: true
  vars:
    host_name: localhost
  tasks:
    # Drop all incoming traffic
    # iptables -P INPUT DROP
    - iptables:
        chain: INPUT
        protocol: all
        jump: DROP
      become: yes
    # Drop all forwarded traffic
    # iptables -P FORWARD DROP
    - iptables:
        chain: FORWARD
        source: all
        jump: DROP
      become: yes
    # Allow all outgoing traffic
    # iptables -P OUTPUT ACCEPT
    - iptables:
        chain: OUTPUT
        source: all
        jump: ACCEPT
      become: yes
    # Allow SSH from one trusted address
    # iptables -A INPUT -p tcp -m tcp -s xx.xx.xx.xx/32 --dport 22 -j ACCEPT
    - iptables:
        action: append
        chain: INPUT
        protocol: tcp
        source: ip_address
        destination_port: 22
        jump: ACCEPT
      become: yes
Best answer
I solved the problem by taking different steps:
- iptables -A INPUT -s 2.228.104.210 -j ACCEPT
- iptables -A OUTPUT -d 2.228.104.210 -j ACCEPT
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
And the working playbook:
---
- hosts: localhost
  remote_user: sysadmin
  become: true
  vars:
    host_name: localhost
  tasks:
    # iptables -A INPUT -s 192.168.1.1 -j ACCEPT
    - iptables:
        chain: INPUT
        source: 192.168.1.1
        jump: ACCEPT
      become: yes
    # iptables -A OUTPUT -d 192.168.1.1 -j ACCEPT
    - iptables:
        chain: OUTPUT
        destination: 192.168.1.1
        jump: ACCEPT
      become: yes
    # iptables -P INPUT DROP
    - iptables:
        chain: INPUT
        policy: DROP
      become: yes
    # iptables -P OUTPUT DROP
    - iptables:
        chain: OUTPUT
        policy: DROP
      become: yes
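As an added example (not part of the original question or the accepted answer), the playbook below generalizes the answer's approach to the "one or more IPs" case from the question: it loops over a list of trusted source addresses, allows loopback and reply traffic so the host can still reach DNS and package mirrors, and sets the chain policies only after the ACCEPT rules exist. The variable names `allowed_ssh_sources` and `ssh_port`, the sample addresses in them and the rule comments are constructed for this example; the module parameters (`in_interface`, `ctstate`, `comment`, `policy`) are those of `ansible.builtin.iptables`.

```yaml
---
# Example playbook, added here; not from the original question or answer.
- hosts: localhost
  become: true
  vars:
    # Constructed sample list of trusted management addresses
    allowed_ssh_sources:
      - 192.168.1.1
      - 192.168.1.2
    ssh_port: 22
  tasks:
    - name: Allow loopback traffic (local services keep working under a DROP policy)
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Allow replies to connections this host opened (DNS, updates, outbound SSH)
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ["ESTABLISHED", "RELATED"]
        jump: ACCEPT

    - name: Allow new SSH connections from each trusted source
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        source: "{{ item }}"
        destination_port: "{{ ssh_port }}"
        ctstate: ["NEW"]
        jump: ACCEPT
        comment: "managed by ansible: ssh from {{ item }}"
      loop: "{{ allowed_ssh_sources }}"

    # Policies come last: with INPUT already set to DROP and no ACCEPT rule
    # for the trusted source, the session Ansible is using would be cut off.
    - name: Set default chain policies after the accept rules are in place
      ansible.builtin.iptables:
        chain: "{{ item.chain }}"
        policy: "{{ item.policy }}"
      loop:
        - { chain: INPUT, policy: DROP }
        - { chain: FORWARD, policy: DROP }
        - { chain: OUTPUT, policy: ACCEPT }
```

Run it with `ansible-playbook` as usual; `become: true` at play level makes the per-task `become: yes` from the original playbooks unnecessary. The module only manages the live ruleset, so rules are lost on reboot unless they are saved with the distribution's persistence mechanism (for example iptables-persistent on Debian-based systems), which this example does not cover. Keeping OUTPUT at ACCEPT with a stateful INPUT rule is what lets the host originate its own connections; the accepted answer's OUTPUT DROP with a single destination ACCEPT is stricter and blocks everything the host itself tries to reach except that one address.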
For this question (Ansible playbook to block all IPs except one or more), a similar question was found on Stack Overflow: https://stackoverflow.com/questions/46421823/