Ansible - setting iptables rules locks me out of SSH

Time: 2017-06-28 09:39:01

Tags: ansible ansible-2.x

I created the following iptables rules using Ansible's iptables module.

Before using Ansible, I had the following rules in a bash script. The SSH lockout was only temporary, because even though it locked me out, the whole script still ran through and opened port 22.

I can't achieve this through Ansible. Once the DROP rule is applied, SSH is locked out permanently and the remaining rules never run.

Is there any way to solve this in Ansible?

- iptables: 
    chain: INPUT
    jump: DROP

- iptables:
    chain: FORWARD
    jump: DROP

- iptables:
    chain: OUTPUT
    jump: DROP

- iptables:
    chain: INPUT
    ctstate: RELATED,ESTABLISHED
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    ctstate: RELATED,ESTABLISHED
    jump: ACCEPT

- iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    out_interface: lo   # OUTPUT chain matches on the outgoing interface
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT 

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT

2 Answers:

Answer 0 (score: 0)

Don't think you won't get kicked out by iptables after the DROP...

In any case, Ansible does not handle saving and/or loading of rules; it only deals with the current rules present in memory.

Ansible's official example suggests using a template.

- name: insert iptables template
  template: src=iptables.j2 dest=/etc/sysconfig/iptables
  when: ansible_distribution_major_version != '7'
  notify: restart iptables

Answer 1 (score: -1)

Just change the order of the iptables calls so that the ones allowing you access come first:

# put these two rules first so that
# ansible can stay connected
- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT    

- iptables:
    chain: INPUT
    ctstate: RELATED,ESTABLISHED
    jump: ACCEPT

# Now do all your more restrictive rules
- iptables: 
    chain: INPUT
    jump: DROP

- iptables:
    chain: FORWARD
    jump: DROP

- iptables:
    chain: OUTPUT
    jump: DROP

- iptables:
    chain: OUTPUT
    ctstate: RELATED,ESTABLISHED
    jump: ACCEPT

- iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    out_interface: lo   # OUTPUT chain matches on the outgoing interface
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT 

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT
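What the question and the second answer are both reaching for, written out as an added example (this is not the question's playbook nor either answer's). The bash script survived because `iptables -P INPUT DROP` sets the chain's default policy, which iptables consults only after every rule in the chain has failed to match; the playbook instead appends a match-everything `-j DROP` rule ahead of the ACCEPT rules, and iptables stops at the first matching rule. The iptables module's `policy` parameter (Ansible 2.2 and later) reproduces the script's behaviour, and setting the policies as the last step means the established-connection rule is already in place when default-deny takes effect, so the order of the ACCEPT rules no longer matters. Assumed, and not from the page: an inventory group named `webservers`, sudo on the hosts, that the controller reaches them over TCP/22, and the RHEL-style save path from the first answer.

```yaml
# Added example, not the question's or either answer's playbook.
# Assumptions: inventory group "webservers", Ansible >= 2.2 (iptables `policy`),
# and that the controller reaches the host over TCP/22.
- hosts: webservers
  become: true
  tasks:
    # 1. Keep the connection Ansible is using alive before anything else:
    #    replies to established/related flows are accepted in both directions.
    - name: Accept established/related traffic (in and out)
      iptables:
        chain: "{{ item }}"
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
      with_items: [INPUT, OUTPUT]

    - name: Accept loopback in
      iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Accept loopback out        # OUTPUT matches on the outgoing interface
      iptables:
        chain: OUTPUT
        out_interface: lo
        jump: ACCEPT

    # 2. The services this host offers and the connections it may initiate.
    - name: Accept new inbound SSH, HTTP and HTTPS
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ item }}"
        ctstate: NEW
        jump: ACCEPT
      with_items: [22, 80, 443]

    - name: Accept inbound DNS queries (tcp and udp)
      iptables:
        chain: INPUT
        protocol: "{{ item }}"
        destination_port: 53
        jump: ACCEPT
      with_items: [tcp, udp]

    - name: Accept outbound DNS (tcp and udp)
      iptables:
        chain: OUTPUT
        protocol: "{{ item }}"
        destination_port: 53
        jump: ACCEPT
      with_items: [tcp, udp]

    - name: Accept outbound SSH, HTTP and HTTPS
      iptables:
        chain: OUTPUT
        protocol: tcp
        destination_port: "{{ item }}"
        jump: ACCEPT
      with_items: [22, 80, 443]

    # 3. Only now switch the chains to default-deny. A policy is not a rule:
    #    packets that match no ACCEPT rule above fall through to it, so the
    #    order in which the ACCEPT rules were appended no longer matters.
    - name: Set default policy DROP on INPUT, FORWARD and OUTPUT
      iptables:
        chain: "{{ item }}"
        policy: DROP
      with_items: [INPUT, FORWARD, OUTPUT]

    # 4. The iptables module changes the in-memory ruleset only (see the first
    #    answer); persist it so a reboot does not silently revert to accept-all.
    #    Path is the RHEL/CentOS one from the first answer; Debian-based hosts
    #    with iptables-persistent use /etc/iptables/rules.v4 instead.
    - name: Persist the ruleset
      shell: iptables-save > /etc/sysconfig/iptables
```

Run it with `ansible-playbook -i <inventory> firewall.yml`. The module checks each rule with `iptables -C` before appending, so re-running the play does not duplicate rules; the final `shell` task, by contrast, always reports changed. If you prefer the second answer's approach of a trailing DROP rule instead of a policy, the same ordering principle applies: every ACCEPT must be appended before that rule, or inserted above it with `action: insert`.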