Question

我开始使用Ansible开发一个在系统iptables上执行某些操作的剧本。我有一台服务器，我想阻止除一个或多个IP之外的所有IP。

我真的不知道如何使用ansible模块编写iptables规则。我需要：

删除所有传入的流量（iptables -P INPUT DROP）
删除所有传入流量（iptables -P INPUT DROP）
删除所有转发的流量（iptables -P FORWARD DROP）
允许所有传出流量（iptables -P OUTPUT ACCEPT）
iptables -A INPUT -p tcp -m tcp -s ipaddress --dport 22 -j ACCEPT

到目前为止，我已经创建了这本Playbook：

---

  - hosts: localhost
    remote_user: sysadmin
    become: true

    vars:
      host_name: localhost

    tasks:

  # Drop all incoming traffic
  # iptables -P INPUT DROP
     - iptables:
         chain: INPUT
         protocol: all
         jump: DROP
       become: yes


  # Drop all forwarded traffic
  # iptables -P FORWARD DROP
     - iptables:
         chain: FORWARD
         source: all
         jump: DROP
       become: yes

  # Allow all outgoing traffic
  #iptables -P OUTPUT ACCEPT
     - iptables:
         chain: OUTPUT
         source: all
         jump: ACCEPT
       become: yes

  # Allow all outgoing traffic
  # iptables -A INPUT -p tcp -m tcp -s xx.xx.xx.xx/32 --dport 22 -j ACCEPT
     - iptables:
         action: append
         chain: INPUT
         protocol: tcp
         source: ip_address
         destination_port: 22
         jump: ACCEPT
       become: yes

Answer 1

我解决了不同的步骤：

iptables -A INPUT -s 2.228.104.210 -j ACCEPT
iptables -A OUTPUT -d 2.228.104.210 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

工作剧本：

---

  - hosts: localhost
    remote_user: sysadmin
    become: true

    vars:
      host_name: localhost

    tasks:

     - iptables:
         chain: INPUT
         source: 192.168.1.1
         jump: ACCEPT
       become: yes


     - iptables:
         chain: OUTPUT
         destination: 192.168.1.1
         jump: ACCEPT
       become: yes


     - iptables:
         chain: INPUT
         policy: DROP
       become: yes


     - iptables:
         chain: OUTPUT
         policy: DROP
       become: yes

Ansible playbook block ALL IP排除一个或多个IP

1 个答案: