Ansible - setting iptables rules locks me out of SSH


I created the following iptables rules using Ansible's iptables module.

Before using Ansible I had the same rules in a bash script. There the SSH lockout was only temporary, because even though it locked me out, the whole script kept running and opened port 22 again.

I'm having trouble doing the same with Ansible. Once the DROP rule is applied, SSH is locked out for good and the remaining rules never run.

Is there a way to solve this in Ansible?

- iptables: 
    chain: INPUT
    jump: DROP

- iptables:
    chain: FORWARD
    jump: DROP

- iptables:
    chain: OUTPUT
    jump: DROP

- iptables:
    chain: INPUT
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

- iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    out_interface: lo
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT 

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT

I don't think it is possible not to get kicked out after the iptables DROP.

In any case, Ansible does not handle saving and/or loading the rules; it only manages the current in-memory rules.

Ansible recommends using a template:

- name: insert iptables template
  template: src=iptables.j2 dest=/etc/sysconfig/iptables
  when: ansible_distribution_major_version != '7'
  notify: restart iptables

Just change the order of the iptables calls so that your access is allowed first:

# put these rules first so that
# ansible can stay connected
- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT

- iptables:
    chain: INPUT
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

# the replies of the SSH session leave through OUTPUT,
# so this one must also be in place before the OUTPUT DROP
- iptables:
    chain: OUTPUT
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

# Now do all your more restrictive rules
- iptables:
    chain: INPUT
    jump: DROP

- iptables:
    chain: FORWARD
    jump: DROP

- iptables:
    chain: OUTPUT
    jump: DROP

- iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    out_interface: lo
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT 

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: udp
    destination_port: 53
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 22
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 80
    jump: ACCEPT

- iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT

- iptables:
    chain: OUTPUT
    protocol: tcp
    destination_port: 443
    jump: ACCEPT
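An added example, not code from the question or either answer: the same firewall written so that no `-A ... -j DROP` rule is ever appended ahead of the ACCEPT rules. All ACCEPT rules go in first and the default-deny is applied last as the chain policy (the module's `policy` parameter), so the SSH session Ansible is using survives and no later rule is shadowed. The tasks assume the same services as the question (SSH, HTTP, HTTPS in, DNS out); adjust the port lists for other hosts.

```yaml
# Keep the running SSH session (and any other established flow) alive.
# This must be the first rule in both chains that later get a DROP policy.
- name: Accept established and related traffic
  iptables:
    chain: "{{ item }}"
    ctstate: [ESTABLISHED, RELATED]
    jump: ACCEPT
  loop: [INPUT, OUTPUT]

- name: Accept loopback (inbound)
  iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- name: Accept loopback (outbound)
  iptables:
    chain: OUTPUT
    out_interface: lo      # OUTPUT matches on the outgoing interface
    jump: ACCEPT

# New inbound connections: only the services this host offers.
- name: Accept new SSH, HTTP and HTTPS connections
  iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "{{ item }}"
    ctstate: NEW
    jump: ACCEPT
  loop: [22, 80, 443]

# Outbound DNS so name resolution keeps working under the OUTPUT DROP policy.
- name: Accept outbound DNS
  iptables:
    chain: OUTPUT
    protocol: "{{ item }}"
    destination_port: 53
    jump: ACCEPT
  loop: [tcp, udp]

# Default deny goes last and is set as the chain policy rather than an
# appended rule, so every ACCEPT above stays reachable.
- name: Set default policy to DROP
  iptables:
    chain: "{{ item }}"
    policy: DROP
  loop: [INPUT, FORWARD, OUTPUT]
```

The module only changes the in-kernel rules, so once the play has succeeded the rules still need to be persisted separately, for example with the template approach from the first answer.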