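---
# Rewrite the SSH (22992) and Zabbix (10050:10053) firewall rules in
# /etc/sysconfig/iptables on the selected hosts.
#
# Run with:  ansible-playbook -i <inventory> Edit_iptables.yml -e "host=<group>"
#
# The play only edits the rules file; it does not reload the iptables service
# (see the commented-out task at the end), so the new rules take effect on the
# next iptables restart/reload.
- hosts: '{{ host }}'
  remote_user: root
  tasks:
    # 参考 https://www.cnblogs.com/shoufu/p/14764646.html
    - name: 删除所有22992和10050端口防火墙规则
      # state=absent removes EVERY line matching the regexp, so each run wipes
      # the previously managed rules and their block markers before the two
      # blockinfile tasks below re-add them.
      # NOTE(review): the match is a substring search; an unrelated rule whose
      # text happens to contain "22992" or "10050" is deleted as well.
      lineinfile:
        path: /etc/sysconfig/iptables
        state: absent
        regexp: '.*(22992|10050|禁止非授权修改)'

    # 参考 https://www.cnblogs.com/shoufu/p/14764646.html
    - name: 添加指定的SSH端口防火墙规则
      blockinfile:
        path: /etc/sysconfig/iptables
        # The leading "\n" puts a blank line in front of each marker line.
        marker: "\n# {mark} SSH端口22992规则,禁止非授权修改"
        # blockinfile falls back to end-of-file when insertafter matches
        # nothing; in an iptables-save file that is below COMMIT, so the
        # loopback ACCEPT rule must exist on every target for the block to
        # land inside the INPUT chain. Placing the ACCEPT rules right after
        # the loopback rule keeps them ahead of any later REJECT/DROP.
        insertafter: "-A INPUT -i lo -j ACCEPT"
        # One ACCEPT rule per allowed source address. The original listed
        # 172.19.7.200/32 four times; if other addresses were meant, add
        # them here.
        block: |
          -A INPUT -s 172.25.110.31/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,22992 -m comment --comment "jenkins内网-SSH_PORT" -j ACCEPT
          -A INPUT -s 172.30.200.249/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,22992 -m comment --comment "内网VPN-SSH_PORT" -j ACCEPT
          -A INPUT -s 172.25.200.200/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,22992 -m comment --comment "内网VPN-SSH_PORT" -j ACCEPT
          -A INPUT -s 172.20.200.200/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,22992 -m comment --comment "内网VPN-SSH_PORT" -j ACCEPT
          -A INPUT -s 172.19.3.200/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,22992 -m comment --comment "内网VPN-SSH_PORT" -j ACCEPT
          -A INPUT -s 172.19.7.200/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,22992 -m comment --comment "内网VPN-SSH_PORT" -j ACCEPT

    # 参考 https://www.cnblogs.com/shoufu/p/14764646.html
    - name: 添加指定的Zabbix端口防火墙规则
      blockinfile:
        path: /etc/sysconfig/iptables
        # Marker names the port actually opened below (10050); the original
        # said "10500".
        marker: "\n# {mark} Zabbix端口10050规则,禁止非授权修改"
        # Anchored on the END marker written by the SSH task above, so the two
        # marker strings must stay in sync; if they drift, this block falls
        # back to end-of-file (see the note on the SSH task).
        insertafter: "END SSH端口22992规则,禁止非授权修改"
        block: |
          -A INPUT -s 172.30.199.2/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 10050:10053 -m comment --comment "ZAABIX_内网_PORT" -j ACCEPT
          -A INPUT -s 172.25.200.10/32 -p tcp -m tcp -m state --state NEW,ESTABLISHED -m multiport --dports 10050:10053 -m comment --comment "ZAABIX_内网网_PORT" -j ACCEPT

    # Left disabled on purpose: restarting iptables interrupts traffic, and the
    # original restarted docker alongside it (presumably so Docker re-creates
    # its own chains after the flush — confirm before enabling).
    # - name: 重启防火墙和docker
    #   shell: systemctl restart iptables.service docker.service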
执行方法
ansible-playbook -i ~/GIT/serverlist/server_list_17225.txt Edit_iptables.yml -e "host=172_25_test"