14. Ansible modules: selinux, firewalld, iptables

1.1 selinux: official examples

EXAMPLES:

- name: Enable SELinux
  selinux:
    policy: targeted
    state: enforcing

- name: Put SELinux in permissive mode, logging actions that would be blocked.
  selinux:
    policy: targeted
    state: permissive

- name: Disable SELinux
  selinux:
    state: disabled

selinux module, ad-hoc:

ansible webservers -m selinux -a 'state=disabled'

Note: policy is required whenever state is enforcing or permissive. Switching between enforcing and permissive is applied at once (setenforce) and persisted in /etc/selinux/config; switching between disabled and enabled only takes effect after a reboot, which the module reports as reboot_required: true. Disabling SELinux removes a layer of mandatory access control, so use permissive to diagnose denials rather than disabled.
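The ad-hoc command above only flips the state; an added example playbook (not from the original post) that puts hosts into enforcing mode, reboots only when the module says a reboot is required, and then verifies the running mode with getenforce. The host group "webservers" and the privilege escalation are assumptions. The module is referenced by its collection name, ansible.posix.selinux, which is where it lives in current Ansible.

```yaml
# Added example, not part of the original post.
# Assumptions: inventory group "webservers" exists and become works.
- name: Enforce SELinux on web servers
  hosts: webservers
  become: true
  tasks:
    - name: Targeted policy, enforcing mode (runtime and /etc/selinux/config)
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      register: selinux_result

    # disabled -> enforcing needs a reboot; the module signals this with
    # reboot_required. enforcing <-> permissive is applied live and does not.
    - name: Reboot only when the kernel-level SELinux state has to change
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: selinux_result.reboot_required | default(false)

    - name: Read back the running mode
      ansible.builtin.command: getenforce
      register: getenforce_out
      changed_when: false

    - name: Fail the play if a host is not actually enforcing
      ansible.builtin.assert:
        that:
          - getenforce_out.stdout == "Enforcing"
        fail_msg: "SELinux is {{ getenforce_out.stdout }} on {{ inventory_hostname }}"
```

The final assert is the check worth keeping: a host whose config file says enforcing but whose kernel is still running disabled (reboot skipped, or the reboot task failed) is otherwise reported as green.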

2.1 firewalld

Official examples

EXAMPLES:

- firewalld:
    service: https
    permanent: yes
    state: enabled

- firewalld:
    port: 8081/tcp
    permanent: yes
    state: disabled

firewalld module:
args:

	zone:		zone to operate on; defaults to the system's default zone (public on a stock install)
	source:		source address or network (binds that source to the zone)
	service:	service name, e.g. http, https, ssh, ...
	port:		port with protocol, e.g. 80/tcp
	permanent:	written to the saved configuration (survives reload and reboot), but not applied to the running firewall until a reload
	immediate:	applied to the running firewall now, but lost on the next reload or restart unless permanent is also set
	state:		enable or disable the rule
		disabled
		enabled
2.2 Allow port 80 on all managed hosts (permanent=yes so it survives a reload, immediate=yes so it applies now):
ansible webservers -m systemd -a 'name=firewalld state=started enabled=yes'
ansible webservers -m firewalld -a 'port=80/tcp permanent=yes immediate=yes state=enabled'
2.3 Allow the https service on all managed hosts (state must be enabled; present/absent are only for zone-level operations):
ansible webservers -m systemd -a 'name=firewalld state=started enabled=yes'
ansible webservers -m firewalld -a 'service=https permanent=yes immediate=yes state=enabled'
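An added example playbook (not from the original post) that uses the arguments listed above together: https is opened to everyone, an admin port is reachable only from a management network by binding that source to the internal zone, the same port is explicitly closed in public, and the result is checked with firewall-cmd. The management network 192.0.2.0/24, port 8081/tcp and the "webservers" group are assumptions.

```yaml
# Added example, not part of the original post.
# Assumptions: group "webservers", management network 192.0.2.0/24,
# admin service on 8081/tcp. firewalld lives in the ansible.posix collection.
- name: Configure firewalld on web servers
  hosts: webservers
  become: true
  vars:
    mgmt_net: 192.0.2.0/24
  tasks:
    - name: firewalld running now and at boot
      ansible.builtin.systemd:
        name: firewalld
        state: started
        enabled: true

    # permanent + immediate: saved to disk and applied to the running firewall.
    # permanent alone waits for a reload; immediate alone is gone after one.
    - name: Allow https in the public zone
      ansible.posix.firewalld:
        zone: public
        service: https
        permanent: true
        immediate: true
        state: enabled

    # A source binding wins over the interface's zone, so packets from
    # mgmt_net are evaluated against "internal" instead of "public".
    - name: Bind the management network to the internal zone
      ansible.posix.firewalld:
        zone: internal
        source: "{{ mgmt_net }}"
        permanent: true
        immediate: true
        state: enabled

    - name: Admin port open only in the internal zone (i.e. only from mgmt_net)
      ansible.posix.firewalld:
        zone: internal
        port: 8081/tcp
        permanent: true
        immediate: true
        state: enabled

    - name: Make sure the admin port is not also open to the world
      ansible.posix.firewalld:
        zone: public
        port: 8081/tcp
        permanent: true
        immediate: true
        state: disabled

    - name: Show what the public zone actually exposes
      ansible.builtin.command: firewall-cmd --zone=public --list-all
      register: public_zone
      changed_when: false

    - name: Fail if 8081/tcp is listed in public
      ansible.builtin.assert:
        that:
          - "'8081/tcp' not in public_zone.stdout"
```

Note that firewalld services such as https (443/tcp) are just named port sets; the service name buys you readability, not extra filtering. Restricting who can reach a port is done by zone and source as above, or by rich rules, not by the service entry.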

3. iptables module:

Official examples:

EXAMPLES:

- name: Block specific IP
  iptables:
    chain: INPUT
    source: 8.8.8.8
    jump: DROP
  become: yes

- name: Forward port 80 to 8600
  iptables:
    table: nat
    chain: PREROUTING
    in_interface: eth0
    protocol: tcp
    match: tcp
    destination_port: 80
    jump: REDIRECT
    to_ports: 8600
    comment: Redirect web traffic to port 8600
  become: yes
3.1 iptables args:

    table:            table (filter, nat, mangle, raw; default filter)
    chain:            chain (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING, ...)
    source:           source IP or network
    destination:      destination IP or network
    destination_port: destination port (protocol must be set as well)
    protocol:         protocol (tcp, udp, icmp, ...)
    jump:             target, e.g. ACCEPT, DROP, REJECT, SNAT, DNAT, REDIRECT
    action:           how the rule is added
        insert: insert at rule_num (default 1, the top of the chain)
        append: append to the end of the chain (the default)

Note: the iptables module only manipulates the rules currently in memory; it does not save or load them. Rules are gone after a reboot unless you persist them yourself (iptables-save with iptables-services, or netfilter-persistent). The module checks with iptables -C before adding, so re-running a task does not duplicate a rule.
3.2 Drop tcp traffic from source IP 192.168.1.1 to destination 1.1.1.1 port 80; the rule must be inserted as the first line of the chain:
ansible webservers -m iptables -a 'table=filter chain=INPUT source=192.168.1.1/32 destination=1.1.1.1 destination_port=80 protocol=tcp jump=DROP action=insert'
3.3 NAT: SNAT and DNAT:

Both go in the nat table. When the translated destination is another host, the gateway must also forward packets (net.ipv4.ip_forward=1) and the FORWARD chain must accept the flow, otherwise the DNAT rule matches but nothing gets through.

Example 1: DNAT: requests to 1.1.1.1:80 are DNATed to 2.2.2.2:8800

ansible webservers -m iptables -a 'table=nat chain=PREROUTING protocol=tcp destination=1.1.1.1 destination_port=80 jump=DNAT to_destination="2.2.2.2:8800"'

Example 2: DNAT: requests to 1.1.1.1:81 are DNATed to 3.3.3.3:8800

ansible webservers -m iptables -a 'table=nat chain=PREROUTING protocol=tcp destination=1.1.1.1 destination_port=81 jump=DNAT to_destination="3.3.3.3:8800"'

Example 3: SNAT (POSTROUTING chain). The equivalent raw iptables command, for comparison:
iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 5.5.5.5

ansible webservers -m iptables -a 'table=nat chain=POSTROUTING source=172.16.2.0/24 jump=SNAT to_source=6.6.6.6'
ansible webservers -m iptables -a 'table=nat chain=POSTROUTING source=172.16.3.0/24 jump=SNAT to_source=7.7.7.7 action=insert'
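The DROP, DNAT and SNAT rules from this section as an added example playbook (not from the original post), together with the pieces the ad-hoc commands leave out: enabling IP forwarding, a FORWARD rule scoped to the DNATed flow instead of a blanket accept, and saving the ruleset so it survives a reboot. All addresses are taken from the examples above; the save path /etc/sysconfig/iptables (iptables-services on RHEL-family hosts) and the "webservers" group are assumptions.

```yaml
# Added example, not part of the original post.
# Assumptions: group "webservers"; RHEL-family host with iptables-services,
# so /etc/sysconfig/iptables is what gets restored at boot.
- name: NAT gateway rules
  hosts: webservers
  become: true
  tasks:
    - name: Drop 192.168.1.1 -> 1.1.1.1:80, inserted at the top of INPUT
      ansible.builtin.iptables:
        table: filter
        chain: INPUT
        source: 192.168.1.1/32
        destination: 1.1.1.1
        protocol: tcp
        destination_port: "80"
        jump: DROP
        action: insert
        comment: drop 192.168.1.1 to web

    # DNAT rewrites the destination before routing; without ip_forward the
    # kernel will not carry the rewritten packet on to 2.2.2.2.
    - name: Enable IPv4 forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        state: present
        reload: true

    - name: DNAT 1.1.1.1:80 -> 2.2.2.2:8800
      ansible.builtin.iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        destination: 1.1.1.1
        destination_port: "80"
        jump: DNAT
        to_destination: 2.2.2.2:8800

    # After DNAT the packet traverses FORWARD with dst 2.2.2.2:8800.
    # ctstate adds -m conntrack --ctstate for you.
    - name: Allow only the forwarded flow to the backend
      ansible.builtin.iptables:
        chain: FORWARD
        protocol: tcp
        destination: 2.2.2.2
        destination_port: "8800"
        ctstate: [NEW, ESTABLISHED, RELATED]
        jump: ACCEPT

    - name: Allow replies back through FORWARD
      ansible.builtin.iptables:
        chain: FORWARD
        ctstate: [ESTABLISHED, RELATED]
        jump: ACCEPT

    - name: SNAT 172.16.2.0/24 -> 6.6.6.6 on the way out
      ansible.builtin.iptables:
        table: nat
        chain: POSTROUTING
        source: 172.16.2.0/24
        jump: SNAT
        to_source: 6.6.6.6

    # The iptables module edits only the in-memory ruleset; persist it.
    - name: Save the ruleset so it is restored at boot
      ansible.builtin.shell: iptables-save > /etc/sysconfig/iptables
```

Keep the FORWARD policy at DROP and add rules per forwarded flow as above; a FORWARD ACCEPT policy turns the NAT gateway into an open router for every host that can reach it. Because the module probes with iptables -C, the play is idempotent and the save task is the only one that always reports changed.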
posted @ 2022-10-05 18:35 by 老夫聊发少年狂88