使用Ansible安装部署nginx+php+mysql之配置iptables防火墙(0)

前提：

1、已配置好hosts文件且免密码登录

2、需要的yaml文件已上传到主控端

一、使用Ansible配置iptables

1、iptables.yaml文件

---
- hosts: clong
  remote_user: root
  gather_facts: no
  tasks:
    # 停止系统自带的firewalld防火墙 
    - name: stop firewalld
      service: name=firewalld state=stopped
    # 卸载系统自带的firewalld防火墙    
    - name: remove firewalld
      yum: name=firewalld state=absent
    # 安装iptables防火墙  
    - name: install iptables
      yum: name=iptables-services state=present
    # 开启iptables防火墙
    - name: enable iptables
      service: name=iptables state=started enabled=yes  
    # 安装libselinux-python
    - name: install libselinux-python
      yum: name=libselinux-python state=present
    # iptables防火墙配置文件放行80，3306端口 
    - name: copy iptables
      copy: src=iptables  dest=/etc/sysconfig/iptables backup=yes owner=root group=root mode=0600
      notify: restart iptables
    # 重启iptables防火墙
  handlers:
    - name: restart iptables
      service: name=iptables state=restarted

2、iptables文件

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT