使用Ansible安装部署nginx+php+mysql之配置iptables防火墙(0)
前提:
1、已配置好hosts文件且免密码登录
2、需要的yaml文件已上传到主控端
一、使用Ansible配置iptables
1、iptables.yaml文件
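---
# Replace the distribution firewall (firewalld) with iptables-services on the
# "clong" hosts and install a rules file that admits 22, 80 and 3306 (see the
# accompanying "iptables" file). Runs as root; no facts are used, so gathering
# is skipped to save a round trip per host.
- hosts: clong
  remote_user: root
  gather_facts: false
  tasks:
    # Stop the running firewalld before it is uninstalled.
    # NOTE(review): this task errors on hosts where firewalld is not installed;
    # the play assumes firewalld is present on every target — confirm for the
    # inventory group.
    - name: stop firewalld
      service:
        name: firewalld
        state: stopped

    # Uninstall firewalld so the two front-ends never compete for the
    # netfilter ruleset.
    - name: remove firewalld
      yum:
        name: firewalld
        state: absent

    # iptables-services provides the iptables unit and the
    # /etc/sysconfig/iptables rules file loaded on start.
    - name: install iptables
      yum:
        name: iptables-services
        state: present

    # Start now and enable at boot. The package's default ruleset applies
    # until the copy task below replaces it and notifies the restart handler.
    - name: enable iptables
      service:
        name: iptables
        state: started
        enabled: true

    # Ansible's file-handling modules (copy below) need this Python binding on
    # SELinux-enabled targets.
    - name: install libselinux-python
      yum:
        name: libselinux-python
        state: present

    # Install the rules file (opens 80 and 3306 on top of 22). backup keeps the
    # previous ruleset on the host so a lockout can be reverted from the
    # console. mode is quoted: an unquoted 0600 is parsed as the octal integer
    # 384 and applied as an unintended permission set.
    - name: copy iptables
      copy:
        src: iptables
        dest: /etc/sysconfig/iptables
        backup: true
        owner: root
        group: root
        mode: "0600"
      notify: restart iptables

  handlers:
    # Reload the ruleset; runs once per play and only when the copy task
    # reported a change.
    - name: restart iptables
      service:
        name: iptables
        state: restarted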
2、iptables文件
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
#
# Installed to /etc/sysconfig/iptables by the iptables.yaml play and loaded
# when the iptables service (re)starts. Rules are evaluated top to bottom and
# the first matching terminal target wins, so the order below matters.
*filter
# Built-in chain policies are ACCEPT; the explicit REJECT rules at the end of
# INPUT and FORWARD are what actually close the host. Counters start at 0.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packets belonging to, or related to, connections already tracked.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# All ICMP types from any source (ping, path-MTU discovery, etc.).
-A INPUT -p icmp -j ACCEPT
# Loopback: local-only services are fully covered by this rule.
-A INPUT -i lo -j ACCEPT
# SSH management access, new connections from any source.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# HTTP (nginx), new connections from any source.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# MySQL, new connections from any source.
# NOTE(review): if MySQL only serves PHP running on this same host, the
# loopback rule above already covers it and this rule can be removed; if
# remote clients are required, restrict it with -s <trusted_cidr> instead of
# exposing the database port to every peer.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
# Anything not matched above is refused with an ICMP error rather than
# silently dropped.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# This host does not route; refuse forwarded traffic as well.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT