Inicio Explorar Ayuda
Registro Iniciar sesión
shixiong
/
okd
1
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: 37788eb759
Ramas Etiquetas
okd
/
roles
/
os_firewall
/
tasks
/
firewall
/
iptables.yml

iptables.yml 2.1 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 
  1. ---
    2. 

  2. - name: Check if firewalld is installed
    3. 

  3.   command: rpm -q firewalld
    4. 

  4.   args:
    5. 

  5.     # Disables the following warning:
    6. 

  6.     # Consider using yum, dnf or zypper module rather than running rpm
    7. 

  7.     warn: no
    8. 

  8.   register: pkg_check
    9. 

  9.   failed_when: pkg_check.rc > 1
    10. 

  10.   changed_when: no
    11. 

  11. 

  12. - name: Ensure firewalld service is not enabled
    13. 

  13.   service:
    14. 

  14.     name: firewalld
    15. 

  15.     state: stopped
    16. 

  16.     enabled: no
    17. 

  17.   when: pkg_check.rc == 0
    18. 

  18. 

  19. # TODO: submit PR upstream to add mask/unmask to service module
    20. 

  20. - name: Mask firewalld service
    21. 

  21.   command: systemctl mask firewalld
    22. 

  22.   register: result
    23. 

  23.   changed_when: "'firewalld' in result.stdout"
    24. 

  24.   when: pkg_check.rc == 0
    25. 

  25.   ignore_errors: yes
    26. 

  26. 

  27. - name: Install iptables packages
    28. 

  28.   action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
    29. 

  29.   with_items:
    30. 

  30.   - iptables
    31. 

  31.   - iptables-services
    32. 

  32.   register: install_result
    33. 

  33.   when: not openshift.common.is_atomic | bool
    34. 

  34. 

  35. - name: Reload systemd units
    36. 

  36.   command: systemctl daemon-reload
    37. 

  37.   when: install_result | changed
    38. 

  38. 

  39. - name: Determine if iptables service masked
    40. 

  40.   command: >
    41. 

  41.     systemctl is-enabled {{ item }}
    42. 

  42.   with_items:
    43. 

  43.   - iptables
    44. 

  44.   - ip6tables
    45. 

  45.   register: os_firewall_iptables_masked_output
    46. 

  46.   changed_when: false
    47. 

  47.   failed_when: false
    48. 

  48. 

  49. - name: Unmask iptables service
    50. 

  50.   command: >
    51. 

  51.     systemctl unmask {{ item }}
    52. 

  52.   with_items:
    53. 

  53.   - iptables
    54. 

  54.   - ip6tables
    55. 

  55.   when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')"
    56. 

  56. 

  57. - name: Start and enable iptables service
    58. 

  58.   service:
    59. 

  59.     name: iptables
    60. 

  60.     state: started
    61. 

  61.     enabled: yes
    62. 

  62.   register: result
    63. 

  63. 

  64. - name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
    65. 

  65.   pause: seconds=10
    66. 

  66.   when: result | changed
    67. 

  67. 

  68. - name: Add iptables allow rules
    69. 

  69.   os_firewall_manage_iptables:
    70. 

  70.     name: "{{ item.service }}"
    71. 

  71.     action: add
    72. 

  72.     protocol: "{{ item.port.split('/')[1] }}"
    73. 

  73.     port: "{{ item.port.split('/')[0] }}"
    74. 

  74.   with_items: "{{ os_firewall_allow }}"
    75. 

  75. 

  76. - name: Remove iptables rules
    77. 

  77.   os_firewall_manage_iptables:
    78. 

  78.     name: "{{ item.service }}"
    79. 

  79.     action: remove
    80. 

  80.     protocol: "{{ item.port.split('/')[1] }}"
    81. 

  81.     port: "{{ item.port.split('/')[0] }}"
    82. 

  82.   with_items: "{{ os_firewall_deny }}"
    83.