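---
# Opens the Zabbix agent port(s) on every host, using whichever firewall
# front-end the host runs (firewalld, ufw or raw iptables), and retires the
# rules that pointed at the previous monitoring servers.
- name: "Update firewall rules for Zabbix agent"
  hosts: all
  gather_facts: true
  become: true

  # Put the IPs/hostnames of Zabbix servers and proxies here.
  # OLDMONSRC / OLDMONSRCRANGE are removed from the iptables INPUT chain,
  # MONSRC / MONSRCRANGE are added.  Only the iptables section is source-restricted;
  # the firewalld and ufw sections open the port to any source (see below).
  vars:
    OLDMONSRC:
      - "***CONTENTS REDACTED***"
      - "***CONTENTS REDACTED***"
    MONSRC:
      - "***CONTENTS REDACTED***"
    OLDMONSRCRANGE:
      - "***CONTENTS REDACTED***"
    MONSRCRANGE:
      - "***CONTENTS REDACTED***"

  tasks:
    - name: "msg print to stdout: Debug ansible_facts"
      debug:
        msg:
          - ansible_facts.distribution "{{ ansible_facts.distribution }}"
          - ansible_facts.distribution_major_version "{{ ansible_facts.distribution_major_version }}"
          - ansible_facts.distribution_file_variety "{{ ansible_facts.distribution_file_variety }}"

    # Package and service facts are gathered once; both are needed to pick FW_METHOD.
    - name: Gather package facts
      package_facts:
        manager: auto

    - name: Populate systemd service_facts
      service_facts:

    - name: Show MONSRC variables
      debug:
        # The whole list, not MONSRC[0-1] (which Jinja evaluates as MONSRC[-1]).
        msg: "MONSRCs: {{ MONSRC }}"

    - debug:
        msg:
          - ansible_facts.services['firewalld.service'] "{{ ansible_facts.services['firewalld.service'] }}"
      when: "'firewalld.service' in ansible_facts.services"

    - debug:
        msg:
          - ansible_facts.services['iptables.service'] "{{ ansible_facts.services['iptables.service'] }}"
      when: "'iptables.service' in ansible_facts.services"

    - debug:
        msg:
          - ansible_all_ipv4_addresses "{{ ansible_all_ipv4_addresses }}"

    #################################
    # Determine and set the firewall method.
    #
    # The tasks run in ascending order of authority and the last matching
    # set_fact wins: a service that is actually enabled/running beats the mere
    # presence of a package.  On RHEL-family hosts the iptables package is
    # commonly installed next to an active firewalld; inserting raw iptables
    # rules there leaves them unmanaged and the port still closed in firewalld.
    # Lookups into ansible_facts.services are guarded with an `in` test so a
    # host without that unit does not fail on an undefined key.
    - name: Default FW_METHOD so later conditions never see an undefined variable
      set_fact:
        FW_METHOD: "none"

    - name: Use iptables when the iptables package is installed
      set_fact:
        FW_METHOD: "iptables"
      when: "'iptables' in ansible_facts.packages"

    # ufw drives iptables itself, so on a ufw host the ufw rule is the one that
    # presumably survives a reload — prefer it over the plain iptables package.
    - name: Use ufw when the ufw package is installed
      set_fact:
        FW_METHOD: "ufw"
      when: "'ufw' in ansible_facts.packages"

    # service_facts reports the unit-file state in `status` ("enabled", ...) and
    # the runtime state in `state` ("running", "stopped").
    - name: Use iptables when iptables.service is enabled or running (non-Debian)
      set_fact:
        FW_METHOD: "iptables"
      when:
        - ansible_facts.distribution_file_variety != "Debian"
        - "'iptables.service' in ansible_facts.services"
        - ansible_facts.services['iptables.service']['status'] == 'enabled' or ansible_facts.services['iptables.service']['state'] == 'running'

    - name: Use firewalld when firewalld.service is enabled or running (non-Debian)
      set_fact:
        FW_METHOD: "firewalld"
      when:
        - ansible_facts.distribution_file_variety != "Debian"
        - "'firewalld.service' in ansible_facts.services"
        - ansible_facts.services['firewalld.service']['status'] == 'enabled' or ansible_facts.services['firewalld.service']['state'] == 'running'

    - name: Show value of FW_METHOD
      debug:
        msg: FW_METHOD is "{{ FW_METHOD }}"

    ########## firewalld section ################################################
    # NOTE(review): this opens 10050-10051/tcp to any source, whereas the iptables
    # section restricts the rule to MONSRC.  10051 is the Zabbix server/proxy
    # trapper port; an agent-only host needs just 10050 — confirm before narrowing.
    - name: allow :10050-10051/tcp incoming using firewalld
      firewalld:
        port: 10050-10051/tcp
        permanent: true
        state: enabled
        immediate: true
      when: FW_METHOD == "firewalld"

    ########## iptables section #################################################
    # Removal tasks use state: absent, which is a no-op when the rule is not
    # present, so no error suppression is needed.  Failures on the "Open" tasks
    # are no longer ignored: a silently missing rule leaves the host unmonitored.
    - name: Remove old $OLDMONSRC0 ("{{ OLDMONSRC[0] }}") if iptables.service is enabled
      iptables:
        action: insert
        chain: INPUT
        source: "{{ OLDMONSRC[0] }}"
        protocol: tcp
        destination_port: "10050:10051"
        state: absent
        jump: ACCEPT
      when: FW_METHOD == "iptables"

    - name: Remove old $OLDMONSRC1 ("{{ OLDMONSRC[1] }}") if iptables.service is enabled
      iptables:
        action: insert
        chain: INPUT
        # Second entry — the original task re-used OLDMONSRC[0] here and never removed [1].
        source: "{{ OLDMONSRC[1] }}"
        protocol: tcp
        destination_port: "10050:10051"
        state: absent
        jump: ACCEPT
      when: FW_METHOD == "iptables"

    - name: Open 10050/tcp from $MONSRC0 ("{{ MONSRC[0] }}") if iptables.service is enabled
      iptables:
        action: insert
        chain: INPUT
        source: "{{ MONSRC[0] }}"
        protocol: tcp
        destination_port: "10050:10051"
        state: present
        jump: ACCEPT
      when: FW_METHOD == "iptables"

    # `is search` on a list tests the regex against the list's string form, so
    # the pattern can match any part of any address.  MONSRC as shown above has
    # a single entry; the length guard keeps MONSRC[1] from being undefined —
    # TODO confirm the intended second monitoring source.
    - name: Open 10050/tcp if iptables.service is enabled AND IP contains 10135
      iptables:
        action: insert
        chain: INPUT
        source: "{{ MONSRC[1] }}"
        protocol: tcp
        destination_port: "10050:10051"
        state: present
        jump: ACCEPT
      when:
        - FW_METHOD == "iptables"
        - MONSRC | length > 1
        - ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***")

    - name: Remove 10050/tcp from $OLDMONSRCRANGE0 ("{{ OLDMONSRCRANGE[0] }}") if iptables.service is enabled
      iptables:
        action: insert
        chain: INPUT
        src_range: "{{ OLDMONSRCRANGE[0] }}"
        protocol: tcp
        destination_port: "10050:10051"
        state: absent
        jump: ACCEPT
      when: FW_METHOD == "iptables"

    - name: Open 10050/tcp from $MONSRCRANGE0 ("{{ MONSRCRANGE[0] }}") if iptables.service is enabled
      iptables:
        action: insert
        chain: INPUT
        src_range: "{{ MONSRCRANGE[0] }}"
        protocol: tcp
        destination_port: "10050:10051"
        state: present
        jump: ACCEPT
      when: FW_METHOD == "iptables"

    - name: Open 10050/tcp from ***CONTENTS REDACTED*** if iptables.service is enabled and IP contains ***CONTENTS REDACTED***, ***CONTENTS REDACTED***, ***CONTENTS REDACTED***
      iptables:
        action: insert
        chain: INPUT
        src_range: "***CONTENTS REDACTED***"
        protocol: tcp
        destination_port: "10050:10051"
        state: present
        jump: ACCEPT
      when:
        - FW_METHOD == "iptables"
        - ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***") or ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***") or ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***")

    # /etc/sysconfig/iptables is the RHEL-family location; on other families the
    # directory may not exist, so this remains best-effort.  Without a successful
    # save the rules above do not survive a reboot.
    - name: Save current state of the firewall in system file if iptables is enabled
      iptables_state:
        state: saved
        path: /etc/sysconfig/iptables
      when: FW_METHOD == "iptables"
      ignore_errors: true

    ########## ufw section ######################################################
    # Allow connections to :10050 on systems using UFW.
    # NOTE(review): like the firewalld rule this is open to any source, unlike the
    # source-restricted iptables rules above.
    - name: allow :10050/tcp incoming, ufw
      ufw:
        rule: allow
        port: '10050'
        proto: tcp
        comment: Zabbix agent on 10050
      when: FW_METHOD == "ufw"

    ######### End of firewall stuff #############################################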