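---
# Restrict the Zabbix agent port(s) on every host to the monitoring servers /
# proxies listed under vars, whichever firewall front-end the host runs
# (firewalld, ufw, or plain iptables).
#
# Rotation model: entries in the OLD* lists are removed, entries in the current
# lists are added.  Every backend now gets the SAME source restriction -- the
# previous version of this play restricted sources only on the iptables path
# and opened the port to any source on firewalld and ufw hosts; the blanket
# rules it created are removed below.
- name: "Update firewall rules for Zabbix agent"
  hosts: all
  gather_facts: true
  become: true
  vars:
    # Put the IPs of Zabbix servers and proxies here.  Use IP addresses rather
    # than hostnames: firewalld rich rules and ufw do not accept names, and a
    # hostname in an iptables rule is resolved once at insert time, so a later
    # "state: absent" after a DNS change would leave the old rule in place.
    OLDMONSRC:
      - ***CONTENTS REDACTED***
      - ***CONTENTS REDACTED***
    # NOTE(review): only one entry is visible here, but hosts matching the
    # address pattern below need MONSRC[1] to exist -- otherwise that
    # set_fact fails loudly (it used to be masked by ignore_errors).
    MONSRC:
      - ***CONTENTS REDACTED***
    # Hyphenated ranges ("a.b.c.d-a.b.c.e") for the iptables iprange match.
    # firewalld and ufw only accept CIDR, so MONSRCNET carries the CIDR form
    # for those backends.
    OLDMONSRCRANGE:
      - ***CONTENTS REDACTED***
    MONSRCRANGE:
      - ***CONTENTS REDACTED***
    # CIDR networks allowed on firewalld/ufw hosts in addition to MONSRC.
    # TODO(review): fill in the CIDR equivalents of MONSRCRANGE (and of the
    # extra range used in the iptables section) if any firewalld/ufw host must
    # be reached from those ranges; leave empty otherwise.
    MONSRCNET: []
    # The agent listens on 10050.  10051 is the server/proxy trapper port and
    # is kept only because the existing iptables/firewalld rules opened it as
    # well -- NOTE(review): if no target is a Zabbix proxy, set both to 10050.
    # The defaults must stay 10050/10051 for the removal of rules created by
    # earlier runs to match.
    AGENT_PORT_FIRST: 10050
    AGENT_PORT_LAST: 10051
    # iptables/ufw write ranges as "a:b", firewalld as "a-b".
    AGENT_PORTS_IPT: "{{ AGENT_PORT_FIRST }}:{{ AGENT_PORT_LAST }}"
    AGENT_PORTS_FWD: "{{ AGENT_PORT_FIRST }}-{{ AGENT_PORT_LAST }}"
  tasks:
    - name: Gather package facts
      ansible.builtin.package_facts:
        manager: auto

    - name: Gather systemd service facts
      ansible.builtin.service_facts:

    ########## Pick the firewall front-end ######################################
    # Precedence matters: on RHEL-family hosts the "iptables" package is present
    # even when firewalld is the active front-end, and rules inserted straight
    # into INPUT are discarded on the next firewalld reload.  The last matching
    # set_fact wins, so order is: iptables < ufw < firewalld.
    - name: Default to no firewall front-end
      ansible.builtin.set_fact:
        FW_METHOD: "none"

    - name: Select plain iptables when the package is installed
      ansible.builtin.set_fact:
        FW_METHOD: "iptables"
      when: "'iptables' in ansible_facts.packages"

    - name: Select ufw when the package is installed
      ansible.builtin.set_fact:
        FW_METHOD: "ufw"
      when: "'ufw' in ansible_facts.packages"

    # The Debian exclusion is kept from the original: Debian-family hosts are
    # expected to run ufw or iptables.  The "in services" guard avoids a
    # conditional error on hosts where firewalld is not installed at all.
    - name: Select firewalld when its unit is running or enabled (non-Debian hosts)
      ansible.builtin.set_fact:
        FW_METHOD: "firewalld"
        # Only touch the live ruleset when the daemon is actually up;
        # "permanent" still records the rule for the next start.
        FWD_IMMEDIATE: "{{ ansible_facts.services['firewalld.service'].state == 'running' }}"
      when:
        - ansible_facts.distribution_file_variety != "Debian"
        - "'firewalld.service' in ansible_facts.services"
        - ansible_facts.services['firewalld.service'].state == 'running' or ansible_facts.services['firewalld.service'].status == 'enabled'

    # A host with no recognised firewall has the agent port unrestricted;
    # fail explicitly instead of silently skipping every rule task.
    - name: Refuse hosts where no supported firewall was found
      ansible.builtin.assert:
        that:
          - "FW_METHOD in ['firewalld', 'ufw', 'iptables']"
        fail_msg: >-
          No supported firewall (firewalld, ufw, iptables) detected;
          the Zabbix agent port would be unrestricted on this host.

    - name: Show the selected firewall front-end
      ansible.builtin.debug:
        msg: "FW_METHOD is {{ FW_METHOD }}"

    ########## Per-host allow lists #############################################
    # MONSRC[1] and the extra range are only allowed on hosts whose addresses
    # match the (redacted) patterns, as before.  "is search" is a regex over
    # the stringified address list, so a "." in a pattern matches any
    # character and a short pattern can match inside an unrelated address --
    # keep the patterns specific.
    - name: Build the list of monitoring hosts allowed to reach this host
      ansible.builtin.set_fact:
        ALLOWED_MONSRC: >-
          {{ [MONSRC[0]]
             + ([MONSRC[1]] if ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***") else []) }}
        ALLOWED_MONSRCRANGE: >-
          {{ [MONSRCRANGE[0]]
             + (["***CONTENTS REDACTED***"]
                if (ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***")
                    or ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***")
                    or ansible_all_ipv4_addresses is search("***CONTENTS REDACTED***"))
                else []) }}

    ########## iptables section #################################################
    # Failures are no longer ignored: a removal that silently fails leaves a
    # stale allow rule in place, which is exactly what this play exists to
    # prevent.  "state: absent" on a rule that does not exist is not an error.
    - name: Remove allow rules for retired monitoring hosts (iptables)
      ansible.builtin.iptables:
        chain: INPUT
        source: "{{ item }}"
        protocol: tcp
        destination_port: "{{ AGENT_PORTS_IPT }}"
        jump: ACCEPT
        state: absent
      loop: "{{ OLDMONSRC }}"
      when: FW_METHOD == "iptables"

    - name: Remove allow rules for retired monitoring ranges (iptables)
      ansible.builtin.iptables:
        chain: INPUT
        src_range: "{{ item }}"
        protocol: tcp
        destination_port: "{{ AGENT_PORTS_IPT }}"
        jump: ACCEPT
        state: absent
      loop: "{{ OLDMONSRCRANGE }}"
      when: FW_METHOD == "iptables"

    - name: Allow the agent port from the current monitoring hosts (iptables)
      ansible.builtin.iptables:
        action: insert
        chain: INPUT
        source: "{{ item }}"
        protocol: tcp
        destination_port: "{{ AGENT_PORTS_IPT }}"
        jump: ACCEPT
        state: present
      loop: "{{ ALLOWED_MONSRC }}"
      when: FW_METHOD == "iptables"

    - name: Allow the agent port from the current monitoring ranges (iptables)
      ansible.builtin.iptables:
        action: insert
        chain: INPUT
        src_range: "{{ item }}"
        protocol: tcp
        destination_port: "{{ AGENT_PORTS_IPT }}"
        jump: ACCEPT
        state: present
      loop: "{{ ALLOWED_MONSRCRANGE }}"
      when: FW_METHOD == "iptables"

    # /etc/sysconfig/iptables is the RedHat-family location (restored at boot by
    # iptables-services).  TODO(review): other families using plain iptables are
    # not persisted by this play (e.g. /etc/iptables/rules.v4 with
    # iptables-persistent) -- previously that write failed and was ignored.
    - name: Persist the iptables ruleset (RedHat family)
      community.general.iptables_state:
        state: saved
        path: /etc/sysconfig/iptables
      when:
        - FW_METHOD == "iptables"
        - ansible_facts.os_family == "RedHat"

    ########## firewalld section ################################################
    # Earlier runs opened the port range to every source in the default zone.
    # Remove that rule before adding the source-restricted rich rules.
    - name: Remove the unrestricted agent port rule (firewalld)
      ansible.posix.firewalld:
        port: "{{ AGENT_PORTS_FWD }}/tcp"
        permanent: true
        immediate: "{{ FWD_IMMEDIATE }}"
        state: disabled
      when: FW_METHOD == "firewalld"

    - name: Remove rich rules for retired monitoring hosts (firewalld)
      ansible.posix.firewalld:
        rich_rule: 'rule family="ipv4" source address="{{ item }}" port port="{{ AGENT_PORTS_FWD }}" protocol="tcp" accept'
        permanent: true
        immediate: "{{ FWD_IMMEDIATE }}"
        state: disabled
      loop: "{{ OLDMONSRC }}"
      when: FW_METHOD == "firewalld"

    - name: Allow the agent port only from monitoring hosts and networks (firewalld)
      ansible.posix.firewalld:
        rich_rule: 'rule family="ipv4" source address="{{ item }}" port port="{{ AGENT_PORTS_FWD }}" protocol="tcp" accept'
        permanent: true
        immediate: "{{ FWD_IMMEDIATE }}"
        state: enabled
      loop: "{{ ALLOWED_MONSRC + MONSRCNET }}"
      when: FW_METHOD == "firewalld"

    ########## ufw section ######################################################
    # This play does not enable ufw; a host where ufw is installed but inactive
    # has no filtering at all, and that is reported by "ufw status", not here.
    # Earlier runs added "allow 10050/tcp" from any source; delete exactly that
    # rule (the literal port is intentional -- it must match what was created).
    - name: Remove the unrestricted agent port rule (ufw)
      community.general.ufw:
        rule: allow
        port: "10050"
        proto: tcp
        delete: true
      when: FW_METHOD == "ufw"

    - name: Remove rules for retired monitoring hosts (ufw)
      community.general.ufw:
        rule: allow
        port: "{{ AGENT_PORTS_IPT }}"
        proto: tcp
        from_ip: "{{ item }}"
        delete: true
      loop: "{{ OLDMONSRC }}"
      when: FW_METHOD == "ufw"

    - name: Allow the agent port only from monitoring hosts and networks (ufw)
      community.general.ufw:
        rule: allow
        port: "{{ AGENT_PORTS_IPT }}"
        proto: tcp
        from_ip: "{{ item }}"
        comment: Zabbix agent
      loop: "{{ ALLOWED_MONSRC + MONSRCNET }}"
      when: FW_METHOD == "ufw"
    ######### End of firewall stuff ############################################################################################################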