Using Ansible Firewall Rules

45 minutes
  • 7 Learning Objectives

About this Hands-on Lab

Being able to use Ansible to create and change firewall rules is a valuable skill. On top of that, it is now an objective of the *Red Hat Certified Ansible Specialist* exam.

In this lab we will create playbooks using the firewalld module, and use them to perform firewall-related tasks.
Note: Ansible has already been set up and configured for use, which will save you time when doing this hands-on lab.

*This course is not approved or sponsored by Red Hat.*

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Sign on to the Ansible Control Node Server as cloud_user and change to the `ansible` user. Test to ensure that Ansible has been set up for you.
  1. Sign in to the server called Ansible Control Node using the cloud_user, and then change to the ansible user via the su - ansible command.
  2. Test that Ansible is working with an ad-hoc command:

    ansible all -m ping
Ensure that `firewalld` is not installed on the Ansible nodes, `node1` and `node2`.
  1. Check that firewalld is not installed on the nodes:

    ssh node1
    sudo systemctl status firewalld
  2. Use exit to return to the control node, then check the next node:

    ssh node2
    sudo systemctl status firewalld
Using an Ansible playbook, install the Apache Web Server, `httpd` and also `elinks` onto the Ansible nodes and start the Apache Web Server.
  1. Create the playbook:

    vim setup-server.yml
  2. A playbook that performs the installations and also enables and starts the Apache Web Server could look like this:
---
- hosts: all
  user: ansible
  become: yes
  gather_facts: no
  tasks:
    - name: install elinks
      action: yum name=elinks state=installed
    - name: install httpd
      action: yum name=httpd state=installed
    - name: Enable Apache on system reboot
      service: name=httpd enabled=yes
    - name: Start service httpd, if not started
      service:
        name: httpd
        state: started
Ensure the web server is working and test that Apache on the nodes can be accessed.
  1. Using the elinks command, verify that the Apache HTTP Server test page is visible on the 2 Ansible nodes:

    elinks http://node1
    elinks http://node2
Using the playbook, install `firewalld` on the Ansible nodes. Ensure that `firewalld` is running. Test that the Apache test pages are not available.
  1. Make changes to the playbook for installing firewalld:
---
- hosts: all
  user: ansible
  become: yes
  gather_facts: no
  tasks:
    - name: install elinks
      action: yum name=elinks state=installed
    - name: install httpd
      action: yum name=httpd state=installed
    - name: Enable Apache on system reboot
      service: name=httpd enabled=yes
    - name: Start service httpd, if not started
      service:
        name: httpd
        state: started
    - name: install firewalld
      action: yum name=firewalld state=installed
    - name: Enable firewalld on system reboot
      service: name=firewalld enabled=yes
    - name: Start service firewalld, if not started
      service:
        name: firewalld
        state: started
  2. Save and exit.

  3. Run the playbook with the changes applied:

    vim setup-server.yml
    ansible-playbook setup-server.yml
  4. Verify that we are unable to access the test pages on node1 and node2 with the following commands:

    elinks http://node1
    elinks http://node2

    Note: We will be unable to access the test pages because the firewall will be blocking them.

Change the Ansible playbook to add the firewall rule to allow port 80.
  1. Make changes to the playbook to add the firewall rule:
---
- hosts: all
  user: ansible
  become: yes
  gather_facts: no
  tasks:
    - name: install elinks
      action: yum name=elinks state=installed
    - name: install httpd
      action: yum name=httpd state=installed
    - name: Enable Apache on system reboot
      service: name=httpd enabled=yes
    - name: Start service httpd, if not started
      service:
        name: httpd
        state: started
    - name: install firewalld
      action: yum name=firewalld state=installed
    - name: Enable firewalld on system reboot
      service: name=firewalld enabled=yes
    # permanent: yes writes the rule to the saved configuration only; the
    # restart below loads it into the running firewall.
    - name: Allow the http service through firewalld
      firewalld:
        service: http
        permanent: yes
        state: enabled
    - name: Restart service firewalld
      service:
        name: firewalld
        state: restarted
  2. Save and exit.

  3. Run the playbook with the changes applied:

    vim setup-server.yml
    ansible-playbook setup-server.yml
  4. Verify that we are unable to access the test pages on node1 and node2 with the following commands:

    elinks http://node1
    elinks http://node2

    Note: We will be unable to access the test pages because the firewall will be blocking them.

Test that you can access the test pages on the web servers on the 2 Ansible nodes.
  1. Run the playbook:

    vim setup-server.yml
    ansible-playbook setup-server.yml
  2. Using the elinks command again:

    elinks http://node1
    elinks http://node2
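The following playbook is an added example, not the lab's own setup-server.yml: it reaches the same end state (httpd and firewalld running, port 80 open) using immediate: yes instead of a firewalld restart, and then checks the rule and the test page from the control node. It assumes the lab inventory (node1, node2, the ansible user, /etc/hosts entries on the control node) and Ansible 2.5 or later for loop.

```yaml
---
# Added example (not the lab's playbook): same objective, with the rule
# applied immediately and verified afterwards.
- hosts: all
  user: ansible
  become: yes
  gather_facts: no
  tasks:
    - name: Install httpd and firewalld
      yum:
        name:
          - httpd
          - firewalld
        state: present

    - name: Ensure both services are enabled at boot and running now
      service:
        name: "{{ item }}"
        enabled: yes
        state: started
      loop:
        - httpd
        - firewalld

    # permanent: yes saves the rule so it survives a reboot; immediate: yes
    # also applies it to the running firewall, so no restart is needed and
    # established connections are not dropped.
    - name: Allow the http service (port 80/tcp) in the default zone
      firewalld:
        service: http
        permanent: yes
        immediate: yes
        state: enabled

    # firewall-cmd exits non-zero when the service is not allowed, which
    # fails the play here instead of leaving the node silently unreachable.
    - name: Confirm the rule is present in the running configuration
      command: firewall-cmd --query-service=http
      changed_when: false

    # Fetch the Apache test page from the control node, as elinks did, and
    # fail unless the server answers with HTTP 200.
    - name: Fetch the Apache test page on each node from the control node
      uri:
        url: "http://{{ inventory_hostname }}/"
        status_code: 200
      delegate_to: localhost
      become: no
```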

Additional Resources

In this Hands-On Lab, it has been noted that the security on the servers needs to be updated. Because of this, you have been tasked with adding a firewall to the organization's servers. Since the servers are CentOS 7, you have been asked to use firewalld.

You have also been asked to check to see what happens when a firewall is in place but a specific firewall rule is not.

Our task is to create a playbook called setup-server.yml that installs elinks and Apache (httpd). Use this playbook to start the httpd service and enable it so it starts again after a server reboot. Use elinks or another method to verify that Apache works and that we can access the default web page.

Install firewalld with the same playbook, and start it. Test the access to Apache on the nodes again. It is not expected to work, as firewalld should be blocking port 80.

Do what is required within the playbook so that traffic is allowed through on port 80.

To summarize, using an Ansible playbook we must do the following:

  1. Ensure that firewalld is not installed on the nodes.
  2. Install Apache Web Server, httpd, and elinks on the nodes.
  3. Perform a test to see if the Apache Web Server is working and that the default web page is accessible.
  4. Install firewalld on the nodes.
  5. Perform a test to verify that the Apache Web Server is no longer accessible.
  6. Use an Ansible playbook to add a firewall rule to the nodes that will allow traffic on port 80 from external connections.
  7. Perform a test to verify that the Apache Web Server is accessible on the nodes.

Here are some important things to take into consideration while completing each task:

  • For convenience, Ansible is already installed on the control node. After connecting to the server, make sure to change to the ansible user with the su - ansible command.
  • The user ansible is present on all servers, with the appropriate shared keys for access to the managed servers from the control node. Make sure to use the ansible user to complete the commands.
  • The ansible user has the same password as cloud_user.
  • The default Ansible inventory has been configured with the appropriate hosts and groups.
  • /etc/hosts entries are present on control1 for the managed servers.
