Note

This plugin is part of the community.general collection (version 2.0.1).

To install it use: `ansible-galaxy collection install community.general`

To use it in a playbook, specify: `community.general.iptables_state`

New in version 1.1.0 of community.general
iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. This module saves and restores those rules through the iptables-save and iptables-restore (or ip6tables-save and ip6tables-restore for IPv6) commands, which it uses internally.

Note

This module has a corresponding action plugin.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
counters (boolean) | no (default), yes | Save or restore the values of all packet and byte counters. When true, the module is not idempotent.
ip_version (string) | ipv4 (default), ipv6 | Which version of the IP protocol this module should apply to.
modprobe (path) | | Specify the path to the modprobe program internally used by iptables-related commands to load kernel modules. By default, /proc/sys/kernel/modprobe is inspected to determine the executable's path.
noflush (boolean) | no (default), yes | For state=restored, ignored otherwise. If false, restoring iptables rules from a file flushes (deletes) all previous contents of the respective table(s). If true, the previous rules are left untouched (but policies are updated anyway, for all built-in chains).
path (path / required) | | The file the iptables state should be saved to (state=saved) or restored from (state=restored).
state (string / required) | saved, restored | Whether the firewall state should be saved (into a file) or restored (from a file).
table (string) | filter, nat, mangle, raw, security | When state=restored, restore only the named table even if the input file contains other tables. Fail if the named table is not declared in the file. When state=saved, restrict output to the specified table. If not specified, output includes all active tables.
wait (integer) | | Wait N seconds for the xtables lock to prevent instant failure in case multiple instances of the program are running concurrently.
Note

To enable the rollback, set the task's poll to 0 and its async to a value less than or equal to ANSIBLE_TIMEOUT. If async is greater, the rollback will still happen if it shall happen, but you will experience a connection timeout instead of the more relevant information returned by the module after its failure.

Examples

```yaml
# This will apply to all loaded/active IPv4 tables.
- name: Save current state of the firewall in system file
  community.general.iptables_state:
    state: saved
    path: /etc/sysconfig/iptables

# This will apply only to IPv6 filter table.
- name: save current state of the firewall in system file
  community.general.iptables_state:
    ip_version: ipv6
    table: filter
    state: saved
    path: /etc/iptables/rules.v6

# This will load a state from a file, with a rollback in case of access loss
- name: restore firewall state from a file
  community.general.iptables_state:
    state: restored
    path: /run/iptables.apply
  async: "{{ ansible_timeout }}"
  poll: 0

# This will load new rules by appending them to the current ones
- name: restore firewall state from a file
  community.general.iptables_state:
    state: restored
    path: /run/iptables.apply
    noflush: true
  async: "{{ ansible_timeout }}"
  poll: 0

# This will only retrieve information
- name: get current state of the firewall
  community.general.iptables_state:
    state: saved
    path: /tmp/iptables
  check_mode: yes
  changed_when: false
  register: iptables_state

- name: show current state of the firewall
  ansible.builtin.debug:
    var: iptables_state.initial_state
```
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
applied (boolean) | always | Whether or not the wanted state has been successfully restored. Sample: True
initial_state (list / elements=string) | always | The current state of the firewall when the module starts. Sample: ['# Generated by xtables-save v1.8.2', '*filter', ':INPUT ACCEPT [0:0]', ':FORWARD ACCEPT [0:0]', ':OUTPUT ACCEPT [0:0]', 'COMMIT', '# Completed']
restored (list / elements=string) | always | The state the module restored, whether or not it is finally applied. Sample: ['# Generated by xtables-save v1.8.2', '*filter', ':INPUT DROP [0:0]', ':FORWARD DROP [0:0]', ':OUTPUT ACCEPT [0:0]', '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT', '-A INPUT -m conntrack --ctstate INVALID -j DROP', '-A INPUT -i lo -j ACCEPT', '-A INPUT -p icmp -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT', 'COMMIT', '# Completed']
saved (list / elements=string) | always | The iptables state the module saved. Sample: ['# Generated by xtables-save v1.8.2', '*filter', ':INPUT ACCEPT [0:0]', ':FORWARD DROP [0:0]', ':OUTPUT ACCEPT [0:0]', 'COMMIT', '# Completed']
tables (dictionary) | always | The iptables tables of interest when the module starts. Sample: { "filter": [ ":INPUT ACCEPT", ":FORWARD ACCEPT", ":OUTPUT ACCEPT", "-A INPUT -i lo -j ACCEPT", "-A INPUT -p icmp -j ACCEPT", "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT", "-A INPUT -j REJECT --reject-with icmp-host-prohibited" ], "nat": [ ":PREROUTING ACCEPT", ":INPUT ACCEPT", ":OUTPUT ACCEPT", ":POSTROUTING ACCEPT" ] }
tables.table (list / elements=string) | success | Policies and rules for all chains of the named table.
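As an added example (not part of the module or of this page), here is a small Python pre-check that parses iptables-save text of the kind shown in the saved and restored samples into the per-table layout of the `tables` return value, then flags a state file whose filter INPUT policy is DROP or REJECT without an explicit accept rule for a management port, which is the access-loss case the async rollback exists to recover from. The sample state and the port-22 default are assumptions.

```python
# Constructed sample in iptables-save format, shaped like the ``restored``
# sample above (not captured from a real host).
SAMPLE_STATE = """\
# Generated by xtables-save v1.8.2
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

def parse_state(text):
    """Return {table: [":CHAIN POLICY", ..., "-A ..."]} like the ``tables`` sample."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # "*filter" opens a table block
            current = line[1:]
            tables[current] = []
        elif current is None:
            raise ValueError("line outside any *table block: " + line)
        elif line.startswith(":"):        # ":INPUT DROP [0:0]" -> ":INPUT DROP"
            tables[current].append(" ".join(line.split()[:2]))
        else:
            tables[current].append(line)  # a rule such as "-A INPUT ..."
    return tables

def would_lock_out(tables, mgmt_port=22):
    """True if filter/INPUT defaults to DROP/REJECT and no rule accepts TCP to mgmt_port."""
    entries = tables.get("filter", [])
    policy = next((e.split()[1] for e in entries if e.startswith(":INPUT ")), "ACCEPT")
    if policy == "ACCEPT":
        return False
    for rule in entries:
        tok = rule.split()
        if tok[:2] == ["-A", "INPUT"] and tok[-2:] == ["-j", "ACCEPT"] \
                and any(a == "--dport" and b == str(mgmt_port) for a, b in zip(tok, tok[1:])):
            return False   # an explicit management-port accept exists
    return True
```

Run the check against the file you are about to pass as `path` with state=restored; a True result is a good reason to keep the async/poll rollback on the task rather than rely on it.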
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/community/general/iptables_state_module.html