iptables_raw - Manage iptables rules

New in version 2.4.

Synopsis

  • Add/remove iptables rules while keeping state.

Options

parameter: backup
  required: no
  default: no
  choices:
    • yes
    • no
  Create a backup of the iptables state file before overwriting it.

parameter: ipversion
  required: no
  default: 4
  choices:
    • 4
    • 6
  Target the IP version this rule is for.

parameter: keep_unmanaged
  required: no
  default: yes
  choices:
    • yes
    • no
  If set to yes, keeps the active (unmanaged) iptables rules for the target table and gives them weight=90. This means these rules will be ordered after most of the managed rules, since the default weight is 40, so they shouldn't be able to block any allow rules. If set to no, deletes all rules which are not set by this module.
  WARNING: Be very careful when running keep_unmanaged=no for the first time, since if you don't specify correct rules, you can block yourself out of the managed host.

parameter: name
  required: yes
  Name that will be used as an identifier for these rules. It can contain alphanumeric characters, underscore, hyphen, or a space; it has to be UNIQUE for a specified table. You can also pass name=* with state=absent to flush all rules in the selected table, or even all tables with table=*.

parameter: rules
  required: no
  The rules that we want to add. Accepts multiline values.
  Note: You can only use -A/--append, -N/--new-chain, and -P/--policy to specify rules.

parameter: state
  required: no
  default: present
  choices:
    • present
    • absent
  The state this rules fragment should be in.

parameter: table
  required: no
  default: filter
  choices:
    • filter
    • nat
    • mangle
    • raw
    • security
    • *
  The table this rule applies to. You can specify table=* only together with name=* and state=absent, to flush all rules in all tables.

parameter: weight
  required: no
  default: 40
  choices:
    • 0 - 99
  Determines the order of the rules. Lower weight means higher priority. Supported range is 0 - 99.
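To make the weight ordering concrete, here is an added Python model (not code from the iptables_raw module or from Ansible) of how fragments with different weights combine with the unmanaged rules kept at weight 90, and what iptables' first-match evaluation then yields. It assumes fragments are ordered by ascending weight (ties by name) and matches only -p/--dport; the fragment names, rules and the stale unmanaged DROP rule are constructed for the demonstration.

```python
# Added example, not the iptables_raw module's own code. Assumptions: fragments are
# ordered by ascending weight (ties by name), keep_unmanaged=yes turns existing rules
# into a weight-90 fragment, -P sets a chain policy, evaluation is first-match.
DEFAULT_WEIGHT = 40    # module default for a managed fragment
UNMANAGED_WEIGHT = 90  # weight the module gives to unmanaged rules

def merge(fragments, unmanaged=""):
    """fragments: (name, rules, weight) tuples. Returns (chains, policies)."""
    frags = [(w, n, r) for n, r, w in fragments]
    if unmanaged:  # pre-existing rules on the host, kept with weight 90
        frags.append((UNMANAGED_WEIGHT, "unmanaged", unmanaged))
    chains, policies = {}, {}
    for _, _, rules in sorted(frags):
        for line in rules.strip().splitlines():
            tok = line.split()   # only -A / -N / -P lines, as the module requires
            if tok[0] == "-N":
                chains.setdefault(tok[1], [])
            elif tok[0] == "-P":
                policies[tok[1]] = tok[2]
            elif tok[0] == "-A":
                chains.setdefault(tok[1], []).append(line)
    return chains, policies

def _opt(tok, flag):
    return tok[tok.index(flag) + 1] if flag in tok else None

def verdict(chains, policies, chain, proto, dport):
    """First-match walk; toy matcher looks only at -p/--dport and follows user chains."""
    for rule in chains.get(chain, []):
        tok = rule.split()
        if _opt(tok, "-p") in (None, proto) and _opt(tok, "--dport") in (None, str(dport)):
            target = _opt(tok, "-j")
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if target in chains:  # user chain; None from it behaves like RETURN
                sub = verdict(chains, policies, target, proto, dport)
                if sub:
                    return sub
    return policies.get(chain)  # chain policy, or None inside a user chain

def demo():
    """Constructed scenario: this page's allow rules plus a stale unmanaged DROP on port 80."""
    frags = [
        ("default_rules", "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n-P INPUT DROP", 10),
        ("allow_tcp_80", "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT", DEFAULT_WEIGHT),
    ]
    chains, policies = merge(frags, unmanaged="-A INPUT -p tcp --dport 80 -j DROP")
    return {p: verdict(chains, policies, "INPUT", "tcp", p) for p in (22, 80, 8080)}
```

Because the managed allow_tcp_80 fragment sorts before the weight-90 unmanaged DROP, port 80 is still accepted, while port 8080 falls through to the INPUT DROP policy set by default_rules.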

Examples

# Allow all IPv4 traffic coming in on port 80 (http)
- iptables_raw:
    name: allow_tcp_80
    rules: '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Set default rules with weight 10 and disregard all unmanaged rules
- iptables_raw:
    name: default_rules
    weight: 10
    keep_unmanaged: no
    rules: |
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT ACCEPT

# Allow all IPv6 traffic coming in on port 443 (https) with weight 50
- iptables_raw:
    ipversion: 6
    weight: 50
    name: allow_tcp_443
    rules: '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Remove the above rule
- iptables_raw:
    state: absent
    ipversion: 6
    name: allow_tcp_443

# Define rules with a custom chain
- iptables_raw:
    name: custom1_rules
    rules: |
      -N CUSTOM1
      -A CUSTOM1 -s 192.168.0.0/24 -j ACCEPT

# Reset all IPv4 iptables rules in all tables and allow all traffic
- iptables_raw:
    name: '*'
    table: '*'
    state: absent

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

ipversion
  description: IP version of iptables used
  returned: success
  type: int
  sample: 6

name
  description: name of the rules
  returned: success
  type: string
  sample: open_tcp_80

weight
  description: weight of the rules
  returned: success
  type: int
  sample: 40

rules
  description: passed rules
  returned: success
  type: string
  sample: -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

keep_unmanaged
  description: whether unmanaged rules should be kept
  returned: success
  type: boolean
  sample: True

state
  description: state of the rules
  returned: success
  type: string
  sample: present

table
  description: iptables table used
  returned: success
  type: string
  sample: filter

backup
  description: whether the iptables file should be backed up
  returned: success
  type: boolean
  sample: False


Notes

Note

Requires the iptables package. Debian-based distributions additionally require iptables-persistent.

Note

Depending on the distribution, iptables rules are saved in different locations so that they can be loaded on boot:
  • Red Hat distributions (RHEL, CentOS, etc.): /etc/sysconfig/iptables and /etc/sysconfig/ip6tables
  • Debian distributions (Debian, Ubuntu, etc.): /etc/iptables/rules.v4 and /etc/iptables/rules.v6
  • other distributions: /etc/sysconfig/iptables and /etc/sysconfig/ip6tables

Note

This module saves state in the /etc/ansible-iptables directory, so don't modify this directory!