New in version 2.4.
parameter | required | default | choices | comments |
---|---|---|---|---|
backup | no | no | | Create a backup of the iptables state file before overwriting it. |
ipversion | no | 4 | | Target the IP version this rule is for. |
keep_unmanaged | no | yes | | If set to yes, keeps the active iptables (unmanaged) rules for the target table and gives them weight=90. Since the default weight is 40, these rules are ordered after most managed rules, so they should not be able to block any allow rules. If set to no, deletes all rules in the table that were not set by this module. WARNING: Be very careful the first time you run with keep_unmanaged=no: if the rules you specify are not correct (for example, no allow rule for your SSH port alongside a DROP policy on INPUT), you can lock yourself out of the managed host. |
name | yes | | | Name that will be used as an identifier for these rules. It can contain alphanumeric characters, underscore, hyphen, or a space, and has to be UNIQUE for a specified table. You can also pass name=* with state=absent to flush all rules in the selected table, or even all tables with table=*. |
rules | no | | | The rules that we want to add. Accepts multiline values. Note: You can only use -A/--append, -N/--new-chain, and -P/--policy to specify rules. |
state | no | present | | The state this rules fragment should be in. |
table | no | filter | | The table this rule applies to. You can specify table=* only with name=* and state=absent, to flush all rules in all tables. |
weight | no | 40 | | Determines the order of the rules. Lower weight means higher priority. Supported range is 0-99. |
```yaml
# Allow all IPv4 traffic coming in on port 80 (http)
- iptables_raw:
    name: allow_tcp_80
    rules: '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Set default rules with weight 10 and disregard all unmanaged rules
- iptables_raw:
    name: default_rules
    weight: 10
    keep_unmanaged: no
    rules: |
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT ACCEPT

# Allow all IPv6 traffic coming in on port 443 (https) with weight 50
- iptables_raw:
    ipversion: 6
    weight: 50
    name: allow_tcp_443
    rules: '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Remove the above rule
- iptables_raw:
    state: absent
    ipversion: 6
    name: allow_tcp_443

# Define rules with a custom chain
- iptables_raw:
    name: custom1_rules
    rules: |
      -N CUSTOM1
      -A CUSTOM1 -s 192.168.0.0/24 -j ACCEPT

# Reset all IPv4 iptables rules in all tables and allow all traffic
- iptables_raw:
    name: '*'
    table: '*'
    state: absent
```
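The parameter table above states several constraints (the name character set, the 0-99 weight range, the -A/-N/-P-only rule syntax, unmanaged rules kept at weight 90) and warns that keep_unmanaged=no can lock you out. The following is an added pre-flight check, not code from the iptables_raw module itself: it lints a fragment against those constraints, applies a heuristic lock-out check for fragments that set a DROP policy on INPUT while discarding unmanaged rules, and models the weight ordering so you can see where a fragment lands relative to kept unmanaged rules. The tie-break between equal weights (by fragment name) is an assumption; the page does not document one. The sample rule sets are constructed from the examples above, not captured from a host.

```python
"""Pre-flight checks for iptables_raw fragments (added example, not module code)."""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_ -]+$")          # alphanumerics, underscore, hyphen, space
ALLOWED = ("-A", "--append", "-N", "--new-chain", "-P", "--policy")
UNMANAGED_WEIGHT = 90                                # weight given to kept unmanaged rules
DEFAULT_WEIGHT = 40                                  # module default for a fragment

# Constructed samples: the examples' default_rules fragment, and a variant
# that forgot the SSH allow (the classic lock-out mistake).
SAFE_DEFAULTS = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
"""
UNSAFE_DEFAULTS = SAFE_DEFAULTS.replace(
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT\n", "")


def validate_fragment(name, rules, weight=DEFAULT_WEIGHT, keep_unmanaged=True, ssh_port=22):
    """Return a list of problems; an empty list means the fragment looks safe to apply."""
    problems = []
    if name != "*" and not NAME_RE.match(name):
        problems.append("name %r: only alphanumerics, underscore, hyphen or space allowed" % name)
    if not 0 <= weight <= 99:
        problems.append("weight %d outside supported range 0-99" % weight)
    lines = [l.strip() for l in rules.splitlines() if l.strip()]
    for line in lines:
        if line.split()[0] not in ALLOWED:
            problems.append("unsupported rule %r: only -A, -N and -P are accepted" % line)
    # Heuristic lock-out check (assumption, not a module guarantee): with
    # keep_unmanaged=no every unmanaged ACCEPT is deleted, so a DROP policy on
    # INPUT must ship with explicit allows for the management port and for
    # established connections, or the first apply severs the Ansible session.
    drops_input = any(re.match(r"(-P|--policy)\s+INPUT\s+DROP", l) for l in lines)
    if not keep_unmanaged and drops_input:
        accepts_ssh = any(re.search(r"--dport %d\b" % ssh_port, l) and "-j ACCEPT" in l
                          for l in lines)
        accepts_est = any("ESTABLISHED" in l and "-j ACCEPT" in l for l in lines)
        if not accepts_ssh:
            problems.append("INPUT policy DROP without an ACCEPT for tcp/%d: likely lock-out" % ssh_port)
        if not accepts_est:
            problems.append("INPUT policy DROP without a RELATED,ESTABLISHED ACCEPT")
    return problems


def render_order(fragments, unmanaged=()):
    """Flatten managed fragments plus kept unmanaged rules into weight order.

    fragments: iterable of (name, weight, rules_text); unmanaged: active rule
    lines no fragment owns, which the module keeps at weight 90 when
    keep_unmanaged=yes. Lower weight comes first; equal weights fall back to
    the fragment name (assumed), and unmanaged rules keep their existing order.
    Note that -P lines are chain policies, not positional rules; they are
    listed here only so the full fragment is visible.
    """
    entries = [(w, n, r) for n, w, r in fragments]
    entries += [(UNMANAGED_WEIGHT, "unmanaged", r) for r in unmanaged]
    entries.sort(key=lambda e: (e[0], e[1]))  # stable sort: ties keep insertion order
    ordered = []
    for _weight, _name, text in entries:
        ordered.extend(l.strip() for l in text.splitlines() if l.strip())
    return ordered


if __name__ == "__main__":
    print("safe:  ", validate_fragment("default_rules", SAFE_DEFAULTS, 10, keep_unmanaged=False))
    print("unsafe:", validate_fragment("default_rules", UNSAFE_DEFAULTS, 10, keep_unmanaged=False))
    for line in render_order([("allow_tcp_80", 40, "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"),
                              ("default_rules", 10, SAFE_DEFAULTS)],
                             unmanaged=["-A INPUT -s 10.0.0.0/8 -j DROP"]):
        print("  ", line)
```

Run the checks against each fragment's rules text before the play that applies it, and treat any reported problem as a reason to stop; the lock-out heuristic only looks at the fragment it is given, so a fragment that relies on an allow rule from a lower-weight fragment should be validated together with that fragment's text.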
Common return values are documented in Return Values; the following are the fields unique to this module:
name | description | returned | type | sample |
---|---|---|---|---|
ipversion | IP version of iptables used | success | int | 6 |
name | name of the rules | success | string | open_tcp_80 |
weight | weight of the rules | success | int | 40 |
rules | passed rules | success | string | -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT |
keep_unmanaged | if it should keep unmanaged rules | success | boolean | True |
state | state of the rules | success | string | present |
table | iptables table used | success | string | filter |
backup | if the iptables file should be backed up | success | boolean | False |
Note
Requires the iptables package. Debian-based distributions additionally require iptables-persistent.
Note
Depending on the distribution, iptables rules are saved in different locations so that they can be loaded on boot. Red Hat distributions (RHEL, CentOS, etc.): /etc/sysconfig/iptables and /etc/sysconfig/ip6tables; Debian distributions (Debian, Ubuntu, etc.): /etc/iptables/rules.v4 and /etc/iptables/rules.v6; other distributions: /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Note
This module saves its state in the /etc/ansible-iptables directory, so don't modify this directory!