iptables_raw - Manage iptables rules

New in version 2.4.


  • Add/remove iptables rules while keeping state.


Options

backup (required: no, default: no, choices: yes, no)
    Create a backup of the iptables state file before overwriting it.

ipversion (required: no, default: 4, choices: 4, 6)
    Target the IP version this rule is for.

keep_unmanaged (required: no, default: yes, choices: yes, no)
    If set to yes, keeps the active iptables (unmanaged) rules for the target table and gives them weight=90. This means these rules are ordered after most of the managed rules, since the default weight is 40, so they should not be able to override any allow rules. If set to no, deletes all rules which are not set by this module.
    WARNING: Be very careful when running keep_unmanaged=no for the first time: if you do not specify correct rules, you can lock yourself out of the managed host.

name
    Name that will be used as an identifier for these rules. It can contain alphanumeric characters, underscore, hyphen, or a space, and has to be UNIQUE for a specified table. You can also pass name=* with state=absent to flush all rules in the selected table, or even all tables with table=*.

rules
    The rules that we want to add. Accepts multiline values.
    Note: You can only use -A/--append, -N/--new-chain, and -P/--policy to specify rules.

state (required: no, default: present, choices: present, absent)
    The state this rules fragment should be in.

table (required: no, default: filter, choices: filter, nat, mangle, raw, security, *)
    The table this rule applies to. You can specify table=* only together with name=* and state=absent, to flush all rules in all tables.

weight (required: no, default: 40, choices: 0 - 99)
    Determines the order of the rules. Lower weight means higher priority. Supported range is 0 - 99.


Examples

  # Allow all IPv4 traffic coming in on port 80 (http)
  - iptables_raw:
      name: allow_tcp_80
      rules: '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

  # Set default rules with weight 10 and disregard all unmanaged rules
  - iptables_raw:
      name: default_rules
      weight: 10
      keep_unmanaged: no
      rules: |
        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -i lo -j ACCEPT
        -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
        -P INPUT DROP
        -P FORWARD DROP
        -P OUTPUT ACCEPT

  # Allow all IPv6 traffic coming in on port 443 (https) with weight 50
  - iptables_raw:
      ipversion: 6
      weight: 50
      name: allow_tcp_443
      rules: '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

  # Remove the above rule
  - iptables_raw:
      state: absent
      ipversion: 6
      name: allow_tcp_443

  # Define rules with a custom chain
  - iptables_raw:
      name: custom1_rules
      rules: |
        -N CUSTOM1
        -A CUSTOM1 -s -j ACCEPT

  # Reset all IPv4 iptables rules in all tables and allow all traffic
  - iptables_raw:
      name: '*'
      table: '*'
      state: absent
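The weight ordering and the keep_unmanaged behaviour described in the options are easiest to reason about with a small model. The following Python is an added example written for this page, not the module's own code: it orders rule fragments the way the documentation describes (lower weight first, default 40, kept unmanaged rules at 90), rejects duplicate names within a table, and then runs a deliberately conservative check of what the resulting INPUT chain would do to a new inbound SSH connection, which is the situation the keep_unmanaged=no WARNING is about. The fragments default_rules and allow_tcp_80 are copied from the examples above; the unmanaged port 8080 rule, the Fragment/assemble/ssh_verdict names and the match-option model are constructed for this illustration and only understand the iptables options used on this page.

```python
"""Illustrative model of the rule ordering documented for iptables_raw.

Added example for this page, not the module's own code. It reproduces the
documented semantics (fragments ordered by weight, lower first, default 40;
unmanaged rules kept at weight 90 when keep_unmanaged=yes, dropped when
keep_unmanaged=no) so a fragment set can be inspected before it reaches a
host. The lock-out check is a conservative approximation of how the INPUT
chain treats a new inbound SSH connection and only understands the match
options that appear in this page's examples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_WEIGHT = 40    # documented default for the weight parameter
UNMANAGED_WEIGHT = 90  # documented weight given to kept unmanaged rules
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Fragment:
    """One iptables_raw task: a uniquely named block of rules with a weight."""
    name: str
    rules: str
    weight: int = DEFAULT_WEIGHT


def parse_rules(text: str) -> List[str]:
    """Split a (possibly multiline) rules value into non-empty rule lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def assemble(fragments: List[Fragment], unmanaged: List[str],
             keep_unmanaged: bool = True) -> List[str]:
    """Return the rule lines in the order the documented weights imply.

    Sorting is stable, so fragments sharing a weight keep their given order.
    """
    names = [f.name for f in fragments]
    if len(names) != len(set(names)):
        raise ValueError("fragment names must be unique within a table")
    for f in fragments:
        if not 0 <= f.weight <= 99:
            raise ValueError(f"{f.name}: weight {f.weight} outside 0-99")
    items = list(fragments)
    if keep_unmanaged and unmanaged:
        items.append(Fragment("<unmanaged>", "\n".join(unmanaged), UNMANAGED_WEIGHT))
    ordered: List[str] = []
    for f in sorted(items, key=lambda f: f.weight):
        ordered.extend(parse_rules(f.rules))
    return ordered


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a tokenised rule, or None if absent."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None


def _could_match_new_tcp(tokens: List[str], port: int) -> bool:
    """True if an INPUT rule's matches are consistent with a fresh remote TCP
    connection to `port`. Unknown match options are ignored (treated as matching)."""
    proto = _opt(tokens, "-p")
    if proto is not None and proto != "tcp":
        return False
    dport = _opt(tokens, "--dport")
    if dport is not None and dport != str(port):
        return False
    if _opt(tokens, "-i") == "lo":
        return False            # loopback-only rule never sees remote traffic
    state = _opt(tokens, "--state")
    if state is not None and "NEW" not in state.split(","):
        return False            # RELATED,ESTABLISHED alone never admits a new connection
    if "-s" in tokens:
        return False            # source-restricted: do not count on it for our own access
    return True


def ssh_verdict(rules: List[str], port: int = 22) -> str:
    """Walk the INPUT chain as iptables would for a new TCP connection to `port`
    and return the terminal verdict, falling back to the chain policy."""
    policy = "ACCEPT"           # iptables' built-in default until -P changes it
    for rule in rules:
        tokens = rule.split()
        if tokens[:2] == ["-P", "INPUT"] and len(tokens) > 2:
            policy = tokens[2]
        elif tokens[:2] == ["-A", "INPUT"] and _could_match_new_tcp(tokens, port):
            target = _opt(tokens, "-j")
            if target in TERMINAL_TARGETS:
                return target   # jumps into user chains are not modelled here
    return policy


# Fragments copied from this page's examples; the unmanaged rule is constructed.
DEFAULT_RULES = Fragment("default_rules", """
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
""", weight=10)
ALLOW_80 = Fragment("allow_tcp_80", "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT")
UNMANAGED = ["-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT"]  # constructed sample


def demo() -> Dict[str, str]:
    """Assemble two keep_unmanaged=no scenarios and report the SSH verdict for each."""
    safe = assemble([ALLOW_80, DEFAULT_RULES], UNMANAGED, keep_unmanaged=False)
    # Same DROP policy, but the operator forgot the port-22 allow line.
    forgot_ssh = Fragment("default_rules", "-P INPUT DROP", weight=10)
    locked = assemble([ALLOW_80, forgot_ssh], UNMANAGED, keep_unmanaged=False)
    return {"safe": ssh_verdict(safe), "locked_out": ssh_verdict(locked)}


if __name__ == "__main__":
    for line in assemble([ALLOW_80, DEFAULT_RULES], UNMANAGED):
        print(line)
    print(demo())
```

Running the block prints the combined ordering with default_rules (weight 10) first, allow_tcp_80 (40) next and the unmanaged rule last at 90; demo() returns ACCEPT for the documented default_rules but DROP once the port-22 allow line is omitted under keep_unmanaged=no, because any unmanaged rule that previously let SSH in is removed and the INPUT policy decides. The check ignores jumps into user chains and unknown match options, so a DROP verdict is a reason to look again, while ACCEPT is not a guarantee.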

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

name            description                               returned  type     sample
ipversion       IP version of iptables used               success   int      6
name            name of the rules                         success   string   open_tcp_80
weight          weight of the rules                       success   int      40
rules           passed rules                              success   string   -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
keep_unmanaged  if it should keep unmanaged rules         success   boolean  True
state           state of the rules                        success   string   present
table           iptables table used                       success   string   filter
backup          if the iptables file should be backed up  success   boolean  False



Notes

  • Requires the iptables package. Debian-based distributions additionally require iptables-persistent.
  • Depending on the distribution, iptables rules are saved in different locations so that they can be loaded on boot. Red Hat distributions (RHEL, CentOS, etc.): /etc/sysconfig/iptables and /etc/sysconfig/ip6tables; Debian distributions (Debian, Ubuntu, etc.): /etc/iptables/rules.v4 and /etc/iptables/rules.v6; other distributions: /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
  • This module saves its state in the /etc/ansible-iptables directory, so don't modify this directory!