community / community.general / 2.5.9 / module / iptables_state Save iptables state into a file or restore it from a file | "added in version" 1.1.0 of community.general" Authors: quidame (@quidame) This plugin has a corresponding action plugin.community.general.iptables_state (2.5.9) — module
Install with ansible-galaxy collection install community.general:==2.5.9
collections: - name: community.general version: 2.5.9
C(iptables) is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
This module handles the saving and/or loading of rules. This is the same as the behaviour of the C(iptables-save) and C(iptables-restore) (or C(ip6tables-save) and C(ip6tables-restore) for IPv6) commands which this module uses internally.
Modifying the state of the firewall remotely may lead to loose access to the host in case of mistake in new ruleset. This module embeds a rollback feature to avoid this, by telling the host to restore previous rules if a cookie is still there after a given delay, and all this time telling the controller to try to remove this cookie on the host through a new connection.
# This will apply to all loaded/active IPv4 tables. - name: Save current state of the firewall in system file community.general.iptables_state: state: saved path: /etc/sysconfig/iptables
# This will apply only to IPv6 filter table. - name: save current state of the firewall in system file community.general.iptables_state: ip_version: ipv6 table: filter state: saved path: /etc/iptables/rules.v6
# This will load a state from a file, with a rollback in case of access loss - name: restore firewall state from a file community.general.iptables_state: state: restored path: /run/iptables.apply async: "{{ ansible_timeout }}" poll: 0
# This will load new rules by appending them to the current ones - name: restore firewall state from a file community.general.iptables_state: state: restored path: /run/iptables.apply noflush: true async: "{{ ansible_timeout }}" poll: 0
# This will only retrieve information - name: get current state of the firewall community.general.iptables_state: state: saved path: /tmp/iptables check_mode: yes changed_when: false register: iptables_state
- name: show current state of the firewall ansible.builtin.debug: var: iptables_state.initial_state
path: description: - The file the iptables state should be saved to. - The file the iptables state should be restored from. required: true type: path wait: description: - Wait N seconds for the xtables lock to prevent instant failure in case multiple instances of the program are running concurrently. type: int state: choices: - saved - restored description: - Whether the firewall state should be saved (into a file) or restored (from a file). required: true type: str table: choices: - filter - nat - mangle - raw - security description: - When I(state=restored), restore only the named table even if the input file contains other tables. Fail if the named table is not declared in the file. - When I(state=saved), restrict output to the specified table. If not specified, output includes all active tables. type: str noflush: default: false description: - For I(state=restored), ignored otherwise. - If C(false), restoring iptables rules from a file flushes (deletes) all previous contents of the respective table(s). If C(true), the previous rules are left untouched (but policies are updated anyway, for all built-in chains). type: bool counters: default: false description: - Save or restore the values of all packet and byte counters. - When C(true), the module is not idempotent. type: bool modprobe: description: - Specify the path to the C(modprobe) program internally used by iptables related commands to load kernel modules. - By default, C(/proc/sys/kernel/modprobe) is inspected to determine the executable's path. type: path ip_version: choices: - ipv4 - ipv6 default: ipv4 description: - Which version of the IP protocol this module should apply to. type: str
applied: description: Whether or not the wanted state has been successfully restored. returned: always sample: true type: bool initial_state: description: The current state of the firewall when module starts. elements: str returned: always sample: - '# Generated by xtables-save v1.8.2' - '*filter' - :INPUT ACCEPT [0:0] - :FORWARD ACCEPT [0:0] - :OUTPUT ACCEPT [0:0] - COMMIT - '# Completed' type: list restored: description: The state the module restored, whenever it is finally applied or not. elements: str returned: always sample: - '# Generated by xtables-save v1.8.2' - '*filter' - :INPUT DROP [0:0] - :FORWARD DROP [0:0] - :OUTPUT ACCEPT [0:0] - -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - -A INPUT -m conntrack --ctstate INVALID -j DROP - -A INPUT -i lo -j ACCEPT - -A INPUT -p icmp -j ACCEPT - -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT - COMMIT - '# Completed' type: list saved: description: The iptables state the module saved. elements: str returned: always sample: - '# Generated by xtables-save v1.8.2' - '*filter' - :INPUT ACCEPT [0:0] - :FORWARD DROP [0:0] - :OUTPUT ACCEPT [0:0] - COMMIT - '# Completed' type: list tables: contains: table: description: Policies and rules for all chains of the named table. elements: str type: list description: The iptables we have interest for when module starts. returned: always sample: "{\n \"filter\": [\n \":INPUT ACCEPT\",\n \":FORWARD ACCEPT\",\n\ \ \":OUTPUT ACCEPT\",\n \"-A INPUT -i lo -j ACCEPT\",\n \"-A INPUT -p\ \ icmp -j ACCEPT\",\n \"-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\",\n \ \ \"-A INPUT -j REJECT --reject-with icmp-host-prohibited\"\n ],\n \"nat\"\ : [\n \":PREROUTING ACCEPT\",\n \":INPUT ACCEPT\",\n \":OUTPUT ACCEPT\"\ ,\n \":POSTROUTING ACCEPT\"\n ]\n}" type: dict