community.general.iptables_state (8.5.0) — module

Save iptables state into a file or restore it from a file

Added in version 1.1.0 of community.general

Authors: quidame (@quidame)

This plugin has a corresponding action plugin.

Install collection

Install with ansible-galaxy collection install community.general:==8.5.0


Add to requirements.yml

  collections:
    - name: community.general
      version: 8.5.0

Description

C(iptables) is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

This module handles the saving and/or loading of rules. This is the same as the behaviour of the C(iptables-save) and C(iptables-restore) (or C(ip6tables-save) and C(ip6tables-restore) for IPv6) commands which this module uses internally.

Modifying the state of the firewall remotely may lead to losing access to the host if the new ruleset contains a mistake. This module embeds a rollback feature to avoid this: it tells the host to restore the previous rules if a cookie is still present after a given delay, and meanwhile tells the controller to try to remove this cookie on the host through a new connection.


Requirements

Usage examples

# This will apply to all loaded/active IPv4 tables.
- name: Save current state of the firewall in system file
  community.general.iptables_state:
    state: saved
    path: /etc/sysconfig/iptables
# This will apply only to IPv6 filter table.
- name: save current state of the firewall in system file
  community.general.iptables_state:
    ip_version: ipv6
    table: filter
    state: saved
    path: /etc/iptables/rules.v6
# This will load a state from a file, with a rollback in case of access loss
- name: restore firewall state from a file
  community.general.iptables_state:
    state: restored
    path: /run/iptables.apply
  async: "{{ ansible_timeout }}"
  poll: 0
# This will load new rules by appending them to the current ones
- name: restore firewall state from a file
  community.general.iptables_state:
    state: restored
    path: /run/iptables.apply
    noflush: true
  async: "{{ ansible_timeout }}"
  poll: 0
# This will only retrieve information
- name: get current state of the firewall
  community.general.iptables_state:
    state: saved
    path: /tmp/iptables
  check_mode: true
  changed_when: false
  register: iptables_state
- name: show current state of the firewall
  ansible.builtin.debug:
    var: iptables_state.initial_state

Inputs

path:
    description:
    - The file the iptables state should be saved to.
    - The file the iptables state should be restored from.
    required: true
    type: path

wait:
    description:
    - Wait N seconds for the xtables lock to prevent instant failure in case multiple
      instances of the program are running concurrently.
    type: int

state:
    choices:
    - saved
    - restored
    description:
    - Whether the firewall state should be saved (into a file) or restored (from a file).
    required: true
    type: str

table:
    choices:
    - filter
    - nat
    - mangle
    - raw
    - security
    description:
    - When O(state=restored), restore only the named table even if the input file contains
      other tables. Fail if the named table is not declared in the file.
    - When O(state=saved), restrict output to the specified table. If not specified, output
      includes all active tables.
    type: str

noflush:
    default: false
    description:
    - For O(state=restored), ignored otherwise.
    - If V(false), restoring iptables rules from a file flushes (deletes) all previous
      contents of the respective table(s). If V(true), the previous rules are left untouched
      (but policies are updated anyway, for all built-in chains).
    type: bool

counters:
    default: false
    description:
    - Save or restore the values of all packet and byte counters.
    - When V(true), the module is not idempotent.
    type: bool

modprobe:
    description:
    - Specify the path to the C(modprobe) program internally used by iptables related
      commands to load kernel modules.
    - By default, V(/proc/sys/kernel/modprobe) is inspected to determine the executable's
      path.
    type: path

ip_version:
    choices:
    - ipv4
    - ipv6
    default: ipv4
    description:
    - Which version of the IP protocol this module should apply to.
    type: str

Outputs

applied:
  description: Whether or not the wanted state has been successfully restored.
  returned: always
  sample: true
  type: bool
initial_state:
  description: The current state of the firewall when module starts.
  elements: str
  returned: always
  sample:
  - '# Generated by xtables-save v1.8.2'
  - '*filter'
  - :INPUT ACCEPT [0:0]
  - :FORWARD ACCEPT [0:0]
  - :OUTPUT ACCEPT [0:0]
  - COMMIT
  - '# Completed'
  type: list
restored:
  description: The state the module restored, whether or not it is finally applied.
  elements: str
  returned: always
  sample:
  - '# Generated by xtables-save v1.8.2'
  - '*filter'
  - :INPUT DROP [0:0]
  - :FORWARD DROP [0:0]
  - :OUTPUT ACCEPT [0:0]
  - -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  - -A INPUT -m conntrack --ctstate INVALID -j DROP
  - -A INPUT -i lo -j ACCEPT
  - -A INPUT -p icmp -j ACCEPT
  - -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  - COMMIT
  - '# Completed'
  type: list
saved:
  description: The iptables state the module saved.
  elements: str
  returned: always
  sample:
  - '# Generated by xtables-save v1.8.2'
  - '*filter'
  - :INPUT ACCEPT [0:0]
  - :FORWARD DROP [0:0]
  - :OUTPUT ACCEPT [0:0]
  - COMMIT
  - '# Completed'
  type: list
tables:
  contains:
    table:
      description: Policies and rules for all chains of the named table.
      elements: str
      type: list
  description:
  - The iptables on the system before the module has run, separated by table.
  - If the option O(table) is used, only this table is included.
  returned: always
  sample:
    filter:
    - :INPUT ACCEPT
    - :FORWARD ACCEPT
    - :OUTPUT ACCEPT
    - -A INPUT -i lo -j ACCEPT
    - -A INPUT -p icmp -j ACCEPT
    - -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    - -A INPUT -j REJECT --reject-with icmp-host-prohibited
    nat:
    - :PREROUTING ACCEPT
    - :INPUT ACCEPT
    - :OUTPUT ACCEPT
    - :POSTROUTING ACCEPT
  type: dict
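As an added illustration (not code from the module or from community.general), the following parser splits C(iptables-save) output into the same per-table shape as the C(tables) return value above, and shows why the C(counters) option breaks idempotence: the C([packets:bytes]) suffix on policy lines changes between runs, so it is stripped unless counters are requested. The sample state is constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in iptables-save format (not captured from a real host);
# it mirrors the shape of the initial_state and tables samples documented above.
SAMPLE_STATE = """\
# Generated by xtables-save v1.8.2
*filter
:INPUT ACCEPT [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:420]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
"""

# Trailing "[packets:bytes]" counter on a chain policy line, e.g. ":INPUT ACCEPT [12:960]".
_COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]$")


def split_tables(state: str, counters: bool = False) -> Dict[str, List[str]]:
    """Split iptables-save text into {table_name: [policy lines, rule lines]}.

    With counters=False the "[pkts:bytes]" suffix of each policy line is dropped,
    so two saves of an unchanged ruleset compare equal; with counters=True the
    volatile counters are kept, which is why the module is not idempotent then.
    """
    tables: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in state.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines carry no state
        if line.startswith("*"):
            current = line[1:]            # "*filter" opens a new table block
            tables[current] = []
        elif line == "COMMIT":
            current = None                # the table block is closed
        elif current is None:
            raise ValueError(f"line outside a table block: {line!r}")
        else:
            if line.startswith(":") and not counters:
                line = _COUNTER_RE.sub("", line)
            tables[current].append(line)
    return tables
```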