community.general.iptables_state – Save iptables state into a file or restore it from a file
Note
This plugin is part of the community.general collection (version 3.8.1).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.general
.
To use it in a playbook, specify: community.general.iptables_state
.
New in version 1.1.0: of community.general
Synopsis
-
iptables
is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. - This module handles the saving and/or loading of rules. This is the same as the behaviour of the
iptables-save
andiptables-restore
(orip6tables-save
andip6tables-restore
for IPv6) commands which this module uses internally. - Modifying the state of the firewall remotely may lead to loose access to the host in case of mistake in new ruleset. This module embeds a rollback feature to avoid this, by telling the host to restore previous rules if a cookie is still there after a given delay, and all this time telling the controller to try to remove this cookie on the host through a new connection.
Note
This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
- iptables
- ip6tables
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
counters boolean |
| Save or restore the values of all packet and byte counters. When true , the module is not idempotent. |
ip_version string |
| Which version of the IP protocol this module should apply to. |
modprobe path | Specify the path to the modprobe program internally used by iptables related commands to load kernel modules.By default, /proc/sys/kernel/modprobe is inspected to determine the executable's path. | |
noflush boolean |
| For state=restored, ignored otherwise. If false , restoring iptables rules from a file flushes (deletes) all previous contents of the respective table(s). If true , the previous rules are left untouched (but policies are updated anyway, for all built-in chains). |
path path / required | The file the iptables state should be saved to. The file the iptables state should be restored from. | |
state string / required |
| Whether the firewall state should be saved (into a file) or restored (from a file). |
table string |
| When state=restored, restore only the named table even if the input file contains other tables. Fail if the named table is not declared in the file. When state=saved, restrict output to the specified table. If not specified, output includes all active tables. |
wait integer | Wait N seconds for the xtables lock to prevent instant failure in case multiple instances of the program are running concurrently. |
Notes
Note
- The rollback feature is not a module option and depends on task’s attributes. To enable it, the module must be played asynchronously, i.e. by setting task attributes poll to
0
, and async to a value less or equal toANSIBLE_TIMEOUT
. If async is greater, the rollback will still happen if it shall happen, but you will experience a connection timeout instead of more relevant info returned by the module after its failure. - This module supports check_mode.
Examples
# This will apply to all loaded/active IPv4 tables. - name: Save current state of the firewall in system file community.general.iptables_state: state: saved path: /etc/sysconfig/iptables # This will apply only to IPv6 filter table. - name: save current state of the firewall in system file community.general.iptables_state: ip_version: ipv6 table: filter state: saved path: /etc/iptables/rules.v6 # This will load a state from a file, with a rollback in case of access loss - name: restore firewall state from a file community.general.iptables_state: state: restored path: /run/iptables.apply async: "{{ ansible_timeout }}" poll: 0 # This will load new rules by appending them to the current ones - name: restore firewall state from a file community.general.iptables_state: state: restored path: /run/iptables.apply noflush: true async: "{{ ansible_timeout }}" poll: 0 # This will only retrieve information - name: get current state of the firewall community.general.iptables_state: state: saved path: /tmp/iptables check_mode: yes changed_when: false register: iptables_state - name: show current state of the firewall ansible.builtin.debug: var: iptables_state.initial_state
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |
---|---|---|---|
applied boolean | always | Whether or not the wanted state has been successfully restored. Sample: True | |
initial_state list / elements=string | always | The current state of the firewall when module starts. Sample: ['# Generated by xtables-save v1.8.2', '*filter', ':INPUT ACCEPT [0:0]', ':FORWARD ACCEPT [0:0]', ':OUTPUT ACCEPT [0:0]', 'COMMIT', '# Completed'] | |
restored list / elements=string | always | The state the module restored, whenever it is finally applied or not. Sample: ['# Generated by xtables-save v1.8.2', '*filter', ':INPUT DROP [0:0]', ':FORWARD DROP [0:0]', ':OUTPUT ACCEPT [0:0]', '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT', '-A INPUT -m conntrack --ctstate INVALID -j DROP', '-A INPUT -i lo -j ACCEPT', '-A INPUT -p icmp -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT', 'COMMIT', '# Completed'] | |
saved list / elements=string | always | The iptables state the module saved. Sample: ['# Generated by xtables-save v1.8.2', '*filter', ':INPUT ACCEPT [0:0]', ':FORWARD DROP [0:0]', ':OUTPUT ACCEPT [0:0]', 'COMMIT', '# Completed'] | |
tables dictionary | always | The iptables we have interest for when module starts. Sample: { "filter": [ ":INPUT ACCEPT", ":FORWARD ACCEPT", ":OUTPUT ACCEPT", "-A INPUT -i lo -j ACCEPT", "-A INPUT -p icmp -j ACCEPT", "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT", "-A INPUT -j REJECT --reject-with icmp-host-prohibited" ], "nat": [ ":PREROUTING ACCEPT", ":INPUT ACCEPT", ":OUTPUT ACCEPT", ":POSTROUTING ACCEPT" ] } | |
table list / elements=string | success | Policies and rules for all chains of the named table. |
Authors
- quidame (@quidame)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/iptables_state_module.html