community.general.iptables_state – Save iptables state into a file or restore it from a file
Note
This plugin is part of the community.general collection (version 3.8.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.general
.
To use it in a playbook, specify: community.general.iptables_state
.
New in version 1.1.0: of community.general
Synopsis
iptables
is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.This module handles the saving and/or loading of rules. This is the same as the behaviour of the
iptables-save
andiptables-restore
(orip6tables-save
andip6tables-restore
for IPv6) commands which this module uses internally.Modifying the state of the firewall remotely may lead to loose access to the host in case of mistake in new ruleset. This module embeds a rollback feature to avoid this, by telling the host to restore previous rules if a cookie is still there after a given delay, and all this time telling the controller to try to remove this cookie on the host through a new connection.
Note
This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
iptables
ip6tables
Parameters
Parameter |
Comments |
---|---|
Save or restore the values of all packet and byte counters. When Choices:
|
|
Which version of the IP protocol this module should apply to. Choices:
|
|
Specify the path to the By default, |
|
For state=restored, ignored otherwise. If Choices:
|
|
The file the iptables state should be saved to. The file the iptables state should be restored from. |
|
Whether the firewall state should be saved (into a file) or restored (from a file). Choices:
|
|
When state=restored, restore only the named table even if the input file contains other tables. Fail if the named table is not declared in the file. When state=saved, restrict output to the specified table. If not specified, output includes all active tables. Choices:
|
|
Wait N seconds for the xtables lock to prevent instant failure in case multiple instances of the program are running concurrently. |
Notes
Note
The rollback feature is not a module option and depends on task’s attributes. To enable it, the module must be played asynchronously, i.e. by setting task attributes poll to
0
, and async to a value less or equal toANSIBLE_TIMEOUT
. If async is greater, the rollback will still happen if it shall happen, but you will experience a connection timeout instead of more relevant info returned by the module after its failure.This module supports check_mode.
Examples
# This will apply to all loaded/active IPv4 tables.
- name: Save current state of the firewall in system file
community.general.iptables_state:
state: saved
path: /etc/sysconfig/iptables
# This will apply only to IPv6 filter table.
- name: save current state of the firewall in system file
community.general.iptables_state:
ip_version: ipv6
table: filter
state: saved
path: /etc/iptables/rules.v6
# This will load a state from a file, with a rollback in case of access loss
- name: restore firewall state from a file
community.general.iptables_state:
state: restored
path: /run/iptables.apply
async: "{{ ansible_timeout }}"
poll: 0
# This will load new rules by appending them to the current ones
- name: restore firewall state from a file
community.general.iptables_state:
state: restored
path: /run/iptables.apply
noflush: true
async: "{{ ansible_timeout }}"
poll: 0
# This will only retrieve information
- name: get current state of the firewall
community.general.iptables_state:
state: saved
path: /tmp/iptables
check_mode: yes
changed_when: false
register: iptables_state
- name: show current state of the firewall
ansible.builtin.debug:
var: iptables_state.initial_state
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Whether or not the wanted state has been successfully restored. Returned: always Sample: true |
|
The current state of the firewall when module starts. Returned: always Sample: [“# Generated by xtables-save v1.8.2”, “*filter”, “:INPUT ACCEPT [0:0]”, “:FORWARD ACCEPT [0:0]”, “:OUTPUT ACCEPT [0:0]”, “COMMIT”, “# Completed”] |
|
The state the module restored, whenever it is finally applied or not. Returned: always Sample: [“# Generated by xtables-save v1.8.2”, “*filter”, “:INPUT DROP [0:0]”, “:FORWARD DROP [0:0]”, “:OUTPUT ACCEPT [0:0]”, “-A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT”, “-A INPUT -m conntrack –ctstate INVALID -j DROP”, “-A INPUT -i lo -j ACCEPT”, “-A INPUT -p icmp -j ACCEPT”, “-A INPUT -p tcp -m tcp –dport 22 -j ACCEPT”, “COMMIT”, “# Completed”] |
|
The iptables state the module saved. Returned: always Sample: [“# Generated by xtables-save v1.8.2”, “*filter”, “:INPUT ACCEPT [0:0]”, “:FORWARD DROP [0:0]”, “:OUTPUT ACCEPT [0:0]”, “COMMIT”, “# Completed”] |
|
The iptables we have interest for when module starts. Returned: always Sample: “{\n \”filter\”: [\n \”:INPUT ACCEPT\”,\n \”:FORWARD ACCEPT\”,\n \”:OUTPUT ACCEPT\”,\n \”-A INPUT -i lo -j ACCEPT\”,\n \”-A INPUT -p icmp -j ACCEPT\”,\n \”-A INPUT -p tcp -m tcp –dport 22 -j ACCEPT\”,\n \”-A INPUT -j REJECT –reject-with icmp-host-prohibited\”\n ],\n \”nat\”: [\n \”:PREROUTING ACCEPT\”,\n \”:INPUT ACCEPT\”,\n \”:OUTPUT ACCEPT\”,\n \”:POSTROUTING ACCEPT\”\n ]\n}” |
|
Policies and rules for all chains of the named table. Returned: success |
Authors
quidame (@quidame)