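---
# Task list: install iptables, keep a fallback copy of the existing rule file,
# apply every entry of `iptables_rules` through the `iptables` module, then
# persist the live rule set to `iptables_config_file` and reload the service.
#
# Required variables:
#   iptables_config_file - path of the saved rule file on the managed host
#   iptables_rules       - list of mappings; keys mirror the `iptables`
#                          module parameters below, unset keys are omitted

- name: Ensure iptables is present
  apt:
    name: iptables
    update_cache: true
    state: present
  when: ansible_facts.os_family == "Debian"

- name: Ensure iptables is present
  yum:
    name: iptables
    update_cache: true
    state: present
  when: ansible_facts.os_family == "RedHat"

# Best-effort backup of the previous rule file so a bad rule set can be
# restored by hand; `failed_when: false` keeps a missing file (first run)
# from aborting the play.
- name: Save current iptable config if exist
  copy:
    dest: "{{ iptables_config_file }}.fallback"
    src: "{{ iptables_config_file }}"
    remote_src: true
  failed_when: false

# Each parameter is passed with `default(omit, true)`: a rule only has to set
# the keys it needs, and an empty value is treated like an unset one.
# Defaults that are not `omit` (ipv4, INPUT, filter, ignore, present) are the
# effective per-rule defaults for this role.
- name: Apply rules
  iptables:
    ip_version: "{{ item.ip_version | default('ipv4', true) }}"
    action: "{{ item.action | default(omit, true) }}"
    rule_num: "{{ item.rule_num | default(omit, true) }}"
    chain: "{{ item.chain | default('INPUT', true) }}"
    flush: "{{ item.flush | default(omit, true) }}"
    policy: "{{ item.policy | default(omit, true) }}"
    table: "{{ item.table | default('filter', true) }}"
    source: "{{ item.source | default(omit, true) }}"
    destination: "{{ item.destination | default(omit, true) }}"
    src_range: "{{ item.src_range | default(omit, true) }}"
    dst_range: "{{ item.dst_range | default(omit, true) }}"
    source_port: "{{ item.source_port | default(omit, true) }}"
    destination_port: "{{ item.destination_port | default(omit, true) }}"
    protocol: "{{ item.protocol | default(omit, true) }}"
    icmp_type: "{{ item.icmp_type | default(omit, true) }}"
    in_interface: "{{ item.in_interface | default(omit, true) }}"
    out_interface: "{{ item.out_interface | default(omit, true) }}"
    goto: "{{ item.goto | default(omit, true) }}"
    jump: "{{ item.jump | default(omit, true) }}"
    # NOTE(review): the iptables module documents the conntrack-state
    # parameter as `ctstate`; confirm that `cstate` is accepted by the
    # module version in use, otherwise rules carrying this key will fail.
    cstate: "{{ item.cstate | default(omit, true) }}"
    fragment: "{{ item.fragment | default(omit, true) }}"
    gateway: "{{ item.gateway | default(omit, true) }}"
    gid_owner: "{{ item.gid_owner | default(omit, true) }}"
    uid_owner: "{{ item.uid_owner | default(omit, true) }}"
    limit: "{{ item.limit | default(omit, true) }}"
    limit_burst: "{{ item.limit_burst | default(omit, true) }}"
    log_level: "{{ item.log_level | default(omit, true) }}"
    log_prefix: "{{ item.log_prefix | default(omit, true) }}"
    match: "{{ item.match | default(omit, true) }}"
    reject_with: "{{ item.reject_with | default(omit, true) }}"
    set_counters: "{{ item.set_counters | default(omit, true) }}"
    set_dscp_mark: "{{ item.set_dscp_mark | default(omit, true) }}"
    set_dscp_mark_class: "{{ item.set_dscp_mark_class | default(omit, true) }}"
    syn: "{{ item.syn | default('ignore', true) }}"
    tcp_flags: "{{ item.tcp_flags | default(omit, true) }}"
    to_source: "{{ item.to_source | default(omit, true) }}"
    to_destination: "{{ item.to_destination | default(omit, true) }}"
    to_ports: "{{ item.to_ports | default(omit, true) }}"
    state: "{{ item.state | default('present', true) }}"
  with_items: "{{ iptables_rules }}"

# NOTE(review): an `iptables` service unit is what the RedHat
# iptables-services package provides; on Debian the `iptables` package alone
# may not ship a unit of that name — confirm before relying on this task there.
- name: Ensure iptables service is running
  service:
    name: iptables
    state: started
    enabled: true

# Persist the live rule set. The path is shell-quoted so a value containing
# spaces or shell metacharacters cannot break out of the redirection. The
# original `> file >> file` double redirection was equivalent to a plain
# truncating write and is simplified here.
# NOTE(review): iptables-save only emits IPv4 tables; rules applied with
# ip_version ipv6 are not captured by this file — confirm whether that is
# intended.
- name: Save current iptables rules
  shell: "iptables-save > {{ iptables_config_file | quote }}"

- name: Reload saved iptables rules
  service:
    name: iptables
    state: reloaded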