|
- ---
- - name: Ensure iptables is present
- apt:
- name: 'iptables'
- update_cache: true
- state: present
- when: ansible_facts.os_family == "Debian"
- - name: Ensure iptables is present
- yum:
- name: 'iptables'
- update_cache: true
- state: present
- when: ansible_facts.os_family == "RedHat"
-
- - name: Save current iptable config if exist
- copy:
- dest: "{{ iptables_config_file }}.fallback"
- src: "{{ iptables_config_file }}"
- remote_src: yes
- failed_when: false
-
- - name: Apply rules
- iptables:
- ip_version: "{{ item.ip_version | default('ipv4', true) }}"
- action: "{{ item.action | default(omit, true) }}"
- rule_num: "{{ item.rule_num | default(omit, true) }}"
- chain: "{{ item.chain | default('INPUT', true) }}"
- flush: "{{ item.flush | default(omit, true) }}"
- policy: "{{ item.policy | default(omit, true) }}"
- table: "{{ item.table | default('filter', true) }}"
- source: "{{ item.source | default(omit, true) }}"
- destination: "{{ item.destination | default(omit, true) }}"
- src_range: "{{ item.src_range | default(omit, true) }}"
- dst_range: "{{ item.dst_range | default(omit, true) }}"
- source_port: "{{ item.source_port | default(omit, true) }}"
- destination_port: "{{ item.destination_port | default(omit, true) }}"
- protocol: "{{ item.protocol | default(omit, true) }}"
- icmp_type: "{{ item.icmp_type | default(omit, true) }}"
- in_interface: "{{ item.in_interface | default(omit, true) }}"
- out_interface: "{{ item.out_interface | default(omit, true) }}"
- goto: "{{ item.goto | default(omit, true) }}"
- jump: "{{ item.jump | default(omit, true) }}"
- cstate: "{{ item.cstate | default(omit, true) }}"
- fragment: "{{ item.fragment | default(omit, true) }}"
- gateway: "{{ item.gateway | default(omit, true) }}"
- gid_owner: "{{ item.gid_owner | default(omit, true) }}"
- uid_owner: "{{ item.uid_owner | default(omit, true) }}"
- limit: "{{ item.limit | default(omit, true) }}"
- limit_burst: "{{ item.limit_burst | default(omit, true) }}"
- log_level: "{{ item.log_level | default(omit, true) }}"
- log_prefix: "{{ item.log_prefix | default(omit, true) }}"
- match: "{{ item.match | default(omit, true) }}"
- reject_with: "{{ item.reject_with | default(omit, true) }}"
- set_counters: "{{ item.set_counters | default(omit, true) }}"
- set_dscp_mark: "{{ item.set_dscp_mark | default(omit, true) }}"
- set_dscp_mark_class: "{{ item.set_dscp_mark_class | default(omit, true) }}"
- syn: "{{ item.syn | default('ignore', true) }}"
- tcp_flags: "{{ item.tcp_flags | default(omit, true) }}"
- to_source: "{{ item.to_source | default(omit, true) }}"
- to_destination: "{{ item.to_destination | default(omit, true) }}"
- to_ports: "{{ item.to_ports | default(omit, true) }}"
- state: "{{ item.state | default('present', true) }}"
- with_items: "{{ iptables_rules }}"
-
-
- - name: Ensure iptables service is running
- service:
- name: iptables
- state: started
- enabled: yes
-
- - name: Save current iptables rules
- shell: "iptables-save > {{ iptables_config_file }} >> {{ iptables_config_file }}"
-
- - name: Reload saved iptables rules
- service:
- name: iptables
- state: reloaded
- ...
|
