arillso.system.iptables role – Manage iptables rules

Note

This role is part of the arillso.system collection (version 0.0.34).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install arillso.system.

To use it in a playbook, specify: arillso.system.iptables.

Entry point main – Manage iptables rules

Synopsis

  • Manage iptables rules including creation, modification, and deletion.

Parameters

iptables_rules (list / elements=dictionary)
    List of iptables rules to be managed. Each item in the list is a dict that specifies the parameters of one rule.
    Default: []

    action (string)
        Action to perform on the rule (append, insert, delete).
        Default: "append"

    chain (string)
        Chain the rule is added to (e.g., INPUT, FORWARD, OUTPUT).

    comment (string)
        Comment associated with the rule.

    destination (string)
        Destination address or network to match.

    destination_port (string)
        Single destination port to match.

    goto (string)
        Target chain for the ‘GOTO’ action.

    in_interface (string)
        Incoming interface to match (e.g., eth0).

    jump (string)
        Target chain for the ‘JUMP’ action.

    out_interface (string)
        Outgoing interface to match (e.g., eth1).

    protocol (string)
        Network protocol to match (e.g., tcp, udp, icmp).

    source (string)
        Source address or network to match.

    source_port (string)
        Single source port to match.

    state (string)
        State of the rule (present, absent).
        Default: "present"

    table (string)
        Table the rule is applied to (e.g., filter, nat).
        Default: "filter"

Entry point modify_iptables – Manage iptables rules

Synopsis

  • Manage iptables rules including creation, modification, and deletion.

Parameters

iptables_rule_action (string)
    Action to perform on the rule (append, insert, delete).
    Default: "append"

iptables_rule_chain (string)
    Name of the iptables chain to modify (e.g., INPUT, FORWARD, OUTPUT).
    Default: "INPUT"

iptables_rule_comment (string)
    Comment associated with the rule.

iptables_rule_ctstate (string)
    Connection tracking states to match (e.g., NEW, ESTABLISHED).

iptables_rule_destination (string)
    Destination address or network to match.

iptables_rule_destination_port (string)
    Single destination port to match.

iptables_rule_destination_ports (string)
    Range or multiple destination ports to match.

iptables_rule_dst_range (string)
    Destination address range to match.

iptables_rule_flags (string)
    Custom flags to match.

iptables_rule_flags_set (string)
    Set of flags to match.

iptables_rule_flush (boolean)
    Flush the rules in the specified chain.
    Choices: false, true

iptables_rule_fragment (boolean)
    Match fragmented packets.
    Choices: false, true

iptables_rule_gateway (string)
    Gateway to use for redirected packets.

iptables_rule_gid_owner (integer)
    Group ID to match for ownership.

iptables_rule_goto (string)
    Target chain for the ‘GOTO’ action.

iptables_rule_icmp_type (string)
    ICMP type to match.

iptables_rule_in_interface (string)
    Incoming interface to match (e.g., eth0).

iptables_rule_ip_version (string)
    IP version to use (ipv4, ipv6).

iptables_rule_jump (string)
    Target chain for the ‘JUMP’ action.

iptables_rule_limit (string)
    Rate limit for matching the rule.

iptables_rule_limit_burst (string)
    Maximum burst allowed before the rate limit applies.

iptables_rule_log_level (string)
    Log level for logging rule matches.

iptables_rule_log_prefix (string)
    Prefix for log messages.

iptables_rule_match (string)
    Match criteria for the rule.

iptables_rule_match_set (string)
    Set name for the ‘ipset’ match.

iptables_rule_match_set_flags (string)
    Flags for the ‘ipset’ match.

iptables_rule_out_interface (string)
    Outgoing interface to match (e.g., eth1).

iptables_rule_policy (string)
    Policy to set on the chain (e.g., ACCEPT, DROP).

iptables_rule_protocol (string)
    Network protocol to match (e.g., tcp, udp, icmp).

iptables_rule_reject_with (string)
    Option for rejecting packets.

iptables_rule_rule_num (integer)
    Rule number used to insert or delete a specific rule.

iptables_rule_set_counters (list / elements=string)
    Set packet and byte counters for a rule.

iptables_rule_set_dscp_mark (string)
    Set the DSCP mark in the IP header.

iptables_rule_set_dscp_mark_class (string)
    Set the DSCP class in the IP header.

iptables_rule_source (string)
    Source address or network to match.

iptables_rule_source_port (string)
    Single source port to match.

iptables_rule_src_range (string)
    Source address range to match.

iptables_rule_state (string)
    State of the rule (present, absent).
    Default: "present"

iptables_rule_syn (boolean)
    Match SYN packets.
    Choices: false, true

iptables_rule_table (string)
    Table the rule is applied to (e.g., filter, nat).
    Default: "filter"

iptables_rule_tcp_flags (string)
    TCP flags to match.

iptables_rule_to_destination (string)
    Target IP address for DNAT/SNAT.

iptables_rule_to_ports (string)
    Target port(s) for DNAT/SNAT.

iptables_rule_to_source (string)
    Source IP address for SNAT.

iptables_rule_uid_owner (integer)
    User ID to match for ownership.

iptables_rule_wait (integer)
    Wait time for the xtables lock.
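The playbook below is an added example, not part of the collection's own documentation, showing both entry points used together to build a default-deny INPUT chain without locking out the Ansible session. It assumes that the modify_iptables entry point is reached with include_role and tasks_from: modify_iptables, and that the host group and management subnet are constructed values.

```yaml
- name: Baseline host firewall with arillso.system.iptables
  hosts: web                 # constructed host group
  become: true
  vars:
    mgmt_net: 10.20.0.0/24   # constructed management subnet
  tasks:
    # 1. Accept return traffic first, so the DROP policy set in step 3
    #    cannot cut existing sessions (including this SSH connection).
    - name: Accept established and related connections
      ansible.builtin.include_role:
        name: arillso.system.iptables
        tasks_from: modify_iptables   # assumed entry-point mapping
      vars:
        iptables_rule_chain: INPUT
        iptables_rule_ctstate: ESTABLISHED,RELATED
        iptables_rule_jump: ACCEPT
        iptables_rule_comment: allow return traffic
    # 2. Per-service allow rules via the main entry point (iptables_rules).
    - name: Allow SSH from the management network and HTTPS from anywhere
      ansible.builtin.include_role:
        name: arillso.system.iptables
      vars:
        iptables_rules:
          - chain: INPUT
            protocol: tcp
            source: "{{ mgmt_net }}"
            destination_port: "22"
            jump: ACCEPT
            comment: ssh from management
          - chain: INPUT
            protocol: tcp
            destination_port: "443"
            jump: ACCEPT
            comment: https
          # A rule that must no longer exist is removed with state: absent.
          - chain: INPUT
            protocol: tcp
            destination_port: "23"
            jump: ACCEPT
            state: absent
            comment: telnet no longer permitted
    # 3. Only after the allow rules are in place, switch to default-deny.
    - name: Set INPUT default policy to DROP
      ansible.builtin.include_role:
        name: arillso.system.iptables
        tasks_from: modify_iptables   # assumed entry-point mapping
      vars:
        iptables_rule_chain: INPUT
        iptables_rule_policy: DROP
```

Task order matters: the ESTABLISHED,RELATED accept and the SSH allow must exist before the policy flips to DROP, otherwise the run can strand the controller.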