iptables
Collection: builtin
Full Name: parallax.builtin.iptables
Aliases: ansible.builtin.iptables, iptables
Synopsis
Manage iptables
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| table | string | | filter | This option specifies the packet matching table. Choices: filter, nat, mangle, raw, security |
| state | string | | present | Whether the rule should be absent or present. Choices: absent, present |
| action | string | | append | Whether the rule should be appended at the bottom or inserted at the top. Choices: append, insert |
| rule_num | string | | | Insert the rule as the given rule number |
| ip_version | string | | ipv4 | Which version of the IP protocol this rule should apply to. Choices: ipv4, ipv6 |
| chain | string | yes | | Specify the iptables chain |
| protocol | string | | | The protocol of the rule or of the packet to check |
| source | string | | | Source specification |
| destination | string | | | Destination specification |
| tcp_flags | map | | | TCP flags specification |
| jump | string | | | This specifies the target of the rule |
| goto | string | | | This specifies that the processing should continue in a user specified chain |
| in_interface | string | | | Name of an interface via which a packet was received |
| out_interface | string | | | Name of an interface via which a packet is going to be sent |
| fragment | string | | | This means that the rule only refers to second and further fragments of fragmented packets |
| set_counters | string | | | This enables the administrator to initialize the packet and byte counters of a rule |
| source_port | string | | | Source port or port range specification |
| destination_port | string | | | Destination port or port range specification |
| to_ports | string | | | This specifies a destination port or range of ports to use |
| to_destination | string | | | This specifies a destination address to use with DNAT |
| to_source | string | | | This specifies a source address to use with SNAT |
| syn | string | | | This allows matching packets that have the SYN bit set and the ACK and RST bits unset. Choices: ignore, match, negate |
| set_dscp_mark | string | | | This allows specifying a DSCP mark to be added to packets |
| set_dscp_mark_class | string | | | This allows specifying a DSCP mark to be added to packets |
| comment | string | | | This specifies a comment that will be attached to the rule |
| ctstate | list | | | ctstate is a list of the connection states to match in the conntrack module |
| src_range | string | | | Specifies a range of source addresses |
| dst_range | string | | | Specifies a range of destination addresses |
| match | list | | | Specifies a match to use |
| limit | string | | | Specifies the maximum average number of matches to allow per second |
| limit_burst | string | | | Specifies the maximum burst before the above limit kicks in |
| uid_owner | string | | | Specifies the UID or username to use in match by owner rule |
| gid_owner | string | | | Specifies the GID or group to use in match by owner rule |
| reject_with | string | | | Specifies the error packet type to return while rejecting |
| icmp_type | string | | | This allows specification of the ICMP type |
| flush | bool | | false | Flushes the specified table and chain of all rules |
| policy | string | | | Set the policy for the chain to the given target. Choices: ACCEPT, DROP, QUEUE, RETURN |
| wait | string | | | Wait for the xtables lock |
| chain_management | bool | | false | If true, the chain will be created if needed |
| numeric | bool | | false | This option makes iptables print numerical addresses and port numbers |
Example
```yaml
- name: Example iptables task
  iptables:
    chain: <your_chain>
```
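A fuller playbook, added here as an illustration and not taken from the parallax project's own documentation, showing how the parameters in the table above combine into a default-deny INPUT chain. It assumes the module behaves like its alias ansible.builtin.iptables (a rule is checked for before it is added, so re-running the play is idempotent, and setting ctstate or limit loads the matching conntrack or limit module), and that the host group name webservers is a placeholder to replace. Only parameter names listed in the table are used.

```yaml
# Added example (not the project's own documentation): build a default-deny
# INPUT chain from the parameters documented above. Assumes the module behaves
# like its alias ansible.builtin.iptables; "webservers" is a placeholder group.
- name: Default-deny inbound filtering with parallax.builtin.iptables
  hosts: webservers
  become: true
  tasks:
    - name: Accept anything arriving on the loopback interface
      parallax.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
        comment: loopback

    - name: Accept packets belonging to connections this host already has
      parallax.builtin.iptables:
        chain: INPUT
        ctstate:
          - ESTABLISHED
          - RELATED
        jump: ACCEPT
        comment: conntrack established and related

    - name: Accept new SSH connections, rate limited to slow down password guessing
      parallax.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "22"
        ctstate:
          - NEW
        limit: 5/min
        limit_burst: "10"
        jump: ACCEPT
        comment: ssh rate limited

    - name: Keep HTTPS rules in a user-defined chain, creating the chain if it is missing
      parallax.builtin.iptables:
        chain: APP_INPUT
        chain_management: true
        protocol: tcp
        destination_port: "443"
        jump: ACCEPT
        comment: https

    - name: Hand HTTPS traffic from INPUT to the application chain
      parallax.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "443"
        jump: APP_INPUT
        comment: hand off to APP_INPUT

    - name: Remove a stale rule that used to allow telnet
      parallax.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "23"
        jump: ACCEPT
        state: absent

    - name: Set the default policy last, once the accept rules are in place
      parallax.builtin.iptables:
        chain: INPUT
        policy: DROP
```

Task order matters: the policy change to DROP comes after the loopback, conntrack and SSH accept rules so that the session running the play is not cut off midway, and rules are appended in the order listed, so a later task that needs to sit above an existing rule would use action: insert (optionally with rule_num) instead of the default append.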