If you are not familiar with modules, check out Ansible - Getting Started with Modules.
The iptables module is used to modify iptables.
Important - This module will not save changes made to iptables. The changes will not persist when iptables is reloaded, or when the system that contains iptables is restarted. The shell or command modules can be used to save the change made to iptables.
iptables uses chains to allow or deny certain types of requests. The default chains are:
Typically, after a clean install of iptables, iptables will already have default rules in place. The flush option is used to flush all rules. Refer to iptables - flush rules for a better understanding of flushing rules.
- name: "flush all iptables rules" iptables: flush: yes
If action not used, the default action will be append. This is important, because the order in which the rules are listed matters. iptables will read the rules from the top down, meaning the first rule listed will be read, then the second rule, and so on, until the last rule is read.
Allow lo interface
Typically, the first rule that is added is to allow traffic directed to the lo interface, which is the loopback interface, localhost, or 127.0.0.1.
- name: "allow connections on the lo interface on the input chain" iptables: chain: INPUT in_interface: lo jump: ACCEPT
Often, the second rule that is added is to allow SSH connections. Assuming that you are using the default port 22 for SSH, the following command will allow SSH on the INPUT chain.
The following will only allow NEW and ESTABLISHED SSH connections on the INPUT chain.
- name: "allow SSH on the input chain" iptables: chain: INPUT protocol: tcp destination_port: 22 match: conntrack ctstate: NEW,ESTABLISHED source: 192.168.0.0/24 jump: ACCEPT
And on the output chain.
- name: "allow SSH on the output chain" iptables: chain: OUTPUT protocol: tcp source_port: 22 match: conntrack ctstate: ESTABLISHED jump: ACCEPT
Allow ICMP ping
Before adding a rule to iptables to allow ICMP, it's important to recognize that there are different types of ICMP packets. Refer to iptables - allow ICMP to understand the different type of ICMP packets that can be specified. The following will allow any and all types of ICMP packets.
- name: "allow any and all types of ICMP packets on the input chain" iptables: chain: INPUT protocol: icmp jump: ACCEPT
Often, only ICMP echo requests are allow. The following command will allow only ICMP echo requests on the INPUT chain, so that the system running iptables can be pinged.
- name: "allow ICMP echo requests on the input chain" iptables: chain: INPUT protocol: icmp icmp_type: echo-request jump: ACCEPT
The last rule on the input chain should be drop, so that any connection not matching a rule in the chain is dropped. In other words, this is an explicit deny. Refer to iptables - drop rule for a better understanding of drop.
- name: "drop any connection that does not match a rule on the INPUT chain" iptables: chain: INPUT jump: DROP
Inserting a rule on a specific line
Once you have the drop rule as the last rule, you would no longer use action: append, as this would append a rule after the drop rule. Recall that action: insert will insert a rule at the beginning of the chain. If you want to add a rule on a certain line, the rule_num parameter can be used. In this example, a rule to allow HTTP traffic on port 80 is inserted on line 4.
- name: "Allow HTTP on port 80" iptables: action: insert chain: INPUT protocol: tcp destination_port: 80 rule_num: "4" jump: ACCEPT
The iptables module will not save changes made to iptables. The changes will not persist when iptables is reloaded, or when the system that contains iptables is restarted. The iptables_state module can be used to save the change made to iptables.
- name: save iptables community.general.iptables_state: state: saved path: /etc/sysconfig/iptables