Bootstrap FreeKB - Ansible - iptables module
Ansible - iptables module
Updated:   |  Ansible articles

If you are not familiar with modules, check out Ansible - Getting Started with Modules.

The iptables module is used to modify iptables.

Important - This module will not save changes made to iptables. The changes will not persist when iptables is reloaded, or when the system that contains iptables is restarted. The shell or command modules can be used to save the change made to iptables.

Chains

iptables uses chains to allow or deny certain types of requests. The default chains are:

  • INPUT = Inbound request addressed to the host
  • OUTPUT = Output request created by the host
  • FORWARD = Neither addressed to the host nor created by the host. Forward is used to forward or route a packet to it's destination

 

Flushing Rules

Typically, after a clean install of iptables, iptables will already have default rules in place. The flush option is used to flush all rules. Refer to iptables - flush rules for a better understanding of flushing rules.

- name: "flush all iptables rules"
  iptables:
    flush: yes

 

Adding Rules

  • If action is insert, the rule will be added at the beginning of the chain.
  • If action is append, the rule will be added at the end of the chain.

If action not used, the default action will be append. This is important, because the order in which the rules are listed matters. iptables will read the rules from the top down, meaning the first rule listed will be read, then the second rule, and so on, until the last rule is read.

Allow lo interface

Typically, the first rule that is added is to allow traffic directed to the lo interface, which is the loopback interface, localhost, or 127.0.0.1.

- name: "allow connections on the lo interface on the input chain"
  iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

 

Allow SSH

Often, the second rule that is added is to allow SSH connections. Assuming that you are using the default port 22 for SSH, the following command will allow SSH on the INPUT chain.

  • Notice the match parameter contains a value of conntrack. conntrack stands for "connection tracking", which is the state of the SSH connection.
  • Notice the ctstate parameter contains the NEW and ESTABLISHED values. ctstate stands for "connection state". ctstate is only used when the match: connstate parameter is used. NEW, ESTABLISHED, RELATED and INVALID are the possible states.
  • Notice the source parameter contains 192.168.0.0/24, to only allow connections within the 192.168.0 subnet. This parameter is optional. If not used, connections will be allow from an source IP address.

The following will only allow NEW and ESTABLISHED SSH connections on the INPUT chain.

- name: "allow SSH on the input chain"
  iptables:
    chain: INPUT
    protocol: tcp
    destination_port: 22
    match: conntrack
    ctstate: NEW,ESTABLISHED
    source: 192.168.0.0/24
    jump: ACCEPT

 

And on the output chain.

- name: "allow SSH on the output chain"
  iptables:
    chain: OUTPUT
    protocol: tcp
    source_port: 22
    match: conntrack
    ctstate: ESTABLISHED
    jump: ACCEPT

 

Allow ICMP ping

Before adding a rule to iptables to allow ICMP, it's important to recognize that there are different types of ICMP packets. Refer to iptables - allow ICMP to understand the different type of ICMP packets that can be specified. The following will allow any and all types of ICMP packets.

- name: "allow any and all types of ICMP packets on the input chain"
  iptables:
    chain: INPUT
    protocol: icmp
    jump: ACCEPT

 

Often, only ICMP echo requests are allow. The following command will allow only ICMP echo requests on the INPUT chain, so that the system running iptables can be pinged.

  • Notice the icmp_type parameter contains a value of echo-request. Instead of using a value of echo-request, you could use a value of 8. This parameter accept either the numeric or literal name of the ICMP type.
- name: "allow ICMP echo requests on the input chain"
  iptables:
    chain: INPUT
    protocol: icmp
    icmp_type: echo-request
    jump: ACCEPT

 

Drop

The last rule on the input chain should be drop, so that any connection not matching a rule in the chain is dropped. In other words, this is an explicit deny. Refer to iptables - drop rule for a better understanding of drop.

- name: "drop any connection that does not match a rule on the INPUT chain"
  iptables:
    chain: INPUT
    jump: DROP

 

Inserting a rule on a specific line

Once you have the drop rule as the last rule, you would no longer use action: append, as this would append a rule after the drop rule. Recall that action: insert will insert a rule at the beginning of the chain. If you want to add a rule on a certain line, the rule_num parameter can be used. In this example, a rule to allow HTTP traffic on port 80 is inserted on line 4.

- name: "Allow HTTP on port 80"
  iptables:
    action: insert
    chain: INPUT
    protocol: tcp
    destination_port: 80
    rule_num: "4"
    jump: ACCEPT

 

Saving changes

The iptables module will not save changes made to iptables. The changes will not persist when iptables is reloaded, or when the system that contains iptables is restarted. The iptables_state module can be used to save the change made to iptables.

- name: save iptables
  community.general.iptables_state:
    state: saved
    path: /etc/sysconfig/iptables

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter c0248b in the box below so that we can be sure you are a human.