Add conntrack module ctstate support to iptables
This commit is contained in:
parent
a47427cddf
commit
d332a9a8e4
1 changed files with 19 additions and 0 deletions
@ -203,6 +203,12 @@ options:
description:
description:
- "This specifies a comment that will be added to the rule"
- "This specifies a comment that will be added to the rule"
required: false
required: false
ctstate:
description:
- "ctstate is a comma separated list of the connection states to match in
the conntrack module. Possible states are: 'INVALID', 'NEW',
'ESTABLISHED', 'RELATED', 'UNTRACKED', 'SNAT', 'DNAT'"
required: false
'''
'''
EXAMPLES = '''
EXAMPLES = '''
@ -213,6 +219,10 @@ EXAMPLES = '''
# Forward port 80 to 8600
# Forward port 80 to 8600
- iptables: table=nat chain=PREROUTING in_interface=eth0 protocol=tcp match=tcp destination_port=80 jump=REDIRECT to_ports=8600 comment="Redirect web traffic to port 8600"
- iptables: table=nat chain=PREROUTING in_interface=eth0 protocol=tcp match=tcp destination_port=80 jump=REDIRECT to_ports=8600 comment="Redirect web traffic to port 8600"
become: yes
become: yes
# Allow related and established connections
- iptables: chain=INPUT ctstate=ESTABLISHED,RELATED jump=ACCEPT
become: yes
'''
'''
@ -230,6 +240,12 @@ def append_comm(rule, param):
rule.extend(['comment'])
rule.extend(['comment'])
def append_conntrack(rule, param):
if param:
rule.extend(['-m'])
rule.extend(['conntrack'])
def construct_rule(params):
def construct_rule(params):
rule = []
rule = []
append_param(rule, params['protocol'], '-p', False)
append_param(rule, params['protocol'], '-p', False)
@ -247,6 +263,8 @@ def construct_rule(params):
append_param(rule, params['to_ports'], '--to-ports', False)
append_param(rule, params['to_ports'], '--to-ports', False)
append_comm(rule, params['comment'])
append_comm(rule, params['comment'])
append_param(rule, params['comment'], '--comment', False)
append_param(rule, params['comment'], '--comment', False)
append_conntrack(rule, params['ctstate'])
append_param(rule, params['ctstate'], '--ctstate', False)
return rule
return rule
@ -296,6 +314,7 @@ def main():
destination_port=dict(required=False, default=None, type='str'),
destination_port=dict(required=False, default=None, type='str'),
to_ports=dict(required=False, default=None, type='str'),
to_ports=dict(required=False, default=None, type='str'),
comment=dict(required=False, default=None, type='str'),
comment=dict(required=False, default=None, type='str'),
ctstate=dict(required=False, default=None, type='str'),
),
),
)
)
args = dict(
args = dict(
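Review bot: The `ctstate` value is forwarded to the iptables argv unvalidated at `append_param(rule, params['ctstate'], '--ctstate', False)` in the construct_rule hunk, so the set of states documented in the first hunk is never enforced and a mistyped or stray value only fails inside iptables, with the less readable error that produces. Because the option is a comma-separated string, `choices=` on the argspec cannot express the constraint; a check in main() that splits the value on ',' and fails the module on any token outside the documented set keeps the docs and the runtime in step (sketched below, assuming the AnsibleModule instance is bound to a name such as `module`, which is not visible in the hunk, and noting that the rest of main() lies outside it). The ordering of the two new calls in construct_rule also deserves a why-comment, since iptables only accepts `--ctstate` once the match module is on the rule: `# -m conntrack must precede --ctstate on the command line`. In append_conntrack, `rule.extend(['-m', 'conntrack'])` would say the same as the two single-element extend calls, though the current form does mirror append_comm directly above it.
```python
# … unchanged: AnsibleModule construction in main() …
VALID_CTSTATES = ('INVALID', 'NEW', 'ESTABLISHED', 'RELATED', 'UNTRACKED', 'SNAT', 'DNAT')
ctstate = module.params['ctstate']
if ctstate:
    unknown = [s for s in ctstate.split(',') if s not in VALID_CTSTATES]
    if unknown:
        module.fail_json(msg='ctstate contains unknown state(s): %s' % ', '.join(unknown))
```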