okd/roles/os_firewall/tasks/firewall/iptables.yml

---

- name: Ensure firewalld service is not enabled
  systemd:
    name: firewalld
    state: stopped
    enabled: no
    masked: yes
  register: task_result
  failed_when: "task_result|failed and 'could not' not in task_result.msg|lower"

- name: Install iptables packages
  package: name={{ item }} state=present
  with_items:
    - iptables
    - iptables-services
  when: not openshift.common.is_atomic | bool

- name: Start and enable iptables service
  systemd:
    name: iptables
    state: started
    enabled: yes
    masked: no
    daemon_reload: yes
  register: result

- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
  pause: seconds=10
  when: result | changed

- name: Add iptables allow rules
  os_firewall_manage_iptables:
    name: "{{ item.service }}"
    action: add
    protocol: "{{ item.port.split('/')[1] }}"
    port: "{{ item.port.split('/')[0] }}"
  with_items: "{{ os_firewall_allow }}"

- name: Remove iptables rules
  os_firewall_manage_iptables:
    name: "{{ item.service }}"
    action: remove
    protocol: "{{ item.port.split('/')[1] }}"
    port: "{{ item.port.split('/')[0] }}"
  with_items: "{{ os_firewall_deny }}"