403 lines
16 KiB
Django/Jinja
403 lines
16 KiB
Django/Jinja
#
|
|
# {{ ansible_managed }} don't manually modify this file
|
|
#
|
|
*filter
|
|
:INPUT ACCEPT [0:0]
|
|
:FORWARD ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
{% if iptables_banlist is defined %}
|
|
# We manage the banned IP/networks list before anything else
|
|
{% for obj in iptables_banlist %}
|
|
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
|
|
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
|
{% elif obj.proto is defined and obj.destport is defined %}
|
|
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
|
{% elif obj.proto is defined %}
|
|
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
|
{% else %}
|
|
-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
# Return traffic and localhost
|
|
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
-A INPUT -p icmp -j ACCEPT
|
|
-A INPUT -i lo -j ACCEPT
|
|
#
|
|
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
|
|
{% if iptables_ssh_allowed_hosts is defined %}
|
|
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
|
|
{% for ip in iptables_ssh_allowed_hosts %}
|
|
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
|
|
{% endif %}
|
|
{% else %}
|
|
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
|
|
{% endif %}
|
|
{% if http_port is not defined %}
|
|
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if http_port is defined %}
|
|
# http
|
|
{% if http_allowed_hosts is defined %}
|
|
{% for ip in http_allowed_hosts %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
|
|
{% else %}
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if https_port is defined %}
|
|
# https
|
|
{% if https_allowed_hosts is defined %}
|
|
{% for ip in https_allowed_hosts %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
|
|
{% else %}
|
|
{% if https_managed_hosts is defined %}
|
|
{% for rule in https_managed_hosts %}
|
|
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
|
|
{% else %}
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if iptables is defined %}
|
|
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
|
|
# TCP rules
|
|
{% for tcp_rule in iptables.tcp %}
|
|
{% if tcp_rule.allowed_hosts is defined %}
|
|
{% for ip in tcp_rule.allowed_hosts %}
|
|
{% if ip is string %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
|
{% else %}
|
|
{% for ip_really in ip %}
|
|
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% else %}
|
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if iptables.udp_rules is defined and iptables.udp_rules %}
|
|
# UDP rules
|
|
{% for udp_rule in iptables.udp %}
|
|
{% if udp_rule.allowed_hosts is defined %}
|
|
{% for ip in udp_rule.allowed_hosts %}
|
|
{% if ip is string %}
|
|
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
|
{% else %}
|
|
{% for ip_really in ip %}
|
|
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% else %}
|
|
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if iptables.any_rules is defined and iptables.any_rules %}
|
|
# ANY rules
|
|
{% for any_rule in iptables.any %}
|
|
{% for ip in any_rule.allowed_hosts %}
|
|
-A INPUT -s {{ ip }} -j ACCEPT
|
|
{% endfor %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
|
|
# ANY rules
|
|
{% for rule in iptables.any %}
|
|
{% for ip in rule.allowed_hosts %}
|
|
-A INPUT {{ rule.iptables_rule | default('') }} -s {{ ip }} -j {{ rule.policy | default('ACCEPT') }}
|
|
{% endfor %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
# End of the custom rules
|
|
{% endif %}
|
|
|
|
{% if psql_firewall_enabled %}
|
|
{% if psql_db_port is defined %}
|
|
# PostgreSQL
|
|
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
|
{% if psql_global_firewall is defined %}
|
|
{% for cidr in psql_global_firewall %}
|
|
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
|
|
{% else %}
|
|
{% if psql_db_data is defined %}
|
|
# postgresql clients
|
|
{% for db in psql_db_data %}
|
|
{% for ip in db.allowed_hosts %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
|
{% endfor %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% endif %}
|
|
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
|
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if mysql_firewall_enabled %}
|
|
{% if mysql_db_port is defined %}
|
|
{% if mysql_listen_on_ext_int %}
|
|
# mysql clients
|
|
{% for db in mysql_db_data %}
|
|
{% for ip in db.allowed_hosts %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
|
|
{% endfor %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
|
|
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if openldap_slapd_tcp_port is defined %}
|
|
{% if openldap_allowed_clients is defined %}
|
|
# LDAP
|
|
{% for addr in openldap_allowed_clients %}
|
|
{% if not openldap_slapd_ssl_only %}
|
|
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
|
{% endif %}
|
|
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
|
|
{% else %}
|
|
{% if not openldap_slapd_ssl_only %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
|
{% endif %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if mongodb_allowed_hosts is defined %}
|
|
# mongodb clients
|
|
{% for ip in mongodb_allowed_hosts %}
|
|
{% if mongodb_tcp_port is defined %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
|
|
{% else %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% if mongodb_tcp_port is defined %}
|
|
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
|
|
{% else %}
|
|
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if jgroups_cluster_enabled %}
|
|
# tomcat/jboss/wildfly cluster
|
|
-A INPUT -m pkttype --pkt-type multicast -d {{ jgroups_multicast_addr }} -j ACCEPT
|
|
-A INPUT -m pkttype --pkt-type multicast -d {{ jgroups_mping_multicast_addr | default(jgroups_multicast_addr) }} -j ACCEPT
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ jgroups_multicast_port }} -j ACCEPT
|
|
{% if jgroups_multicast_net is defined %}
|
|
-A INPUT -d {{ jgroups_multicast_net }} -j ACCEPT
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if docker_swarm is defined and docker_swarm %}
|
|
{% for cidr in docker_swarm_allowed_hosts %}
|
|
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
|
|
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
|
|
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
|
|
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
|
|
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
|
|
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
|
|
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
|
|
{% endif %}
|
|
|
|
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
|
# Someone still uses ftp
|
|
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
|
|
{% for ip in vsftpd_iptables_allowed_hosts %}
|
|
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
|
|
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m helper --helper ftp -j ACCEPT
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if tftp_server_iptables_rules is defined and tftp_server_iptables_rules %}
|
|
# TFTP service
|
|
{% for ip in tftp_server_iptables_allowed %}
|
|
-A INPUT -m state --state NEW -p udp -s {{ ip }} --dport tftp -j ACCEPT
|
|
-A INPUT -m state --state ESTABLISHED,RELATED -p udp -s {{ ip }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m helper --helper tftp -j ACCEPT
|
|
{% endif %}
|
|
#
|
|
# TODO: add the rules that block traffic from now on
|
|
#
|
|
{% if nagios_enabled is defined %}
|
|
{% if nagios_enabled %}
|
|
{% if nagios_monitoring_server_ip is defined %}
|
|
# Nagios NRPE
|
|
{% for ip in nagios_monitoring_server_ip %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
|
|
# Check ntp from the nagios server
|
|
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
|
|
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if zabbix_agent_install is defined and zabbix_agent_install %}
|
|
{% if zabbix_agent_passive_checks_status == "enabled" %}
|
|
# Zabbix servers that can send passive checks
|
|
{% for ip in zabbix_monitoring_servers %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if configure_munin is defined %}
|
|
{% if configure_munin %}
|
|
{% if munin_server %}
|
|
# Munin
|
|
{% for ip in munin_server %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
|
|
# orientdb hazelcast multicast rules
|
|
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
|
|
-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
|
|
{% endif %}
|
|
{% if postfix_relay_server is defined and postfix_relay_server%}
|
|
# Postfix
|
|
#
|
|
# These are only needed on the machines that act as relay servers
|
|
#
|
|
{% for cidr in postfix_relay_server_permitted_networks %}
|
|
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
|
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
|
{% else %}
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
|
|
{% endif %}
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
|
|
{% endif %}
|
|
{% if postfix_relay_client is defined and postfix_relay_client%}
|
|
# Postfix
|
|
#
|
|
# When we are not a relay server but we want send email using our relay
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
|
{% if postfix_smtp_relay_servers is defined %}
|
|
{% for host in postfix_smtp_relay_servers %}
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner {{ host.group }} -d {{ host.name }} -j ACCEPT
|
|
{% endfor %}
|
|
{% else %}
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
|
{% endif %}
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
|
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
|
|
{% endif %}
|
|
#
|
|
# Prometheus exporters
|
|
{% if prometheus_enabled is defined and prometheus_enabled %}
|
|
{% if prometheus_servers_ip is defined %}
|
|
{% for ip in prometheus_servers_ip %}
|
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
|
|
{% endfor %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
|
|
{% else %}
|
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if keepalived_enabled is defined and keepalived_enabled %}
|
|
# Keepalived rules. Protocol vrrp, 112
|
|
{% if not keepalived_use_unicast %}
|
|
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
|
|
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
|
|
{% else %}
|
|
{% endif %}
|
|
-A INPUT -p vrrp -j ACCEPT
|
|
-A OUTPUT -p vrrp -j ACCEPT
|
|
{% endif %}
|
|
#
|
|
# INPUT POLICY
|
|
{% if iptables_log_untracked_traffic %}
|
|
-A INPUT -j LOG --log-prefix "INPUT_UNTRACKED " --log-uid
|
|
{% endif %}
|
|
{% if iptables_input_default_policy == 'REJECT' %}
|
|
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
|
{% else %}
|
|
-A INPUT -j {{ iptables_input_default_policy }}
|
|
{% endif %}
|
|
#
|
|
# FORWARD rules and POLICY
|
|
{% if iptables_post_nat_enabled %}
|
|
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
{% for rule in iptables_nat_rules %}
|
|
-A FORWARD {{ rule.options }} -j ACCEPT
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if iptables_log_untracked_traffic %}
|
|
-A FORWARD -j LOG --log-prefix "FORWARDING_UNTRACKED " --log-uid
|
|
{% endif %}
|
|
{% if iptables_forward_default_policy == 'REJECT' %}
|
|
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
|
{% else %}
|
|
-A FORWARD -j {{ iptables_forward_default_policy }}
|
|
{% endif %}
|
|
COMMIT
|
|
{% if iptables_nat_enabled %}
|
|
# This should be obsoleted
|
|
# NAT rules
|
|
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:INPUT ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
{% if iptables_nat_specify_interfaces %}
|
|
{% for int in iptables_nat_interfaces %}
|
|
-A POSTROUTING -o {{ int }} -j MASQUERADE
|
|
{% endfor %}
|
|
{% else %}
|
|
-A POSTROUTING -j MASQUERADE
|
|
{% endif %}
|
|
COMMIT
|
|
{% endif %}
|
|
|
|
{% if iptables_post_nat_enabled %}
|
|
# NAT rules
|
|
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:INPUT ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
{% for rule in iptables_nat_rules %}
|
|
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
|
|
{% endfor %}
|
|
{% if iptables_log_untracked_traffic %}
|
|
-A POSTROUTING -j LOG --log-prefix "POSTROUTING_UNTRACKED " --log-uid
|
|
{% endif %}
|
|
COMMIT
|
|
{% endif %}
|