From 5a815607752608a856a38fe854370fbadc5bd1f7 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Tue, 26 May 2020 13:48:17 +0200
Subject: [PATCH] iptables: mirror the NAT rules in the FORWARD chain to allow
 the traffic, so that masquerade can work with the FORWARD chain in default
 REJECT.

---
 .../roles/iptables/templates/iptables-rules.v4.j2   | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
index 22c90c7..b6360ec 100644
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
@@ -344,14 +344,21 @@
 -A OUTPUT -p vrrp -j ACCEPT
 {% endif %}
 #
+# INPUT POLICY
 {% if iptables_input_default_policy == 'REJECT' %}
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A INPUT -j {{ iptables_input_default_policy }}
 {% endif %}
-{% if iptables_nat_enabled or iptables_post_nat_enabled %}
--A FORWARD -j ACCEPT
-{% elif iptables_forward_default_policy == 'REJECT' %}
+#
+# FORWARD rules and POLICY
+{% if iptables_post_nat_enabled %}
+-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+{% for rule in iptables_nat_rules %}
+-A FORWARD {{ rule.options }} -j ACCEPT
+{% endfor %}
+{% endif %}
+{% if iptables_forward_default_policy == 'REJECT' %}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A FORWARD -j {{ iptables_forward_default_policy }}
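Review bot: The new FORWARD block is gated on `iptables_post_nat_enabled` alone, while the removed branch also fired for `iptables_nat_enabled`; if that variable still enables NAT rules elsewhere in this template, a host with it set and `iptables_forward_default_policy` at REJECT now loses its blanket FORWARD ACCEPT without getting any mirrored rule in its place, so that forwarded traffic falls through to the final REJECT. If narrowing the condition is deliberate, a comment such as `# iptables_nat_enabled alone no longer opens FORWARD; mirrored rules need iptables_post_nat_enabled` above the `{% if %}` would record that; otherwise the guard should read `{% if iptables_nat_enabled or iptables_post_nat_enabled %}`. Since `rule.options` is expanded verbatim into `-A FORWARD`, a short comment above the loop stating that every entry in `iptables_nat_rules` must use only matches valid in the FORWARD chain (and that the list must be defined whenever `iptables_post_nat_enabled` is true) would help maintainers adding rules later. The defaults of these variables and the NAT section that consumes `iptables_nat_rules` lie outside the hunk, so the impact is inferred from the names.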