iptables: mirror the NAT rules in the FORWARD chain to allow the traffic, so that masquerading works when the FORWARD chain's default policy is REJECT.

Andrea Dell'Amico 2020-05-26 13:48:17 +02:00
parent e448415ec8
commit 5a81560775
1 changed files with 10 additions and 3 deletions


@ -344,14 +344,21 @@
-A OUTPUT -p vrrp -j ACCEPT -A OUTPUT -p vrrp -j ACCEPT
{% endif %} {% endif %}
# #
# INPUT POLICY
{% if iptables_input_default_policy == 'REJECT' %} {% if iptables_input_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -j REJECT --reject-with icmp-host-prohibited
{% else %} {% else %}
-A INPUT -j {{ iptables_input_default_policy }} -A INPUT -j {{ iptables_input_default_policy }}
{% endif %} {% endif %}
{% if iptables_nat_enabled or iptables_post_nat_enabled %} #
-A FORWARD -j ACCEPT # FORWARD rules and POLICY
{% elif iptables_forward_default_policy == 'REJECT' %} {% if iptables_post_nat_enabled %}
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
{% for rule in iptables_nat_rules %}
-A FORWARD {{ rule.options }} -j ACCEPT
{% endfor %}
{% endif %}
{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %} {% else %}
-A FORWARD -j {{ iptables_forward_default_policy }} -A FORWARD -j {{ iptables_forward_default_policy }}
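Review bot: The new FORWARD block only opens the chain when `iptables_post_nat_enabled` is set, whereas the removed block also did so for `iptables_nat_enabled`; a host that enables only `iptables_nat_enabled` with a REJECT forward policy now has every forwarded packet rejected, which the commit message does not mention and looks unintended. If that case is still meant to forward, the guard should read `{% if iptables_nat_enabled or iptables_post_nat_enabled %}`, and the stateful accept could be moved in front of both conditions so established flows are always allowed; otherwise the change in behaviour deserves a comment. Mirroring `{{ rule.options }}` verbatim also assumes every entry holds only filter-table matches, so a comment above the loop such as `# rule.options must contain only matches valid in the filter table (-s/-d/-i/-o/-p); nat-specific options will make iptables-restore fail` would tell the next maintainer what the inventory may contain. As a point of style, `-m state --state` is the legacy form; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current equivalent. The closing `{% endif %}` of the policy block is outside the hunk.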