iptables: mirror the NAT rules in the FORWARD chain to allow the traffic, so that masquerade can work with the FORWARD chain in default REJECT.
This commit is contained in:
parent
e448415ec8
commit
5a81560775
|
@ -344,14 +344,21 @@
|
|||
-A OUTPUT -p vrrp -j ACCEPT
|
||||
{% endif %}
|
||||
#
|
||||
# INPUT POLICY
|
||||
{% if iptables_input_default_policy == 'REJECT' %}
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -j {{ iptables_input_default_policy }}
|
||||
{% endif %}
|
||||
{% if iptables_nat_enabled or iptables_post_nat_enabled %}
|
||||
-A FORWARD -j ACCEPT
|
||||
{% elif iptables_forward_default_policy == 'REJECT' %}
|
||||
#
|
||||
# FORWARD rules and POLICY
|
||||
{% if iptables_post_nat_enabled %}
|
||||
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
{% for rule in iptables_nat_rules %}
|
||||
-A FORWARD {{ rule.options }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if iptables_forward_default_policy == 'REJECT' %}
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A FORWARD -j {{ iptables_forward_default_policy }}
|
||||
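Review bot: The FORWARD accepts are emitted only under `{% if iptables_post_nat_enabled %}` while the loop inside walks `iptables_nat_rules`, and the replaced block accepted forwarding for `iptables_nat_enabled` too, so a host with only `iptables_nat_enabled` set now gets no FORWARD accept and falls straight through to the REJECT below. If `iptables_nat_rules` is the list that `iptables_nat_enabled` gates (its definition is not visible here), the guard should probably read `{% if iptables_nat_enabled or iptables_post_nat_enabled %}` with each rule list wrapped in its own flag. Mirroring `{{ rule.options }}` verbatim also means a masquerade rule that matches only `-o eth0` becomes an ACCEPT for every forwarded packet leaving eth0, so a comment such as `# each NAT rule is mirrored below as a FORWARD ACCEPT: its options must carry a -s/-i match` would make the constraint the operator has to honour explicit. `-m state --state ESTABLISHED,RELATED` is the legacy match; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current spelling. The `{% if iptables_forward_default_policy == 'REJECT' %}` block opened at the end of the hunk closes outside it.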
|
|