tpiccioli
/
ansible-roles
forked from ISTI-ansible-roles/ansible-roles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request 'iptables: mirror the NAT rules in the FORWARD chain to allow the traffic, so that masquerade can work with the FORWARD chain in default REJECT.' (#208) from adellam/ansible-roles:master into master

This commit is contained in:
Andrea Dell'Amico 2020-05-26 13:50:50 +02:00
parent 1b887b7606 5a81560775
commit ebada3cdbc
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
library/roles/iptables/templates/iptables-rules.v4.j2
View File

@ -344,14 +344,21 @@
-A OUTPUT -p vrrp -j ACCEPT
{% endif %}
#
# INPUT POLICY
{% if iptables_input_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -j {{ iptables_input_default_policy }}
{% endif %}
{% if iptables_nat_enabled or iptables_post_nat_enabled %}
-A FORWARD -j ACCEPT
{% elif iptables_forward_default_policy == 'REJECT' %}
#
# FORWARD rules and POLICY
{% if iptables_post_nat_enabled %}
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
{% for rule in iptables_nat_rules %}
-A FORWARD {{ rule.options }} -j ACCEPT
{% endfor %}
{% endif %}
{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A FORWARD -j {{ iptables_forward_default_policy }}