commit 1a66ddec2c919ae6261f99e99a8cf81370d00e0d
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Dec 3 17:37:40 2016 +0100
Introduce custom_nat_rules
inventory/host_vars/hv01.online.rpmfusion.net | 4 ++--
roles/base/templates/iptables/iptables | 17 +++++++++++++++++
2 files changed, 19 insertions(+), 2 deletions(-)
---
diff --git
a/inventory/host_vars/hv01.online.rpmfusion.net
b/inventory/host_vars/hv01.online.rpmfusion.net
index f922d39..e6f0b4a 100644
---
a/inventory/host_vars/hv01.online.rpmfusion.net
+++
b/inventory/host_vars/hv01.online.rpmfusion.net
@@ -14,5 +14,5 @@ udp_ports: ['53', '1194']
custom_rules: [ '-A FORWARD -d 192.168.181.0/24 -o br1 -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT' , '-A FORWARD -s 192.168.181.0/24 -i br1 -j
ACCEPT', '-A INPUT -i br1 -p tcp -m tcp --dport 111 -j ACCEPT', '-A INPUT
-i tun0 -p tcp -m tcp --dport 111 -j ACCEPT' ,'-A INPUT -i br1 -p tcp -m tcp
--dport 662 -j ACCEPT' , '-A INPUT -i tun0 -p tcp -m tcp --dport 662 -j
ACCEPT', '-A INPUT -i br1 -p tcp -m tcp --dport 892 -j ACCEPT' , '-A INPUT
-i tun0 -p tcp -m tcp --dport 892 -j ACCEPT', '-A INPUT -i br1 -p tcp -m tcp
--dport 2049 -j ACCEPT', '-A INPUT -i tun0 -p tcp -m tcp --dport 2049 -j
ACCEPT', '-A INPUT -i br1 -p udp -m udp --dport 2049 -j ACCEPT', '-A INPUT
-i tun0 -p udp -m udp --dport 2049 -j ACCEPT', '-A INPUT -i br1 -p tcp -m tcp
--dport 32803 -j ACCEPT', '-A INPUT -i tun0 -p tcp -m tcp --dport 32803 -j
ACCEPT', '-A INPUT -i br1 -p udp -m udp --dport 32769 -j ACCEPT', '-A
INPUT -i tun0 -p udp -m udp --dport 32769 -j ACCEPT' , '-A INPUT -i br1 -p tcp -m
tcp --dp
ort 3128 -j ACCEPT', '-A INPUT -i tun0 -p tcp -m tcp --dport 3128 -j
ACCEPT']
-# hack
-#Need missing "iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE"
+custom_nat_rules: ['-A POSTROUTING -o br0 -j MASQUERADE' ]
+
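Review bot: The new `custom_nat_rules` entry masquerades with no source match, so anything the FORWARD chain lets out through br0 is NATted, not only the 192.168.181.0/24 network that the `custom_rules` above forward from br1; if that guest network is the only one meant to be masqueraded, scope the rule to it: `custom_nat_rules: ['-A POSTROUTING -s 192.168.181.0/24 -o br0 -j MASQUERADE']`. That form also drops the stray space before the closing `]`. The removed `# hack` comment is replaced by a real variable, so nothing else is lost, but the added trailing blank line at the end of the file is unnecessary.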
diff --git a/roles/base/templates/iptables/iptables
b/roles/base/templates/iptables/iptables
index a059489..e567479 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -49,3 +49,20 @@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
+
+# nat table
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# custom_nat_rules
+{% if custom_nat_rules is defined %}
+{% for rule in custom_nat_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+COMMIT
+
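Review bot: The `*nat` table with its four ACCEPT policies is now emitted for every host rendering this template, while only the rule loop is guarded by `{% if custom_nat_rules is defined %}`; since iptables-restore replaces every table named in its input, hosts that never set `custom_nat_rules` would presumably have their nat table flushed on the next run, clearing any NAT entries maintained outside this role. If that is not intended, move the `{% if custom_nat_rules is defined %}` / `{% endif %}` lines so they enclose the whole section from `# nat table` through the final `COMMIT`, leaving the inner `{% for %}` loop as it is. A brief comment such as `# nat table is rendered only when custom_nat_rules is set in the inventory` above the guard would document that choice.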