# This file is managed by ansible, don't make changes here - they will be overwritten.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if ffrl_tun is defined and ffrl_nat_ip is defined %}
-A POSTROUTING -o tun-ffrl+ -j SNAT --to-source {{ffrl_nat_ip | ipaddr('address')}}
{% endif %}
{% if ffnw_tun is defined %}
-A POSTROUTING -o tun-ffnw+ -j SNAT --to-source {{ffnw_nat_ip| ipaddr('address')}}
{% endif %}
{% if ffnw_tun is not defined and ffrl_tun is not defined %}
-A POSTROUTING -o gre+ -p tcp -m tcp --dport 53 -j SNAT --to-source 10.0.0.{{vm_id}}
-A POSTROUTING -o gre+ -p udp -m udp --dport 53 -j SNAT --to-source 10.0.0.{{vm_id}}
{% endif %}
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N DNS
-A OUTPUT -p udp -m udp --dport 53 -j DNS
-A OUTPUT -p tcp -m tcp --dport 53 -j DNS
{% if 'dienste' in groups %}
{% for host in groups['dienste'] %}
{% if hostvars[host].inventory_hostname_short == "dnsmaster" %}
-A DNS -d {{hostvars[host].ansible_ssh_host}}/32 -j RETURN
{% endif %}
{% endfor %}
{% endif %}
{% if v4dnsips is defined %}
{% for entry in v4dnsips %}
-A DNS -d {{entry}}/32 -j RETURN
{% endfor %}
{% endif %}
-A DNS -j MARK --set-mark 0x1
-A DNS -j RETURN
:POSTROUTING ACCEPT [0:0]
{% if ffrl_tun is defined or ffnw_tun is defined %}
-A POSTROUTING -o tun-+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:1240 -j TCPMSS --set-mss 1240
{% endif %}
COMMIT