- # This file is managed by ansible, don't make changes here - they will be overwritten.
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- COMMIT
- *nat
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- {% if ffrl_tun is defined and ffrl_nat_ip is defined %}
- -A POSTROUTING -o tun-ffrl+ -j SNAT --to-source {{ffrl_nat_ip | ipaddr('address')}}
- {% endif %}
- {% if ffnw_tun is defined %}
- -A POSTROUTING -o tun-ffnw+ -j SNAT --to-source {{ffnw_nat_ip| ipaddr('address')}}
- {% endif %}
- {% if ffnw_tun is not defined and ffrl_tun is not defined %}
- -A POSTROUTING -o gre+ -p tcp -m tcp --dport 53 -j SNAT --to-source 10.0.0.{{vm_id}}
- -A POSTROUTING -o gre+ -p udp -m udp --dport 53 -j SNAT --to-source 10.0.0.{{vm_id}}
- {% endif %}
- COMMIT
- *mangle
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- -N DNS
- -A OUTPUT -p udp -m udp --dport 53 -j DNS
- -A OUTPUT -p tcp -m tcp --dport 53 -j DNS
- {% if 'dienste' in groups %}
- {% for host in groups['dienste'] %}
- {% if hostvars[host].inventory_hostname_short == "dnsmaster" %}
- -A DNS -d {{hostvars[host].ansible_ssh_host}}/32 -j RETURN
- {% endif %}
- {% endfor %}
- {% endif %}
- {% if v4dnsips is defined %}
- {% for entry in v4dnsips %}
- -A DNS -d {{entry}}/32 -j RETURN
- {% endfor %}
- {% endif %}
- -A DNS -j MARK --set-mark 0x1
- -A DNS -j RETURN
- :POSTROUTING ACCEPT [0:0]
- {% if ffrl_tun is defined or ffnw_tun is defined %}
- -A POSTROUTING -o tun-+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:1240 -j TCPMSS --set-mss 1240
- {% endif %}
- COMMIT