path: root/roles/colo-router/templates/iptables
blob: db4895e614d833b6c30c0c2305812b92eac2618b (plain)
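#!/bin/sh
# DO NOT EDIT! MANAGED BY ANSIBLE
#
# Colo router NAT/forwarding rules, rendered by Ansible.
# For every VLAN in `vlans` (unless the VLAN sets masquerade: false) this
# masquerades the VLAN subnet out of the host's default IPv4 interface and
# forwards its outbound traffic, letting only RELATED/ESTABLISHED replies
# back in. Rules are appended with -A, so re-running the script without a
# prior flush duplicates them.
# NOTE(review): the default FORWARD policy is not set in this file; it is
# presumably handled by manage_iptables.py sync — confirm.

set -e

ext={{ansible_default_ipv4.interface}}
# One "network/prefix" entry per line, computed from each VLAN address.
subnets="
{% for vlan in vlans %}
  {% if vlan.masquerade is not defined or vlan.masquerade %}
{{ vlan.address | ipaddr('host/prefix') | ipaddr('network')}}/{{ vlan.address | ipaddr('host/prefix') | ipaddr('prefix')}}
  {% endif %}
{% endfor %}
"
modprobe iptable_nat

# Baseline ruleset; NOTE(review): assumed to reset the nat/filter tables
# before the per-subnet rules below are appended — confirm.
/usr/local/bin/manage_iptables.py sync

# $subnets is deliberately unquoted: word-splitting turns each line into
# one loop item. Every other expansion is quoted.
for subnet in $subnets ; do
	# SNAT traffic from the subnet as it leaves via the external interface.
	iptables -t nat -A POSTROUTING -s "$subnet" -o "$ext" -j MASQUERADE
	# Outbound forwarding from the subnet is unrestricted; inbound is
	# limited to replies to existing connections.
	iptables -A FORWARD -s "$subnet" -o "$ext" -j ACCEPT
	iptables -A FORWARD -d "$subnet" -i "$ext" -m state --state RELATED,ESTABLISHED -j ACCEPT

	# enable squid transparent proxy
	# iptables -t nat -A PREROUTING -s "$subnet" -p tcp --dport 80 -j REDIRECT --to 3129
done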