CentOS · bstinsonmhk · Mar 5, 2019 · Mar 5, 2019
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -29,6 +29,24 @@ iptables_sshd_allowed_from:
 # if the node is a firewall/gateway
 iptables_gw: false
 
+# The "internal" interface of the gateway
+iptables_gw_internal_iface: eth1
+
+# The "external" interface of the gateway
+iptables_gw_external_iface: eth0
+
+# Default chain policies. This is only active on the filter table
+iptables_default_input_policy: ACCEPT
+iptables_default_forward_policy: ACCEPT
+iptables_default_output_policy: ACCEPT
+
+# Add a default reject footer (you can do the same by setting the
+# default_*_policy for the chains. This is here to support backwards compat
+# with current systems that add a REJECT stanza for the INPUT and FORWARD
+# chains
+iptables_default_reject_footer: true
+
+
 # if it's a gw, what do we forward/allow (lists)
 iptables_forward_allow:
   - source: "192.168.0.0/24"
@@ -59,4 +77,3 @@ ip6tables_sshd_allowed_from:
 ip6tables_forward_allow:
   - source: "::/0"
     destination: "::/0"
-
diff --git a/files/01-input-0_head b/files/01-input-0_head
diff --git a/tasks/iptables-config.yml b/tasks/iptables-config.yml
@@ -25,12 +25,18 @@
   with_items:
     - 99-filter-commit
     - 98-forward-0_head
-    - 98-forward-z_foot
-    - 01-input-0_head
-    - 01-input-z_foot
     - 00-nat-0_head
     - 00-nat-commit
 
+- name: Dropping templated iptables rules
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/sysconfig/iptables.d/{{ item }}"
+  with_items:
+    - 01-input-0_head
+    - 01-input-z_foot
+    - 98-forward-z_foot
+
 - name: Configuring incoming sshd allowed IP
   template:
     src: 01-input-service-default-sshd.policy.j2

diff --git a/templates/01-input-0_head.j2 b/templates/01-input-0_head.j2
@@ -0,0 +1,10 @@
+
+*filter
+:INPUT {{ iptables_default_input_policy }} [0:0]
+:FORWARD {{ iptables_default_forward_policy }} [0:0]
+:OUTPUT {{ iptables_default_output_policy }} [0:0]
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+#-A OUTPUT -o eth0 -j ACCEPT
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
diff --git a/files/01-input-z_foot → templates/01-input-z_foot.j2 b/files/01-input-z_foot → templates/01-input-z_foot.j2
@@ -1,4 +1,4 @@
-
+{% if iptables_default_reject_footer -%}
 # End of computed iptables rules, so denying all the rest
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
-
+{% endif %}
diff --git a/templates/98-forward-11-allow.j2 b/templates/98-forward-11-allow.j2
@@ -1,3 +1,5 @@
+-A FORWARD -i {{ iptables_gw_external_iface }} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i {{ iptables_gw_internal_iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
 {% for rule in iptables_forward_allow %}
 
 {% if rule.protocol is defined -%}

diff --git a/files/98-forward-z_foot → templates/98-forward-z_foot.j2 b/files/98-forward-z_foot → templates/98-forward-z_foot.j2
@@ -1 +1,3 @@
+{% if iptables_default_reject_footer -%}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
+{% endif %}