author | heqnx <root@heqnx.com> | 2025-06-22 21:48:19 +0300 |
---|---|---|
committer | heqnx <root@heqnx.com> | 2025-06-22 21:48:19 +0300 |
commit | 68b9ae8c82c3326acb7ba96a500929f67566a00e (patch) | |
tree | 1acc607554704c581c8b1f068cdfbcbaa60d969c | |
parent | 49a4ba3b9351c17dace1a9a806b40bf9ca34f900 (diff) | |
moved nat masq to ufw before.rules and removed before.v4.j2 template
-rw-r--r-- | tasks/pve_configure.yaml | 19 | ||||
-rw-r--r-- | templates/rules.v4.j2 | 13 |
2 files changed, 11 insertions, 21 deletions
diff --git a/tasks/pve_configure.yaml b/tasks/pve_configure.yaml
index c67be1a..514faa4 100644
--- a/tasks/pve_configure.yaml
+++ b/tasks/pve_configure.yaml
@@ -25,20 +25,23 @@
     dest: /etc/default/pveproxy
     mode: '0644'
 
-- name: deploy /etc/iptables/rules.v4
-  template:
-    src: rules.v4.j2
-    dest: /etc/iptables/rules.v4
-    owner: root
-    group: root
-    mode: '0644'
+- name: add nat masquerade rules to ufw before.rules
+  blockinfile:
+    path: /etc/ufw/before.rules
+    insertbefore: BOF
+    block: |
+      :POSTROUTING ACCEPT [0:0]
+      -A POSTROUTING -s {{ nat_subnet }} -o {{ public_interface }} -j MASQUERADE
+      COMMIT
+    marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"
 
-- name: enable ipv4 forwarding
+- name: enable ipv4 forwarding persistently
   sysctl:
     name: net.ipv4.ip_forward
     value: '1'
     state: present
     reload: yes
+    sysctl_file: /etc/sysctl.conf
 
 - name: restart pveproxy
   systemd:
diff --git a/templates/rules.v4.j2 b/templates/rules.v4.j2
deleted file mode 100644
index 6a0e54f..0000000
--- a/templates/rules.v4.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
--A POSTROUTING -s {{ nat_subnet }} -o {{ public_interface }} -j MASQUERADE
-COMMIT
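Review bot: The block that `blockinfile` inserts at BOF opens with `:POSTROUTING ACCEPT [0:0]` and has no `*nat` table line in front of it, so iptables-restore has no table to attach the chain and rule to and `ufw enable`/`ufw reload` will refuse the whole before.rules file — the deleted rules.v4.j2 carried that `*nat` header and this block drops it. The block should begin `*nat` as its first line, followed by `:POSTROUTING ACCEPT [0:0]`, the MASQUERADE rule and `COMMIT`. Nothing in the hunk reloads ufw after editing before.rules, so even a valid block only takes effect on the next reload; a `notify` to a ufw reload handler would make the play converge in one run, and forwarded traffic presumably also needs ufw's DEFAULT_FORWARD_POLICY set to ACCEPT, which this commit does not touch (cannot confirm from the hunk). The previously deployed /etc/iptables/rules.v4 is no longer managed but is not removed either, so if iptables-persistent or a similar restore service is present on the host it may keep loading the old ruleset alongside ufw's. The task preceding the hunk (the pveproxy default file) starts outside it.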