From 68b9ae8c82c3326acb7ba96a500929f67566a00e Mon Sep 17 00:00:00 2001
From: heqnx
Date: Sun, 22 Jun 2025 21:48:19 +0300
Subject: moved nat masq to ufw before.rules and removed before.v4.j2 template

---
 tasks/pve_configure.yaml | 19 +++++++++++--------
 templates/rules.v4.j2    | 13 -------------
 2 files changed, 11 insertions(+), 21 deletions(-)
 delete mode 100644 templates/rules.v4.j2

diff --git a/tasks/pve_configure.yaml b/tasks/pve_configure.yaml
index c67be1a..514faa4 100644
--- a/tasks/pve_configure.yaml
+++ b/tasks/pve_configure.yaml
@@ -25,20 +25,23 @@
     dest: /etc/default/pveproxy
     mode: '0644'
 
-- name: deploy /etc/iptables/rules.v4
-  template:
-    src: rules.v4.j2
-    dest: /etc/iptables/rules.v4
-    owner: root
-    group: root
-    mode: '0644'
+- name: add nat masquerade rules to ufw before.rules
+  blockinfile:
+    path: /etc/ufw/before.rules
+    insertbefore: BOF
+    block: |
+      :POSTROUTING ACCEPT [0:0]
+      -A POSTROUTING -s {{ nat_subnet }} -o {{ public_interface }} -j MASQUERADE
+      COMMIT
+    marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"
 
-- name: enable ipv4 forwarding
+- name: enable ipv4 forwarding persistently
   sysctl:
     name: net.ipv4.ip_forward
     value: '1'
     state: present
     reload: yes
+    sysctl_file: /etc/sysctl.conf
 
 - name: restart pveproxy
   systemd:
diff --git a/templates/rules.v4.j2 b/templates/rules.v4.j2
deleted file mode 100644
index 6a0e54f..0000000
--- a/templates/rules.v4.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
--A POSTROUTING -s {{ nat_subnet }} -o {{ public_interface }} -j MASQUERADE
-COMMIT
-- 
cgit v1.2.3
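Review bot: The block written to /etc/ufw/before.rules has no table header: `:POSTROUTING ACCEPT [0:0]`, the `-A POSTROUTING … -j MASQUERADE` rule and `COMMIT` are emitted outside any `*table` declaration, and iptables-restore rejects a chain or rule line that is not preceded by one, so ufw's startup/reload would fail on before.rules and the masquerade would never be applied, whereas the deleted rules.v4.j2 had the `*nat` header in place. Prepend `*nat` as the first line of the `block: |` scalar, directly above `:POSTROUTING ACCEPT [0:0]`, which is also the layout the ufw NAT documentation prescribes; the diffstat's 11 insertions match the lines shown, so the header is genuinely absent rather than lost in rendering. Separately, the removed rules.v4 carried a blanket `:FORWARD ACCEPT` policy, while forwarded traffic is now governed by ufw's DEFAULT_FORWARD_POLICY (DROP by default) or `ufw route` rules, none of which appear in this diff — confirm the forwarding path is opened deliberately, preferably with scoped `ufw route allow in on <nat_if> out on {{ public_interface }}` rules rather than a global ACCEPT. No notify/handler for a ufw reload is visible in this hunk either, so the edited before.rules presumably only takes effect at the next ufw restart — verify this is handled elsewhere in the play.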