vpn: refs #8748 - add conntrack iptables default block

2025-04-02 11:34:17 +02:00 · 2025-04-02 11:34:17 +02:00 · 0e073c7ba1
parent 7ee760f506
commit 0e073c7ba1
1 changed files with 7 additions and 0 deletions
--- a/roles/ipsec/defaults/main.yml
+++ b/roles/ipsec/defaults/main.yml
@ -24,6 +24,13 @@ mangle_block: |
  -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
  -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
  COMMIT
+  *filter
+  :INPUT ACCEPT [0:0]
+  :FORWARD ACCEPT [0:0]
+  :OUTPUT ACCEPT [0:0]
+  -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+  -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "CT INVALID: "
+  COMMIT
 config_and_logrotate:
  - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' }
  - { src: charon, dest: '/etc/logrotate.d/charon' }