diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml
index c8b1cd0..a7d3b9d 100644
--- a/roles/ipsec/defaults/main.yml
+++ b/roles/ipsec/defaults/main.yml
@@ -24,6 +24,13 @@ mangle_block: |
   -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   COMMIT
+  *filter
+  :INPUT ACCEPT [0:0]
+  :FORWARD ACCEPT [0:0]
+  :OUTPUT ACCEPT [0:0]
+  -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+  -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "CT INVALID: "
+  COMMIT
 config_and_logrotate:
   - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' }
   - { src: charon, dest: '/etc/logrotate.d/charon' }
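Review bot: The new `-A FORWARD -m conntrack --ctstate INVALID -j LOG` line only records INVALID packets; with `:FORWARD ACCEPT [0:0]` as the chain policy and no terminating rule after it, those packets are still forwarded, so the log prefix "CT INVALID: " will report traffic the host went on to pass. If dropping is intended, add `-A FORWARD -m conntrack --ctstate INVALID -j DROP` directly after the LOG rule, and consider `-m limit --limit 5/min` on the LOG rule so a burst of malformed packets cannot fill the journal. The preceding rule accepts NEW as well as RELATED,ESTABLISHED, so forwarding is effectively open for everything except INVALID/untracked; if that is deliberate a comment in the block saying so would help the next reader. Separately, the variable is still named `mangle_block` although it now also carries a `*filter` table; a short YAML comment above the `*filter` line (or a rename where the variable is consumed, outside this hunk) would avoid confusion.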