From 0e073c7ba12b7e650cd1ff14f7f66341bf892f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= <xavi@verdnatura.es>
Date: Wed, 2 Apr 2025 11:34:17 +0200
Subject: [PATCH] vpn: refs #8748 - add conntrack iptables default block

---
 roles/ipsec/defaults/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml
index c8b1cd0..a7d3b9d 100644
--- a/roles/ipsec/defaults/main.yml
+++ b/roles/ipsec/defaults/main.yml
@@ -24,6 +24,13 @@ mangle_block: |
   -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   COMMIT
+  *filter
+  :INPUT ACCEPT [0:0]
+  :FORWARD ACCEPT [0:0]
+  :OUTPUT ACCEPT [0:0]
+  -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+  -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "CT INVALID: "
+  COMMIT
 config_and_logrotate:
   - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' }
   - { src: charon, dest: '/etc/logrotate.d/charon' }
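Review bot: The INVALID rule added to the FORWARD chain only logs; with the chain policy set to `:FORWARD ACCEPT [0:0]` and no terminating rule after it, INVALID packets fall through and are forwarded anyway, so nothing is actually blocked despite the commit subject. The preceding rule also accepts every NEW forwarded connection, which leaves this table doing no filtering beyond logging. Consider rate-limiting the log and adding a drop, e.g. `-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "CT INVALID: "` followed by `-A FORWARD -m conntrack --ctstate INVALID -j DROP`, or change the FORWARD policy to DROP if that is the intent. A `*filter` table appended to a scalar named `mangle_block` is also worth a comment above the key or a rename, since readers will not expect filter rules there; the `mangle_block` block scalar itself starts outside this hunk.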