From 030ea6df33764fc322216ca9f80e4aaf9189e2b9 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Fri, 29 Mar 2019 00:15:05 +0100
Subject: [PATCH] Allow adding proxy-only TCP ports to groups

Signed-off-by: Patrick Uiterwijk
---
 roles/base/templates/iptables/iptables | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 9e1876ef80..b43e8f5597 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -99,6 +99,19 @@
 {% endfor %}
 {% endif %}
 
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in (groups['proxies'] + groups['proxies-internal']) %}
+{% if hostvars[proxy]['vpn'] %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_facts']['ansible_tun0']['ipv4']['address'] }} -j ACCEPT
+{% else %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_facts']['ansible_eth0']['ipv4']['address'] }} -j ACCEPT
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+
 # if there are custom rules - put them in as-is
 {% if custom_rules is defined %}
 {% for rule in custom_rules %}
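Review bot: The tun0/eth0 choice in the new `{% if hostvars[proxy]['vpn'] %}` branch keys only on the proxy's side of the tunnel, so when the host rendering this template is not itself on the VPN, a VPN-enabled proxy will most likely reach it from its eth0 address and the rule pinned to the proxy's tun0 address never matches, silently dropping the proxied traffic (fail-closed, but it will look like an outage). If the rendering host carries the same `vpn` variable, the condition should become `{% if hostvars[proxy]['vpn'] and vpn %}`; I cannot see the host-level variables from this hunk, so confirm the variable name before changing it. Both branches also index `ansible_facts` for every proxy, which requires facts for all proxies to be gathered in the same run or served from a fact cache — a `--limit` run will fail the template on the undefined fact, which is safe but deserves a comment such as `# requires gathered/cached facts for every host in proxies and proxies-internal`. Lastly, a host present in both `proxies` and `proxies-internal` produces duplicate ACCEPT rules for each port; `{% for proxy in (groups['proxies'] + groups['proxies-internal']) | unique %}` keeps the generated ruleset tidy without changing what is allowed.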