From 2a932db784a2edb4fca7f7f5dce7b8b25d9459a2 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Fri, 29 Mar 2019 00:18:04 +0100
Subject: [PATCH] Add proxy-only ports to staging iptables
Signed-off-by: Patrick Uiterwijk
---
 roles/base/templates/iptables/iptables.staging | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/roles/base/templates/iptables/iptables.staging b/roles/base/templates/iptables/iptables.staging
index b34fac291d..2f9acad733 100644
--- a/roles/base/templates/iptables/iptables.staging
+++ b/roles/base/templates/iptables/iptables.staging
@@ -65,6 +65,19 @@ COMMIT
 -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
 {% endfor %}
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in (groups['proxies'] + groups['proxies-internal']) %}
+{% if hostvars[proxy]['vpn'] %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_facts']['ansible_tun0']['ipv4']['address'] }} -j ACCEPT
+{% else %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_facts']['ansible_eth0']['ipv4']['address'] }} -j ACCEPT
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+
 # if there are custom rules - put them in as-is
 {% for rule in custom_rules %}
 {{ rule }}
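Review bot: The added loop makes the whole staging iptables template fail to render whenever any single proxy host lacks a `vpn` variable, has no gathered facts under `hostvars[proxy]['ansible_facts']`, or does not expose the hard-coded `ansible_eth0`/`ansible_tun0` interface keys — one proxy with a renamed interface or stale fact cache then blocks firewall deployment for every staging host, and whether the `ansible_`-prefixed keys live inside `ansible_facts` in this setup is something I cannot confirm from the hunk. Failing closed is arguably the safer outcome for a firewall template, but if that is the intent it deserves an explicit comment, and `{% if hostvars[proxy]['vpn'] | default(false) %}` at least makes a missing `vpn` flag deterministic rather than an error. A host present in both `proxies` and `proxies-internal` also emits duplicate ACCEPT rules; `| unique` on the concatenated list avoids that. Since access to these proxy-only ports rests entirely on source-address matching, the header comment should say so, e.g. `# proxy-only ports: access is restricted by source address only; VPN proxies are matched on their tun0 address, others on eth0`.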