From 363af73e5777fa2392ed7f07cba7988b7542d81b Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 15 Aug 2023 12:11:22 -0700
Subject: [PATCH] iptables / staging: fix the actual used template

Signed-off-by: Kevin Fenzi
---
 roles/base/templates/iptables/iptables.staging | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/roles/base/templates/iptables/iptables.staging b/roles/base/templates/iptables/iptables.staging
index b5f54cf43b..88a924d68b 100644
--- a/roles/base/templates/iptables/iptables.staging
+++ b/roles/base/templates/iptables/iptables.staging
@@ -14,11 +14,9 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
-# if the blocked_ips is defined - drop them
-{% if blocked_ips is defined %}
-{% for ip in blocked_ips %}
--A INPUT -s {{ ip }} -j DROP
-{% endfor %}
+# if the host is external, block some ips
+{% if external == 'true' %}
+-A INPUT -p all -m set --match-set blocklist src -j REJECT
 {% endif %}
 
 # allow ssh - always
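Review bot: The added rule names the ipset `blocklist` with nothing in this template ensuring it exists, and iptables-restore aborts the entire ruleset when a `--match-set` refers to a set that has not been created, so whatever restores this file must run after the set is created, or the rule should keep a guard comparable to the removed `is defined` check. The condition `{% if external == 'true' %}` matches only the literal string, so a boolean `external` would silently omit the rule; `{% if external | bool %}` handles both forms. Because the new line follows the RELATED,ESTABLISHED accepts, a session already established from a listed address keeps flowing until it ends, and the move from DROP to REJECT now answers listed sources instead of staying silent, so it is worth confirming both are intended. The rest of the template is outside the hunk.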