From d5ce7a014e9a49e357f4049480a092df028f0a43 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Thu, 8 Feb 2018 15:29:38 +0000
Subject: [PATCH] Add nat-rules

Signed-off-by: Patrick Uiterwijk
---
 inventory/host_vars/pagure-proxy01.fedoraproject.org | 2 +-
 roles/base/templates/iptables/iptables | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/inventory/host_vars/pagure-proxy01.fedoraproject.org b/inventory/host_vars/pagure-proxy01.fedoraproject.org
index de9dda3f3c..9eba1ec977 100644
--- a/inventory/host_vars/pagure-proxy01.fedoraproject.org
+++ b/inventory/host_vars/pagure-proxy01.fedoraproject.org
@@ -3,7 +3,7 @@
 nm: 255.255.255.128
 gw: 152.19.134.129
 dns: 8.8.8.8
-custom_rules: [
+nat_rules: [
 '-t nat -A PREROUTING --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22',
 '-t nat -A POSTROUTING -p tcp --dst 140.211.169.204 --dport 22 -j SNAT --to-source 152.19.134.147',
 '-t nat -A OUTPUT --dst 152.19.134.147 -p tcp --dport 22 -j DNAT --to-destination 140.211.169.204:22']
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 0e2f4178ce..7efd6202cc 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -110,3 +110,14 @@
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
+
+{%- if nat_rules %}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+{% for rule in nat_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
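Review bot: The block appended after `COMMIT` in roles/base/templates/iptables/iptables opens a second `*filter` table with INPUT/FORWARD/OUTPUT set to ACCEPT and never emits a closing `COMMIT`, although the rules it loops over (the `nat_rules` list in host_vars) are PREROUTING/POSTROUTING/OUTPUT DNAT/SNAT rules for the nat table. As written the rendered file most likely fails in iptables-restore, and a second `*filter` section that did get committed could replace the rules and REJECT fall-through of the filter section above (which starts outside this hunk), so the section should be `*nat` with the nat chains and end in `COMMIT`. iptables-restore also does not accept `-t` inside a table section, so the `-t nat` prefix in the host_vars entries would need to be dropped. Because this is the base role's template, `{% if nat_rules %}` relies on the variable being defined for every host, which this patch does not show; `nat_rules is defined and nat_rules` avoids that, and `{% if` rather than `{%- if` keeps the newline after the preceding `COMMIT`.

```jinja
{# … unchanged: filter section ending in COMMIT … #}

{% if nat_rules is defined and nat_rules %}
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{# each entry written without the '-t nat' prefix #}
{% for rule in nat_rules %}
{{ rule }}
{% endfor %}
COMMIT
{% endif %}
```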