From 655a917dd277e67a83744600f1513b187d846807 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Mon, 27 Mar 2017 00:04:46 -0400
Subject: [PATCH] iptables filter table fix (#285)
---
 roles/vpn/tasks/ubuntu.yml | 15 ---------------
 roles/vpn/templates/rules.v4.j2 | 1 +
 roles/vpn/templates/rules.v6.j2 | 1 +
 3 files changed, 2 insertions(+), 15 deletions(-)
diff --git a/roles/vpn/tasks/ubuntu.yml b/roles/vpn/tasks/ubuntu.yml
index d00896f..dbd459f 100644
--- a/roles/vpn/tasks/ubuntu.yml
+++ b/roles/vpn/tasks/ubuntu.yml
@@ -24,21 +24,6 @@
 - strongswan
 - netfilter-persistent
-- name: Ubuntu | Configure iptables so IPSec traffic can traverse the tunnel
- iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
- when: (security_enabled is not defined) or
- (security_enabled is defined and security_enabled != "y")
- notify:
- - save iptables
- - name: Ubuntu | Configure ip6tables so IPSec traffic can traverse the tunnel
- iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
- when: ((security_enabled is not defined) or
- (security_enabled is defined and security_enabled != "y")) and
- ipv6_support is defined and ipv6_support == "yes"
- notify:
- - save iptables
-
 - name: Ubuntu | Ensure that the strongswan service directory exist
 file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root
diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2
index 77fa27b..5ced4ee 100644
--- a/roles/vpn/templates/rules.v4.j2
+++ b/roles/vpn/templates/rules.v4.j2
@@ -41,3 +41,4 @@ COMMIT
 -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
 -A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network }} -m policy --pol ipsec --dir in -j ACCEPT
 COMMIT
+
diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2
index fffd366..0eda48f 100644
--- a/roles/vpn/templates/rules.v6.j2
+++ b/roles/vpn/templates/rules.v6.j2
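Review bot: The added blank line after the final `COMMIT` is the whole fix, yet nothing in the template marks it as intentional, so an editor or linter that trims trailing blank lines will silently revert it (the rules.v6.j2 hunk has the same issue). Presumably it exists because the template renderer drops a single trailing newline and iptables-restore refuses a rules file whose last COMMIT is not newline-terminated, which would leave the host with no filter rules loaded; please confirm that reading before relying on it. A comment near the top of the file, which iptables-restore accepts as a `#` line, would protect it: `# NOTE: the blank line after the last COMMIT is intentional; it keeps the final COMMIT newline-terminated after rendering, and iptables-restore fails to load the rules without it.` The template's table sections begin outside the hunk.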
@@ -55,3 +55,4 @@ COMMIT
 -A ICMPV6-CHECK-LOG -j LOG --log-prefix "ICMPV6-CHECK-LOG DROP "
 -A ICMPV6-CHECK-LOG -j DROP
 COMMIT
+