From 0b2eb8d752c5229e50663226be897f8ef8bfa013 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Tue, 8 Aug 2023 22:38:33 +0200
Subject: wireguard: optionally set iptables rules

---
 roles/wireguard/defaults/main.yml | 1 +
 roles/wireguard/templates/wg0.conf | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index 67964a5..9f7733a 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -1,2 +1,3 @@
 wg_name: wg0
 wg_listen_port: 51280
+wg_firewall: false
diff --git a/roles/wireguard/templates/wg0.conf b/roles/wireguard/templates/wg0.conf
index 1d6140c..aff1300 100644
--- a/roles/wireguard/templates/wg0.conf
+++ b/roles/wireguard/templates/wg0.conf
@@ -3,6 +3,17 @@
 PrivateKey = {{ wg_private_key }}
 Address = {{ wg_addr4 }}, {{ wg_addr6 }}
 ListenPort = {{ wg_listen_port }}
 SaveConfig = false
+
+{% if wg_firewall %}
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = iptables -A FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostUp = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = ip6tables -A FORWARD -s {{ wg_addr6 }} -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = iptables -D FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostDown = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = ip6tables -D FORWARD -s {{ wg_addr6 }} -j ACCEPT
+{% endif %}
 {% if wg_peers is defined %}
 {% for peer in wg_peers %}
-- 
cgit v1.2.3
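Review bot: The IPv6 nat PostDown line in the wg0.conf hunk uses `-A` where the matching IPv4 line and the other PostDown lines use `-D`, so bringing the interface down appends a second MASQUERADE rule for {{ wg_addr6 }} instead of removing the one PostUp added, and every up/down cycle leaves another stale NAT rule behind. It should read `PostDown = ip6tables -t nat -D POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE`. Separately, the FORWARD rules only match traffic sourced from the tunnel addresses; whether replies back to the peers are accepted depends on the host's existing FORWARD policy and conntrack rules, which this template does not set, so a one-line comment above the `{% if wg_firewall %}` block stating that assumption would help the next operator. The defaults hunk keeps `wg_firewall: false`, so these rules remain opt-in.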