fix: https forward rule fixed not to persist the whole nat table (#7)

homecentr · Feb 25, 2024 · 32a941b · 32a941b
1 parent 316e6e8
commit 32a941b
Showing 1 changed file with 21 additions and 6 deletions.
diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml
@@ -10,12 +10,25 @@
     comment: "Enable Proxmox admin interface on 443"
     in_interface: vmbr0 # Must be specified to prevent docker containers calling 443 to be redirected to local
 
+- name: "Get serialized rule for permanent storage"
+  register: pve_https_forward_iptables_rule
+  changed_when: false
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      set -o pipefail
+      iptables-save -t nat | grep 'Proxmox'
+
 - name: "Save iptables state to a file"
-  community.general.iptables_state:
-    ip_version: ipv4
-    table: nat
-    state: saved
-    path: /etc/iptables/nat.rules.v4
+  ansible.builtin.copy:
+    dest: /etc/iptables/nat.rules.v4
+    owner: root
+    group: root
+    mode: "0644"
+    content: |
+      *nat
+      {{ pve_https_forward_iptables_rule.stdout_lines[0] }}
+      COMMIT
 
 - name: "Create iptables restore script"
   ansible.builtin.copy:
@@ -25,4 +38,6 @@
     group: root
     content: |
       #!/bin/sh
-      iptables-restore < /etc/iptables/nat.rules.v4
+      iptables-restore -n < /etc/iptables/nat.rules.v4
+      # Avoid duplicate rules
+      iptables-save | uniq | iptables-restore