From 36cd84ab1ba40e7e5a960e7c6c01062a93046582 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 9 Apr 2013 19:04:13 +0200
Subject: [PATCH] nat out of vpn

---
 modules/ferm/manifests/per-host.pp | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 7fd1a4eab..3ab8f4ce5 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -145,6 +145,29 @@ class ferm::per-host {
 description => 'Allow ldaps access',
 rule => '&SERVICE(tcp, 636)'
 }
+ @ferm::rule { 'dsa-vpn':
+ description => 'Allow openvpn access',
+ rule => '&SERVICE(udp, 17257)'
+ }
+ @ferm::rule { 'dsa-routing':
+ description => 'forward chain',
+ chain => 'FORWARD',
+ rule => 'policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface tun+ ACCEPT;
+REJECT reject-with icmp-admin-prohibited
+'
+ }
+ @ferm::rule { 'dsa-vpn-mark':
+ table => 'mangle',
+ chain => 'PREROUTING',
+ rule => 'interface tun+ MARK set-mark 1',
+ }
+ @ferm::rule { 'dsa-vpn-nat':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
+ }
 }
 cilea: {
 ferm::module { 'nf_conntrack_sip': }
-- 
2.20.1
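Review bot: The `interface tun+ ACCEPT` line in `dsa-routing` together with the `outerface !tun+ mod mark mark 1 MASQUERADE` line in `dsa-vpn-nat` lets any VPN client reach every network this host can route to, with its traffic source-NATed to the host's own address on each of them, rather than only the intended upstream; consider pinning the NAT to the egress interface, e.g. `outerface <egress-if> mod mark mark 1 MASQUERADE`, and restricting the forward accept to the VPN address pool, `interface tun+ saddr <vpn-pool> ACCEPT`, so spoofed or unexpected sources arriving on tun are not forwarded. The FORWARD chain also declares `policy ACCEPT` and relies on the trailing `REJECT reject-with icmp-admin-prohibited` to fail closed; `policy DROP;` in its place keeps the host from forwarding at all if the rule list is only partially applied. Which interface the VPN should egress through, whether `ip_forward` is enabled, and whether mark value 1 is already used elsewhere on the host are not visible in this hunk and need confirming against the host configuration. The enclosing class and the case branch these rules sit in both start and end outside the hunk.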