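# iptables-restore ruleset rendered by Salt (Jinja). IPv4 only: nothing here
# is loaded into ip6tables, so a dual-stack host has no IPv6 filtering from
# this file -- ship an ip6tables counterpart or disable IPv6 on the host.
#
# Pillar inputs (each a list of maps; defaults to [] so a missing key renders
# an empty loop instead of aborting the template):
#   public_ports  : {proto: tcp|udp, port: N} -> opened to the world on INPUT
#   ipv4_networks : {ip: A.B.C.D, mask: N}    -> trusted sources, all ports
#   nats          : {ip: A.B.C.D, mask: N}    -> sources MASQUERADEd on egress
# Values are interpolated unescaped into rules; pillar is admin-controlled
# data, so keep these keys out of any externally writable pillar source.
*filter
:INPUT DROP [0:0]
# NOTE(review): FORWARD stays ACCEPT because the MASQUERADE rules below imply
# this host routes for the 'nats' networks and the template does not say
# which other segments (e.g. tun+ peers) rely on forwarding. Any attached
# network can be relayed through this box; tighten to DROP plus explicit
# allows once the forwarding requirements are known.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Everything arriving on a VPN tunnel is fully trusted (any port, any peer).
-A INPUT -i tun+ -j ACCEPT
# Discard malformed / out-of-window packets before the stateful accept so they
# never count as part of an established flow and never reach the logger.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# All ICMP types are accepted, not just echo/PMTU; narrow if the host is exposed.
-A INPUT -p icmp -j ACCEPT
{%- for pub_port in salt['pillar.get']('public_ports', []) %}
-A INPUT -p {{ pub_port.proto }} -m {{ pub_port.proto }} --dport {{ pub_port.port }} -j ACCEPT
{%- endfor %}
{%- for net in salt['pillar.get']('ipv4_networks', []) %}
-A INPUT -s {{ net.ip }}/{{ net.mask }} -j ACCEPT
{%- endfor %}
# Log what the DROP policy is about to discard, but rate-limit it: an
# unbounded LOG rule on a default-deny chain lets any remote sender fill the
# kernel log / disk at line rate.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{%- for net in salt['pillar.get']('nats', []) %}
-A POSTROUTING -s {{ net.ip }}/{{ net.mask }} -j MASQUERADE
{%- endfor %}
COMMIT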