From 13c6405b86e0bd0b5f8ca9adb2615b089465530d Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 20 Jan 2018 18:43:19 +0100
Subject: [PATCH] upstream, mgmt-gw: ip{,6}tables -i lo -j ACCEPT
---
 salt/firewall/mgmt-gw.sh | 3 +++
 salt/upstream/iptables | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/salt/firewall/mgmt-gw.sh b/salt/firewall/mgmt-gw.sh
index 743a3c7..fac0928 100644
--- a/salt/firewall/mgmt-gw.sh
+++ b/salt/firewall/mgmt-gw.sh
@@ -9,6 +9,9 @@ if [ "$IFACE" = "{{ interface }}" ]; then
 ip6tables -P FORWARD DROP
 iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
 ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
+ # loopback
+ iptables -A FORWARD -i lo -j ACCEPT
+ ip6tables -A FORWARD -i lo -j ACCEPT
 # DNS
 iptables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
 ip6tables -A FORWARD -i $IFACE -p udp --dport 53 -j ACCEPT
diff --git a/salt/upstream/iptables b/salt/upstream/iptables
index 47100d7..1f3801c 100644
--- a/salt/upstream/iptables
+++ b/salt/upstream/iptables
@@ -2,8 +2,15 @@
 export PATH=/sbin:/bin:/usr/sbin:/usr/bin
+if [ "$IFACE" = "lo" ]; then
+ iptables -I INPUT -i lo -j ACCEPT
+ ip6tables -I INPUT -i lo -j ACCEPT
+fi
 if [ "$IFACE" = "{{ interface }}" ]; then
 iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -i "$IFACE" -j DROP
+ ip6tables -A INPUT -i "$IFACE" -j DROP
 iptables -P INPUT ACCEPT
+ ip6tables -P INPUT ACCEPT
 fi
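Review bot: The new `iptables -A FORWARD -i lo -j ACCEPT` and its ip6tables twin in salt/firewall/mgmt-gw.sh will, as far as I can tell, never match in normal operation: traffic on lo is delivered locally and traverses INPUT/OUTPUT, not FORWARD, so with the FORWARD policy DROP set just above these are dead rules and the `# loopback` comment suggests a permission that is not actually in effect. If the intent is to let the gateway itself reach local services, the accept belongs on INPUT, e.g. `iptables -A INPUT -i lo -j ACCEPT` / `ip6tables -A INPUT -i lo -j ACCEPT`, as the companion salt/upstream/iptables change does; otherwise the three lines should be dropped so the ruleset reads as what it enforces. The enclosing `if [ "$IFACE" = "{{ interface }}" ]` block starts before and ends after the hunk.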
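Review bot: The added `ip6tables -A INPUT -i "$IFACE" -j DROP` in salt/upstream/iptables drops everything on the upstream interface that is not ESTABLISHED,RELATED, and nothing in the visible if-block accepts ICMPv6 first; neighbour discovery and router advertisements are not tracked as RELATED by conntrack, so IPv6 on that interface will likely stop working once the neighbour cache expires. Insert `ip6tables -A INPUT -i "$IFACE" -p icmpv6 -j ACCEPT` (or a narrower list of the NDP types) before the DROP. Separately, the new `-I INPUT -i lo` pair runs every time lo is brought up and inserts a duplicate rule each time; guarding with `iptables -C INPUT -i lo -j ACCEPT || iptables -I INPUT -i lo -j ACCEPT` (and likewise for ip6tables) keeps the chain idempotent. Whether this hook is invoked for lo at all depends on lo being managed by the same interface configuration, which the hunk does not show.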