author | Lars Wirzenius <liw@liw.fi> | 2016-09-06 16:41:22 +0300 |
committer | Lars Wirzenius <liw@liw.fi> | 2016-09-06 16:41:22 +0300 |
commit | a261ce1981a9d4700883fe2f6cd977661707dcc3 (patch) | |
tree | 8a4c83138a957acb848a69f2e2afb66de14e2d4d /ansible/roles/router/files/ferm.conf | |
parent | e26cc6ac07646ca96d166f875e93bfc55dda6517 (diff) | |
download | minipc-router-a261ce1981a9d4700883fe2f6cd977661707dcc3.tar.gz |
Re-enable ferm with minimal NAT/MASQUERADE config
Diffstat (limited to 'ansible/roles/router/files/ferm.conf')
-rw-r--r-- | ansible/roles/router/files/ferm.conf | 41 |
1 files changed, 3 insertions, 38 deletions
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
index c1bd652..1867e84 100644
--- a/ansible/roles/router/files/ferm.conf
+++ b/ansible/roles/router/files/ferm.conf
@@ -13,46 +13,11 @@ @def $NET_PRIVATE = 10.0.0.0/16;
 table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local connections
- interface lo ACCEPT;
-
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
-
- # allow SSH connections from the private network and all
- # Internet hosts. We do not want to restrict ssh to only a
- # small number of "well known" hosts, since there's often a
- # need to connect from net cafes and customer sites.
- proto tcp dport ssh ACCEPT;
- }
-
- # outgoing connections are not limited
+ chain INPUT policy ACCEPT;
 chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # connections from the internal net to the internet or to other
- # internal nets are allowed
- interface $DEV_PRIVATE ACCEPT;
- }
+ chain FORWARD policy ACCEPT;
 }
 table nat {
- chain POSTROUTING {
- # masquerade private IP addresses
-# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
- MASQUERADE;
- }
+ chain POSTROUTING MASQUERADE;
 }
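Review bot: The new `chain POSTROUTING MASQUERADE;` applies to every packet leaving on every interface, and together with `chain FORWARD policy ACCEPT;` (no state matching, no `interface $DEV_PRIVATE` restriction) the router now forwards and source-rewrites traffic in both directions, including from the world-facing side into $NET_PRIVATE, so internal hosts see the router's own address rather than the real origin. The commit title calls this "minimal", but even a minimal NAT should keep the scope the removed rule expressed, `chain POSTROUTING saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;`, and keep FORWARD at `policy DROP` with `mod state state (ESTABLISHED RELATED) ACCEPT;` and `interface $DEV_PRIVATE ACCEPT;` as the old chain did. The scoped rule was already commented out before this change, which suggests $DEV_WORLD may not be defined in the part of the file outside this hunk; if that is the cause, defining it is the fix rather than dropping the scope. If the relaxed INPUT/FORWARD policies are intentionally temporary, a comment in the file saying so, e.g. `# TODO: restore default-deny INPUT/FORWARD with conntrack once NAT is verified`, would keep the next maintainer from treating ACCEPT-everything as the intended state.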