following ~iptables(8)~ rules are added. They are very similar to the
~nat~ and ~filter~ table rules used by a small institute to masquerade
its ~lan~ to its ~isp~ (see the [[file:Institute/README.org::*UFW Rules][UFW Rules]] of a Small Institute).
+The campus WireGuard™ subnet is not included because the campus Wi-Fi
+hosts should be routing to the wild subnet directly and are assumed to
+be masquerading as their access point(s).
#+NAME: iot-nat
#+CAPTION: ~iot-nat~
#+BEGIN_SRC conf
-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
-A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
--A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
#+END_SRC
#+NAME: iot-forward
*nat
-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
-A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
- -A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
COMMIT
dest: /etc/ufw/before.rules
marker: "# {mark} ABBEY MANAGED BLOCK"
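Review bot: the removal of the ~-A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE~ line (in both the ~iot-nat~ source block and the ~*nat~ content written to /etc/ufw/before.rules) is not paired with any filter-table change, so the assumption added in the prose, that campus Wi-Fi hosts route to the wild subnet directly and never via this gateway, is documented but not enforced: any campus WireGuard packet that is still forwarded out ~wild~ would now egress with its private source address un-NATed. Suggest either adding a matching filter rule such as ~-A ufw-before-forward -s {{ campus_wg_net_cidr }} -o wild -j REJECT~ alongside this change, or stating in the text which existing rule drops that traffic. Also, the block labelled ~#+NAME: iot-forward~ is followed directly by the ~*nat~ POSTROUTING rules with no ~#+BEGIN_SRC~ line and no FORWARD rules, so either the name or the missing header lines should be fixed.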