From: Matt Birkholz Date: Thu, 18 Sep 2025 23:41:06 +0000 (-0600) Subject: Eliminate unused masquerading rule. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=ba5889ae0aea46f9bed8c8dd11b5cd94a36fc45f;p=Network.git Eliminate unused masquerading rule. --- diff --git a/README.org b/README.org index cb9c233..bb949e1 100644 --- a/README.org +++ b/README.org @@ -1496,13 +1496,15 @@ To allow masquerading between the private subnets and ~wild~, the following ~iptables(8)~ rules are added. They are very similar to the ~nat~ and ~filter~ table rules used by a small institute to masquerade its ~lan~ to its ~isp~ (see the [[file:Institute/README.org::*UFW Rules][UFW Rules]] of a Small Institute). +The campus WireGuard™ subnet is not included because the campus Wi-Fi +hosts should be routing to the wild subnet directly and are assumed to +be masquerading as their access point(s). #+NAME: iot-nat #+CAPTION: ~iot-nat~ #+BEGIN_SRC conf -A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE --A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE #+END_SRC #+NAME: iot-forward diff --git a/roles_t/abbey-gate/tasks/main.yml b/roles_t/abbey-gate/tasks/main.yml index a05c12c..d045e74 100644 --- a/roles_t/abbey-gate/tasks/main.yml +++ b/roles_t/abbey-gate/tasks/main.yml @@ -6,7 +6,6 @@ *nat -A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE - -A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE COMMIT dest: /etc/ufw/before.rules marker: "# {mark} ABBEY MANAGED BLOCK"
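Review bot: The new README paragraph justifies dropping the campus WireGuard MASQUERADE rule with an assumption ("are assumed to be masquerading as their access point(s)") but does not say what happens to a packet that does arrive from ~campus_wg_net_cidr~ bound for ~wild~. The ~iot-forward~ block that follows is outside this hunk, so the reader cannot tell whether forwarding for that subnet was also removed or was never present; if a FORWARD rule still accepts it, such traffic now leaves ~wild~ with an unmasqueraded tunnel source address. Suggest either stating in this paragraph that no ~iot-forward~ rule admits ~campus_wg_net_cidr~ to ~wild~, or removing the matching forward rule in the same commit so the documentation and the table stay consistent.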
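Review bot: Removing the line from the managed block in /etc/ufw/before.rules changes the file but not the running ~nat~ table; the hunk does not show whether this task notifies a ufw reload handler, so confirm one exists, otherwise the old MASQUERADE rule stays active on already-deployed gates until the next reload. Also check whether ~campus_wg_net_cidr~ is still referenced anywhere else in the role or its defaults now that this was its last use here, so the variable does not linger undefined-but-documented.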