# Generated by Ansible
#
# iptables-restore input (IPv4). Three tables are filled in order:
#   mangle  - MSS clamping on the peer interfaces
#   nat     - optional SNAT for traffic leaving via a peer interface
#   filter  - bogus-packet drops and the "no fastd over mesh" policy
# Counters are reset to [0:0] on every chain.

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# MSS clamping: every TCP SYN leaving via a peer interface gets a fixed
# MSS of 1280. Emitted once per entry in `peers`; nothing when unset.
{% if peers is defined %}
{% for peer in peers %}
-A POSTROUTING -o {{ peer.name }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1280
{% endfor %}
{% endif %}
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Source NAT: only rendered when both `nat_ipv4` and `peers` are set.
# Traffic sourced from `ipv4_network` and leaving via a peer interface is
# rewritten to the address part of `nat_ipv4`.
{% if nat_ipv4 is defined and peers is defined %}
{% for peer in peers %}
-A POSTROUTING -s {{ ipv4_network }} -o {{ peer.name }} -j SNAT --to-source {{ nat_ipv4|ipaddr('address') }}
{% endfor %}
{% endif %}
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Drop bogus TCP flag combinations addressed to this host
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Drop forwarded packets the connection tracker classifies as INVALID
-A FORWARD -m state --state INVALID -j DROP

# Forbid fastd over the mesh: UDP/10000 sourced from `ipv4_network` is
# logged (rate-limited to 2/sec so the log cannot be flooded) and then
# rejected, both for traffic to this host (INPUT) and in transit (FORWARD).
{% for chain in ['INPUT', 'FORWARD'] %}
-A {{ chain }} -s {{ ipv4_network }} -p udp -m udp --dport 10000 -m limit --limit 2/sec -j LOG --log-prefix "fastd over mesh: "
-A {{ chain }} -s {{ ipv4_network }} -p udp -m udp --dport 10000 -j REJECT --reject-with icmp-admin-prohibited
{% endfor %}
COMMIT