From 2b7a57407471c2ad94f2ee5f78e231820d3a4d0d Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 15 Jul 2019 17:16:57 +0200
Subject: fix firewall of router (allow ssh from internal nets)

---
 inventory/host_vars/ch-router.yml | 1 +
 1 file changed, 1 insertion(+)

(limited to 'inventory/host_vars/ch-router.yml')

diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index c3df8e2b..5394c4d6 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -85,6 +85,7 @@ openwrt_mixin:
 ## LAN Traffic
 #
 iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s 192.168.0.0/16 -j ACCEPT
+ iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT
 iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s 192.168.0.0/16 -j ACCEPT
 iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--
cgit v1.2.3
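Review bot: The added INPUT rule has no source restriction, so it accepts SSH to "$SVC_IPADDR" from any address arriving on "$SVC_IF", which is broader than the commit subject ("allow ssh from internal nets") and inconsistent with the icmp rule directly above it, which is limited with `-s 192.168.0.0/16`. If the intent is internal-only access, the line should read `iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s 192.168.0.0/16 -p tcp --dport "$SSH_PORT" -j ACCEPT`; whether anything else on "$SVC_IF" can source non-RFC1918 traffic cannot be judged from this hunk, so this is worth confirming against the interface's actual exposure. A short comment such as `# SSH from internal nets only; keep -s in sync with the icmp rule above` would make the constraint visible to the next editor. The enclosing openwrt_mixin block scalar starts and ends outside the hunk.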