diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index c7f0639..ce6b0f3 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -122,6 +122,14 @@ nodes['htz.ex42-1048908'] = {
             'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
             'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
         },
+        'iptables': {
+            # TODO move to bundles
+            'custom_rules': [
+                'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
+                'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat
+                'iptables_both -A INPUT -p tcp --dport 113 -j ACCEPT', # oidentd
+            ],
+        },
         'letsencrypt': {
             'concat_and_deploy': {
                 'kunsi-weechat': {