add simple handling for nftable rulesets in base role

1 files changed, 23 insertions, 0 deletions

diff --git a/inventory/host_vars/ch-gw-lan.yml b/inventory/host_vars/ch-gw-lan.yml
index 4637f04e..2aa27ab0 100644
--- a/inventory/host_vars/ch-gw-lan.yml
+++ b/inventory/host_vars/ch-gw-lan.yml
@@ -47,3 +47,26 @@ dhcp_server_interfaces:
     limit: "{{ network_zones.lan.dhcp.limit }}"
     domain: "{{ host_domain }}"
     dns: "{{ network_zones.lan.dns }}"
+
+
+nftables_base_rules:
+  public-services: |
+    define nic_lan = lan0
+    define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }}
+
+    table ip nat {
+      chain public-services-prerouting {
+        type nat hook prerouting priority -100; policy accept;
+        iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
+    {% for name, svc in network_services.items() %}
+        iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
+    {% endfor %}
+      }
+      chain public-services-output {
+        type nat hook output priority -100; policy accept;
+        ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
+    {% for name, svc in network_services.items() %}
+        ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
+    {% endfor %}
+      }
+    }