From 71c05309b3b65870b46146f8fb0155592232ac49 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 8 Jan 2022 21:23:05 +0100
Subject: simple nftables setup for ch-gw-lan
---
chaos-at-home/ch-gw-lan.yml | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
(limited to 'chaos-at-home')
diff --git a/chaos-at-home/ch-gw-lan.yml b/chaos-at-home/ch-gw-lan.yml
index 5e76e90a..64e1c8b8 100644
--- a/chaos-at-home/ch-gw-lan.yml
+++ b/chaos-at-home/ch-gw-lan.yml
@@ -8,7 +8,28 @@
 - role: core/zsh
 - role: core/ntp
 - role: network/dhcp-server
+ - role: network/nftables/base
 post_tasks:
+ - name: install public service nftable rules
+ copy:
+ content: |
+ # Ansible managed
+
+ define nic_lan = lan0
+ define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }}
+
+ table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority -100; policy accept;
+ iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
+ {% for name, svc in network_services.items() %}
+ iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
+ {% endfor %}
+ }
+ }
+ dest: /etc/nftables.d/public-services.nft
+ notify: reload nftables
+
 - name: install etherwake
 apt:
 name: etherwake
--
cgit v1.2.3
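Review bot: The rendered rule file is installed with `copy` and never syntax-checked before the `reload nftables` handler runs, so a rendering problem (for example a `network_services` entry whose `ports` list is empty, which should yield the invalid `tcp dport { }`) is only noticed when the handler fails, by which time the broken file is already in /etc/nftables.d and presumably also breaks the next boot-time load. Adding `validate: 'nft -c -f %s'` to the `copy` task makes nft dry-run the file before it is put in place and fails the play with the previous file untouched. The enclosing play and its `roles:` list start outside the hunk, and whether the `reload nftables` handler and the /etc/nftables.d include come from `network/nftables/base` cannot be seen here. Consider also setting an explicit `mode: "0644"` on the task so the rule file does not inherit whatever umask the controller happens to use.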