ufw: Adding reload and port forwardings (wip).

1 files changed, 18 insertions, 6 deletions

diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index b372eb7..0579f0a 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -2,20 +2,32 @@
     - ufw
   become: yes
   block:
-    - when: ufw__nat_address is defined
+    - when: 
+      notify: ufw reload
       blockinfile:
         path: /etc/ufw/before.rules
         insertbefore: "^# Don't delete these required lines"
+        marker: "# NAT config: {mark}"
+        state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
         content: |
-          # NAT table rules
           *nat
           :POSTROUTING ACCEPT [0:0]
-
-          # Forward traffic through eth0 - Change to match you out-interface
           -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE
+          COMMIT
 
-          # don't delete the 'COMMIT' line or these nat table rules won't
-          # be processed
+    - notify: ufw reload
+      vars:
+        forwardings: "{{ ufw__port_forwardings if ufw__port_forwardings is defined else [] }}"
+      blockinfile:
+        path: /etc/ufw/before.rules
+        insertbefore: "^# Don't delete these required lines"
+        marker: "# Port forwarding: {mark}"
+        state: "{{ 'present' if ufw__port_forwardings is defined else 'absent' }}"
+        content: |
+          *nat
+          {% for pf in forwardings %}
+          -A PREROUTING -i eth0 {{ " -d" + pf.addr if pf.addr is defined else "" }} -p {{ pf.proto if pf.proto is defined else "tcp" }} --dport {{ pf.port }} -j DNAT --to-destination {{ pf.to }}:{{ pf.to_port if pf.to_port is defined else pf.port }}
+          {% endfor %}
           COMMIT
 
     - ufw: