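# Adds a source-NAT (MASQUERADE) rule for a private subnet to ufw's
# /etc/ufw/before.rules. Every task in the block runs with privilege
# escalation and carries the `ufw` tag.
- name: Configure ufw NAT rules
  tags:
    - ufw
  become: true
  block:
    - name: Insert NAT table rules into /etc/ufw/before.rules
      # Both variables are interpolated into the rule below, so both must be
      # set before the task runs. The original condition checked only
      # ufw__nat_address, so a missing ufw__nat_prefix failed at templating.
      # NOTE(review): the values are written verbatim into a root-owned
      # firewall rules file; confirm upstream that they are a valid IPv4
      # network address and prefix length before they reach this task.
      when:
        - ufw__nat_address is defined
        - ufw__nat_prefix is defined
      blockinfile:
        path: /etc/ufw/before.rules
        # Insert before the marker comment matched here, so that the nat
        # table is declared ahead of whatever follows that marker in the file.
        insertbefore: "^# Don't delete these required lines"
        # NOTE(review): the egress interface is hard-coded to eth0; on hosts
        # with a different interface name the rule will not match traffic.
        content: |
          # NAT table rules
          *nat
          :POSTROUTING ACCEPT [0:0]
          # Forward traffic through eth0 - Change to match you out-interface
          -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE
          # don't delete the 'COMMIT' line or these nat table rules won't
          # be processed
          COMMIT

    # Disabled tasks, kept for reference.
    # NOTE(review): if re-enabled as written, the two `direction: out`
    # entries contradict each other (allow, then deny) and the later one
    # would win; enabling ufw before an inbound management rule exists may
    # also cut off remote access. Confirm the intended policy first.
    # - ufw:
    #     state: enabled
    # - ufw:
    #     default: allow
    #     direction: out
    # - ufw:
    #     policy: deny
    #     direction: out
    # - ufw:
    #     policy: allow
    #     direction: routed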