From c91f34e0b4ae57fc89df9f518a5d1259b4c2a8de Mon Sep 17 00:00:00 2001 From: "Philip (a-0)" <@ph:a-0.me> Date: Mon, 9 Jan 2023 13:32:32 +0100 Subject: [PATCH] Added LocalForward --- README.md | 11 +++++++++-- tasks/remote.yml | 4 ++-- templates/local/ssh_config.j2 | 5 ++++- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ca31441..b92249f 100644 --- a/README.md +++ b/README.md @@ -4,12 +4,19 @@ An ansible role to set up an ssh tunnel and port forwardings from the remote mac ... e.g. in `group_vars` - `ssh_tunnel_pubkey`: The complete line to be used in `authorized_keys`, e.g. "ssh-ed25519 AAAA[...]aU root@mylocalmachine" - `ssh_tunnel_privkey`: The content of the corresponding private key file, including the BEGIN and END tags. It is highly recommended to put this inside an encrypted ansible vault. -- `tunneled_ports`: A list of port forwardings. Example: +- `remote_forward`: The list of port forwardings *from* the remote server *to* some local machine. Example: ``` - tunneled_ports: + remote_forward: - exposed_port: 80 # public port at the remote machine ephemeral_port: 10080 # internal port at remote machine's localhost address. The ssh tunnel will fetch traffic from there dest_host: my-internal-http-server.local.domain.tld # domain or IP address of the destination machine. Must be reachable form the local machine. dest_port: 80 # open port at the destination machine protocols: ["tcp"] # list of protocols for this forwarding. "tcp" and "udp" are supported. ``` +- `local_forward`: The list of port forwardings *from* the local machine *to* the remote machine. Example: + ``` + local_forward: + - local_port: 1234 # port bound on local machine, IP is automatically queried as A-record of inventory_hostname + remote_host: the-remote-server.domain.tld # remote server to forward to + remote_port: the remote machine's port to forward the traffic to + ``` \ No newline at end of file 
diff --git a/tasks/remote.yml b/tasks/remote.yml
index 0f9b440..30ee68f 100644
--- a/tasks/remote.yml
+++ b/tasks/remote.yml
@@ -80,7 +80,7 @@
 destination_port: "{{ item.exposed_port }}"
 jump: DNAT
 to_destination: "127.0.0.1:{{ item.ephemeral_port }}"
- loop: "{{ tunneled_ports }}"
+ loop: "{{ remote_forward }}"
 when: "'tcp' in item.protocols"
 notify: persist iptables
@@ -95,6 +95,6 @@
 destination_port: "{{ item.exposed_port }}"
 jump: DNAT
 to_destination: "[::1]:{{ item.ephemeral_port }}"
- loop: "{{ tunneled_ports }}"
+ loop: "{{ remote_forward }}"
 when: "'tcp' in item.protocols"
 notify: persist iptables
diff --git a/templates/local/ssh_config.j2 b/templates/local/ssh_config.j2
index ce3c93a..141fa37 100644
--- a/templates/local/ssh_config.j2
+++ b/templates/local/ssh_config.j2
@@ -7,6 +7,9 @@ Host gateway
 ExitOnForwardFailure yes
 ServerAliveInterval 5
 ServerAliveCountMax 3
-{% for forwarding in tunneled_ports %}
+{% for forwarding in remote_forward %}
 RemoteForward localhost:{{ forwarding.ephemeral_port }} {{ forwarding.dest_host }}:{{ forwarding.dest_port }}
+{% endfor %}
+{% for forwarding in local_forward %}
+ LocalForward {{ query('community.general.dig', inventory_hostname, 'qtype=A') | first }}:{{ forwarding.local_port }} {{ forwarding.remote_host }}:{{ forwarding.remote_port }}
 {% endfor %}
\ No newline at end of file
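Review bot: The new LocalForward line binds its listener to whatever the A record of `inventory_hostname` resolves to, so the forwarded port listens on a routable address instead of loopback and is reachable by anything on that network, and that choice is baked into the template rather than visible per entry; making it explicit, e.g. `LocalForward {{ forwarding.bind_address | default('localhost') }}:{{ forwarding.local_port }} {{ forwarding.remote_host }}:{{ forwarding.remote_port }}`, keeps loopback as the safe default while still allowing the current behaviour through `bind_address`. The `dig` lookup runs on the controller at template time, so it presumably needs the `community.general` collection, a working resolver there and a resolvable `inventory_hostname`; an empty result makes `| first` fail the template, and an address the local host does not actually own makes the bind fail, at which point `ExitOnForwardFailure yes` three lines above takes the whole tunnel down, RemoteForward entries included. Unless `defaults/main.yml` defines `local_forward`, the new loop also breaks existing inventories that only set `remote_forward`; `{% for forwarding in local_forward | default([]) %}` keeps the key optional. The enclosing `Host gateway` stanza starts before this hunk.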