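---
# Remote endpoint of the SSH tunnel role: creates the unprivileged sshd user,
# drops a dedicated sshd config, enables kernel forwarding and DNATs
# privileged ports arriving on eth0 to ephemeral loopback ports.
# The ssh_tunnel_* / remote_forward variables and the "persist iptables"
# handler are defined outside this file.
# NOTE(review): only some tasks set `become`; the apt/user/sysctl tasks rely
# on the calling play already running privileged — confirm at the play level.

- name: Install required packages
  apt:
    name: socat
    state: present

- name: Ensure unprivileged ssh user exists
  user:
    name: "{{ ssh_tunnel_sshd_unprivileged_user }}"
    system: true
    state: present

- name: Set authorized_keys for unprivileged user
  template:
    src: remote/authorized_keys.j2
    # ssh_tunnel_remote_sshdir is expected to carry its trailing slash.
    dest: "{{ ssh_tunnel_remote_sshdir }}authorized_keys"
    owner: "{{ ssh_tunnel_sshd_unprivileged_user }}"
    # Quoted so the leading zero is passed to the module as written instead
    # of being reinterpreted as a YAML 1.1 octal integer (ansible-lint risky-octal).
    mode: "0600"

- name: Set sshd_config
  become: true
  template:
    src: remote/sshd_config.j2
    dest: "{{ ssh_tunnel_sshd_conf_dir }}tunnel.conf"
    mode: "0644"
    owner: root

- name: Enable IPv4 forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
    state: present
    reload: true

- name: Enable IPv6 forwarding
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '1'
    sysctl_set: true
    state: present
    reload: true

# Needed for the DNAT-to-127.0.0.1 rules below: with route_localnet the kernel
# will route traffic arriving on eth0 to loopback addresses, so every service
# bound to 127.0.0.1 on a forwarded ephemeral port becomes reachable from the
# network through those rules. That is the intent of this role; keep the
# exposed_port/ephemeral_port list minimal.
- name: Enable IPv4 local network forwarding
  sysctl:
    name: net.ipv4.conf.all.route_localnet
    value: '1'
    sysctl_set: true
    state: present
    reload: true

- name: Install iptables-persistent
  apt:
    name: iptables-persistent
    update_cache: true
    state: present

# No `chain` is given, so every chain of the nat table is flushed on each run,
# not only the PREROUTING rules this role adds; any other NAT rules present on
# the host are removed as well, and the forwards are absent until re-added
# below. The flush tasks do not notify the persist handler, so a run that adds
# no rules afterwards leaves the on-disk rule set unchanged.
- name: Flush existing iptables entries (IPv4)
  become: true
  iptables:
    ip_version: ipv4
    table: nat
    flush: true

- name: Flush existing iptables entries (IPv6)
  become: true
  iptables:
    ip_version: ipv6
    table: nat
    flush: true

# Only TCP rules are generated: a remote_forward entry whose protocols list
# lacks 'tcp' is skipped here and nothing forwards it. The ingress interface
# is hard-coded to eth0.
- name: Forward privileged ports to ephemeral localhost ports (IPv4, TCP)
  become: true
  iptables:
    ip_version: ipv4
    table: nat
    chain: PREROUTING
    in_interface: eth0
    protocol: tcp
    destination_port: "{{ item.exposed_port }}"
    jump: DNAT
    to_destination: "127.0.0.1:{{ item.ephemeral_port }}"
  loop: "{{ remote_forward }}"
  when: "'tcp' in item.protocols"
  notify: persist iptables

# NOTE(review): route_localnet above is an IPv4-only sysctl; there is no IPv6
# counterpart, so DNAT to [::1] from eth0 may be dropped by the kernel — verify
# that this rule actually passes traffic before relying on it.
- name: Forward privileged ports to ephemeral localhost ports (IPv6, TCP)
  become: true
  iptables:
    ip_version: ipv6
    table: nat
    chain: PREROUTING
    in_interface: eth0
    protocol: tcp
    destination_port: "{{ item.exposed_port }}"
    jump: DNAT
    to_destination: "[::1]:{{ item.ephemeral_port }}"
  loop: "{{ remote_forward }}"
  when: "'tcp' in item.protocols"
  notify: persist iptables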