ssh_tunnel/tasks/remote.yml

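---
# Remote side of the ssh tunnel: install socat, create the restricted tunnel
# user, drop in the sshd and sysctl settings, then DNAT the exposed privileged
# ports to the ephemeral localhost ports the tunnel binds.
#
# NOTE(review): only the sshd_config and iptables tasks carry `become`; apt,
# user, sysctl and the authorized_keys template also need root, so this file
# presumably runs under a play-level `become` — confirm against the caller.

- name: Install required packages
  apt:
    name: socat
    state: present

- name: Ensure unprivileged ssh user exists
  user:
    name: "{{ ssh_tunnel_sshd_unprivileged_user }}"
    system: true
    state: present

# Keys for the tunnel user only. Any per-key restrictions live in
# remote/authorized_keys.j2 and the sshd_config template, neither shown here.
- name: Set authorized_keys for unprivileged user
  template:
    src: remote/authorized_keys.j2
    # assumes ssh_tunnel_remote_sshdir ends with "/" — no separator is added
    dest: "{{ ssh_tunnel_remote_sshdir }}authorized_keys"
    owner: "{{ ssh_tunnel_sshd_unprivileged_user }}"
    # quoted so the mode is passed as a string; an unquoted 0600 is a YAML 1.1
    # octal integer (ansible-lint risky-octal) — same resulting mode either way
    mode: "0600"

- name: Set sshd_config
  become: true
  template:
    src: remote/sshd_config.j2
    # assumes ssh_tunnel_sshd_conf_dir ends with "/" — no separator is added
    dest: "{{ ssh_tunnel_sshd_conf_dir }}tunnel.conf"
    mode: "0644"
    owner: root

# All three keys are set to "1" with the same options, so they share one task.
# route_localnet is what lets PREROUTING DNAT to 127.0.0.1 work; it also makes
# every loopback-bound service reachable through such DNAT rules, so keep the
# DNAT rules below as narrow as possible.
- name: Enable IP forwarding sysctls
  sysctl:
    name: "{{ item }}"
    value: '1'
    sysctl_set: true
    state: present
    reload: true
  loop:
    - net.ipv4.ip_forward
    - net.ipv6.conf.all.forwarding
    - net.ipv4.conf.all.route_localnet

- name: Install iptables-persistent
  apt:
    name: iptables-persistent
    update_cache: true
    state: present

# Flushing the whole nat table removes every NAT rule on the host, not only
# the tunnel's (e.g. rules added by other roles or a container runtime), and
# the forwards below are absent until they are re-added on the same run.
# The flush tasks notify the handler so the cleared state is persisted even
# when remote_forward is empty and no forward task fires it.
- name: Flush existing iptables entries (IPv4)
  become: true
  iptables:
    ip_version: ipv4
    table: nat
    flush: true
  notify: persist iptables

- name: Flush existing iptables entries (IPv6)
  become: true
  iptables:
    ip_version: ipv6
    table: nat
    flush: true
  notify: persist iptables

# ssh_tunnel_remote_interface is a new variable; it defaults to the previously
# hard-coded eth0 so existing inventories keep working.
- name: Forward privileged ports to ephemeral localhost ports (IPv4, TCP)
  become: true
  iptables:
    ip_version: ipv4
    table: nat
    chain: PREROUTING
    in_interface: "{{ ssh_tunnel_remote_interface | default('eth0') }}"
    protocol: tcp
    destination_port: "{{ item.exposed_port }}"
    jump: DNAT
    to_destination: "127.0.0.1:{{ item.ephemeral_port }}"
  loop: "{{ remote_forward }}"
  when: "'tcp' in item.protocols"
  notify: persist iptables

# NOTE(review): there is no IPv6 counterpart of route_localnet; whether DNAT
# to [::1] is actually delivered on the target kernel should be verified.
- name: Forward privileged ports to ephemeral localhost ports (IPv6, TCP)
  become: true
  iptables:
    ip_version: ipv6
    table: nat
    chain: PREROUTING
    in_interface: "{{ ssh_tunnel_remote_interface | default('eth0') }}"
    protocol: tcp
    destination_port: "{{ item.exposed_port }}"
    jump: DNAT
    to_destination: "[::1]:{{ item.ephemeral_port }}"
  loop: "{{ remote_forward }}"
  when: "'tcp' in item.protocols"
  notify: persist iptables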