---
# NAT Gateway Configuration
# Enables internet access for private network clients via the edge server.
# eth0 is the external (internet-facing) interface; enp7s0 faces the private 10.0.0.0/16 network.

- name: Enable IP forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: yes
  tags: [nat, gateway]

- name: Install iptables-persistent
  apt:
    name: iptables-persistent
    state: present
    update_cache: yes
  tags: [nat, gateway]

- name: Configure NAT (masquerading) for private network
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: eth0
    source: 10.0.0.0/16
    jump: MASQUERADE
    comment: NAT for private network clients
  notify: Save iptables rules
  tags: [nat, gateway]

# Docker creates DOCKER-USER with a trailing "-j RETURN" rule; anything appended after it
# is never evaluated, so the ACCEPT rules are inserted at the top of the chain instead.
- name: Allow forwarding from private network (in DOCKER-USER chain)
  iptables:
    chain: DOCKER-USER
    action: insert
    in_interface: enp7s0
    out_interface: eth0
    source: 10.0.0.0/16
    jump: ACCEPT
    comment: Allow forwarding from private network
  notify: Save iptables rules
  tags: [nat, gateway]

- name: Allow established connections back to private network (in DOCKER-USER chain)
  iptables:
    chain: DOCKER-USER
    action: insert
    in_interface: eth0
    out_interface: enp7s0
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    comment: Allow established connections to private network
  notify: Save iptables rules
  tags: [nat, gateway]

- name: Return from DOCKER-USER chain for other traffic
  iptables:
    chain: DOCKER-USER
    jump: RETURN
    comment: Let Docker handle other traffic
  notify: Save iptables rules
  tags: [nat, gateway]

# Target of the notify calls above; in a role this belongs in handlers/main.yml.
# No "creates:" guard here: the file must be rewritten whenever the rules change,
# otherwise only the first run's ruleset would survive a reboot.
- name: Save iptables rules
  shell: iptables-save > /etc/iptables/rules.v4
  tags: [nat, gateway]
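Added verification script (not part of the role above): after the tasks have run, the output of `iptables-save` on the gateway should show the MASQUERADE rule for 10.0.0.0/16 on eth0 and the two DOCKER-USER ACCEPT rules ahead of the chain's RETURN. The script checks both conditions over a constructed sample ruleset (and a deliberately misordered one) so it runs offline; on a real host replace the sample with `"$(iptables-save)"`. Interface names and the private range are taken from the playbook; the sample output and function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of iptables-save output as the playbook is expected to leave it.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/16 -o eth0 -m comment --comment "NAT for private network clients" -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -s 10.0.0.0/16 -i enp7s0 -o eth0 -m comment --comment "Allow forwarding from private network" -j ACCEPT
-A DOCKER-USER -i eth0 -o enp7s0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow established connections to private network" -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed failure case: what an "append" (the module default) produces when Docker
# had already placed its RETURN rule in the chain. The ACCEPT rules are dead here.
SAMPLE_MISORDERED='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN
-A DOCKER-USER -s 10.0.0.0/16 -i enp7s0 -o eth0 -j ACCEPT
-A DOCKER-USER -i eth0 -o enp7s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Succeeds (exit 0) if the private range is masqueraded out of the external interface.
has_masquerade() {
  printf '%s\n' "$1" | grep -q -e '^-A POSTROUTING -s 10\.0\.0\.0/16 -o eth0 .*-j MASQUERADE$'
}

# Succeeds (exit 0) if no ACCEPT rule in DOCKER-USER sits after a RETURN rule.
# Rules after RETURN are never evaluated, so a misordered chain silently breaks forwarding.
accepts_before_return() {
  printf '%s\n' "$1" | awk '
    BEGIN { seen_return = 0; bad = 0 }
    /^-A DOCKER-USER / && /-j RETURN$/ { seen_return = 1 }
    /^-A DOCKER-USER / && /-j ACCEPT$/ && seen_return { bad = 1 }
    END { exit bad }'
}

# Runs both checks over one ruleset and prints a verdict; exit status mirrors the result.
run_checks() {
  status=0
  if has_masquerade "$1"; then echo "ok:   MASQUERADE for 10.0.0.0/16 via eth0 present"
  else echo "FAIL: no MASQUERADE rule for 10.0.0.0/16 via eth0"; status=1; fi
  if accepts_before_return "$1"; then echo "ok:   DOCKER-USER ACCEPT rules precede RETURN"
  else echo "FAIL: DOCKER-USER ACCEPT rules are shadowed by RETURN"; status=1; fi
  return $status
}

run_checks "$SAMPLE"
```

Run it on the gateway as `sh check-nat.sh` after replacing `SAMPLE` with the live ruleset; a non-zero exit is the signal that either the NAT rule is missing or the ACCEPT rules were appended behind Docker's RETURN.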