---
# Install the iptables userland plus the package that restores saved rules
# at boot.
# NOTE(review): iptables-persistent is a Debian/Ubuntu package name, so this
# presumably targets Debian-family hosts only - confirm against inventory.
- name: Install iptables
  ansible.builtin.package:
    state: present
    name: [iptables, iptables-persistent]


# Source-NAT every packet that leaves through the egress interface.
# ip_version, action and state are the module defaults, written out so the
# rule's scope (IPv4 only, appended to the chain) is visible at a glance.
- name: Enable masquerading on egress interface
  ansible.builtin.iptables:
    ip_version: ipv4
    table: nat
    chain: POSTROUTING
    action: append
    out_interface: "{{ router_egress_interface }}"
    jump: MASQUERADE
    state: present
  notify: Save iptables rules


# Return path: packets entering on the egress interface are forwarded to the
# ingress side only when conntrack marks them RELATED or ESTABLISHED, so
# unsolicited inbound connections fall through to later FORWARD rules.
# table, ip_version, action and state are the module defaults, spelled out.
- name: Allow incoming established connections from egress interface
  ansible.builtin.iptables:
    ip_version: ipv4
    table: filter
    chain: FORWARD
    action: append
    in_interface: "{{ router_egress_interface }}"
    out_interface: "{{ router_ingress_interface }}"
    ctstate:
      - RELATED
      - ESTABLISHED
    jump: ACCEPT
    state: present
  notify: Save iptables rules


# Outbound path: accept anything arriving on the ingress interface and
# leaving through the egress interface. No source-address, protocol or
# connection-state match is applied, so every host reachable on the ingress
# side can be forwarded out.
# table, ip_version, action and state are the module defaults, spelled out.
- name: Forward traffic from ingress to egress interfaces
  ansible.builtin.iptables:
    ip_version: ipv4
    table: filter
    chain: FORWARD
    action: append
    in_interface: "{{ router_ingress_interface }}"
    out_interface: "{{ router_egress_interface }}"
    jump: ACCEPT
    state: present
  notify: Save iptables rules


# Catch-all: drop every forwarded packet that no earlier FORWARD rule
# accepted.
# NOTE(review): this is an appended rule, not the chain policy, so it only
# works as a default-deny while it stays last in FORWARD. Any ACCEPT rule
# appended after it (a later task, another tool) will never match; such
# rules would need action: insert, or this catch-all could be replaced by
# the chain policy.
- name: Drop traffic not going over egress interface
  ansible.builtin.iptables:
    ip_version: ipv4
    table: filter
    chain: FORWARD
    action: append
    jump: DROP
    state: present
  notify: Save iptables rules


# Turn on IPv4 routing between interfaces. This task comes after the FORWARD
# rules in this file, so forwarding is enabled only once the filter rules
# have been applied to the running kernel.
# NOTE(review): the sysctl is persisted by this task itself, while the
# iptables rules are persisted only when the notified "Save iptables rules"
# handler runs (handler not shown here) - confirm a failed play cannot leave
# forwarding enabled across a reboot without the saved rules.
# state and reload are the module defaults, spelled out.
- name: Enable IP forwarding
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: true

# Disable IPv6 on all interfaces.
# The iptables tasks in this file rely on the module's default ip_version
# (ipv4), so no ip6tables rules are installed here; presumably this sysctl
# is what keeps IPv6 traffic from bypassing the IPv4-only filter - keep the
# two in step if IPv6 is ever re-enabled.
# state and reload are the module defaults, spelled out.
- name: Disable IPv6
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: '1'
    state: present
    reload: true