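---
# Turns the host into a NAT gateway for 10.10.0.0/16: enables kernel
# forwarding, masquerades traffic that leaves via the default-route
# interface, and persists the resulting ruleset with netfilter-persistent.
# Task names are kept in German to match the rest of the role.

- name: Aktiviere IPv4 Forwarding (Kernel)
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true

- name: Installiere iptables-persistent
  apt:
    name: iptables-persistent
    state: present

# Flushing removes rules but leaves each chain's policy untouched. On a
# default install that policy is ACCEPT, so without the explicit DROP policy
# set below the "Erlaube Forwarding" rules would gate nothing.
- name: Spüle existierende IPTables Regeln
  iptables:
    chain: "{{ item }}"
    flush: true
  loop:
    - INPUT
    - FORWARD
    - OUTPUT

# Only FORWARD gets a DROP policy: INPUT/OUTPUT are left at their defaults so
# the management session to this host is not cut off.
- name: Setze Default-Policy DROP für FORWARD
  iptables:
    chain: FORWARD
    policy: DROP

# The pipe requires a shell; the task only reads state, so never "changed".
# With failed_when overridden, the rc check has to be repeated explicitly.
# An empty stdout (no default route) would otherwise produce out_interface: ""
# and silently create interface-less MASQUERADE/FORWARD rules.
- name: Ermittle WAN Interface
  shell: ip route show default | awk '/default/ {print $5}'
  register: wan_interface
  changed_when: false
  failed_when: wan_interface.rc != 0 or (wan_interface.stdout | length) == 0

# Restricted to the internal prefix so that only the network the FORWARD
# rules admit is translated, rather than everything leaving the WAN side.
- name: Aktiviere Masquerading (NAT) auf dem WAN Interface
  iptables:
    table: nat
    chain: POSTROUTING
    source: 10.10.0.0/16
    out_interface: "{{ wan_interface.stdout }}"
    jump: MASQUERADE

- name: Erlaube Forwarding für internes Netz (10.10.0.0/16)
  iptables:
    chain: FORWARD
    source: 10.10.0.0/16
    destination: 10.10.0.0/16
    jump: ACCEPT

# Return traffic for connections the internal net opened.
- name: Erlaube Forwarding von Intern ins Internet (Established)
  iptables:
    chain: FORWARD
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT

- name: Erlaube Forwarding von Intern ins Internet (New)
  iptables:
    chain: FORWARD
    source: 10.10.0.0/16
    out_interface: "{{ wan_interface.stdout }}"
    jump: ACCEPT

# No shell features are needed here, so command is sufficient.
- name: Speichere IPTables Regeln dauerhaft
  command: netfilter-persistent save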