From 8424b3211bb5fd01df3a8fb9ba6c41f4def5d6ce Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Thu, 28 Mar 2024 23:30:24 +0000
Subject: [PATCH] Allow `ingress` to serve as tailscale exit node
---
 ansible/roles/ingress/files/nftables.conf | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ansible/roles/ingress/files/nftables.conf b/ansible/roles/ingress/files/nftables.conf
index 9b348c1..3169ead 100644
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@@ -30,7 +30,7 @@ table inet filter {
 # NAT - because the proxmox machines may not have routes back
 ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
- ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+ ip saddr {{ tailscale_cidr }} counter masquerade
 }
 chain FORWARD {
@@ -44,8 +44,9 @@ table inet filter {
 # Allow monitoring of nebula network
 ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
- # Allow traffic from Tailscale to proxmox network
- ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
- ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept
+ # Allow Tailscale exit node
+ ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
+ ip saddr {{ tailscale_cidr }} accept
+ ip daddr {{ tailscale_cidr }} ct state related,established accept
 }
 }
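Review bot: The rewritten masquerade rule `ip saddr {{ tailscale_cidr }} counter masquerade` now rewrites the source of every forwarded packet from the tailnet regardless of the interface it leaves on, so hosts on the proxmox and nebula networks can no longer distinguish a tailnet client from the ingress host itself in their own logs; the removed rule at least limited this to `{{ pve_hosts.internal_cidr }}`. If only internet-bound exit-node traffic needs NAT, scope the rule to the upstream interface, e.g. `ip saddr {{ tailscale_cidr }} oifname "<upstream-iface>" counter masquerade` (interface name is a placeholder), and keep a separate destination-limited rule for any internal network that genuinely needs it. The enclosing NAT chain's header and remaining rules are outside the hunk.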
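Review bot: The single `ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop` on the new side denies only one private range before the blanket `ip saddr {{ tailscale_cidr }} accept`, so any tailnet peer can now be forwarded to 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 and the `{{ nebula.cidr }}` network wherever ingress has a route, whereas the removed rules confined tailnet access to `{{ pve_hosts.internal_cidr }}`. Deny the full set ahead of the accept, `ip saddr {{ tailscale_cidr }} ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } log prefix "tailscale-exit-drop: " drop` followed by `ip saddr {{ tailscale_cidr }} ip daddr {{ nebula.cidr }} drop`, and re-add an explicit `ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept` before the drops if tailnet access to proxmox is still intended (whether that CIDR sits inside 192.168.0.0/16 is not visible here, so the commit may already have cut it off silently). The `log prefix` matters because the masquerade in the first hunk hides the original tailnet source from downstream hosts, leaving this chain as the only place the attempted destination is recorded. Note that `ip` matches are IPv4-only, so IPv6 from the tailnet is neither accepted nor dropped by these rules and falls through to the chain's policy, which lies outside the hunk.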