router0-dmz0: expose a DMZ host

nix/os/devices/router0-dmz0/configuration.nix

@@ -173,9 +173,26 @@ in {
     # https://github.com/thelegy/nixos-nftables-firewall/tree/main
 
     # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority)
-    nftables = {
+    nftables =
+    {
       enable = true;
       stopRuleset = "";
+
+      chains = {
+        prerouting = {
+          "redirectweb" = {
+            after = ["hook"];
+            rules = let
+              wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
+              exposedHost = "192.168.22.121";
+             in [
+              "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
+              "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
+            ];
+          };
+        };
+      };
+
       firewall = {
         enable = true;
         zones = {
@@ -260,6 +277,12 @@ in {
             verdict = "accept";
           };
 
+          wan-to-dmz = {
+            from = ["wan"];
+            to = ["dmz"];
+            verdict = "accept";
+          };
+
           wan-to-fw = {
             from = ["wan"];
             to = ["fw"];
@@ -740,8 +763,9 @@ in {
       proxy-dnssec = true;
       conntrack = true;
 
-      log-debug = true;
-      log-queries = true;
+      # enable for debugging
+      # log-debug = true;
+      # log-queries = true;
 
       # disable negative caching
       no-negcache = true;