nixos/shill: Replicate port forwards for internal routing

nixos/boxes/colony/vms/shill/default.nix

@@ -1,7 +1,7 @@
 { lib, ... }:
 let
-  inherit (lib.my) net;
+  inherit (lib.my) net nft;
-  inherit (lib.my.c.colony) domain prefixes;
+  inherit (lib.my.c.colony) domain prefixes firewallForwards;
 in
 {
   imports = [ ./containers ];
@@ -151,6 +151,7 @@ in
               firewall = {
                 tcp.allowed = [ 19999 ];
                 trustedInterfaces = [ "ctrs" ];
+                nat.forwardPorts."${allAssignments.estuary.internal.ipv4.address}" = firewallForwards allAssignments;
                 extraRules = ''
                   table inet filter {
                     chain forward {
@@ -158,6 +159,17 @@ in
                       iifname vms oifname ctrs accept
                     }
                   }
+                  table inet nat {
+                    # Hack to fix our NAT situation with internal routing
+                    # We need to snat to our public IP, otherwise on the return path from e.g. middleman it will
+                    # try to forward packet directly with its own IP, bypassing our carefully crafted DNAT...
+                    chain ${nft.dnatChain allAssignments.estuary.internal.ipv4.address} {
+                      ct mark set 0x1337
+                    }
+                    chain postrouting {
+                      ct mark 0x1337 snat ip to ${assignments.internal.ipv4.address}
+                    }
+                  }
                 '';
               };