# Host firewall (NixOS). Ports in allowedTCPPorts are opened on every
# interface, not only the trusted one; per-interface limits would go under
# networking.firewall.interfaces.<name> instead.
networking.firewall = {
  enable = true;
  # Traffic arriving over the tailnet is accepted without filtering.
  trustedInterfaces = [ "tailscale0" ];
  # 22: this host's sshd (reached over the tailnet; IPv4 eth0:22 is
  # rewritten by the proxy table below before it reaches input).
  # 9999: purpose not stated in this snippet — TODO confirm it must be
  # reachable from eth0 as well.
  allowedTCPPorts = [ 22 9999 ];
};
networking.nftables = {
  # Use the nftables backend; with this set, NixOS renders networking.firewall
  # as nftables too, and the custom table below is loaded next to it.
  enable = true;
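  # Port-22 proxy: IPv4 SSH arriving on eth0 is DNATed to a tailnet host,
  # and the tailnet is allowed out to the public internet via eth0.
  # NOTE(review): `dnat ip to` rewrites IPv4 only. If eth0 carries a global
  # IPv6 address, SSH over IPv6 is NOT proxied and reaches this host's own
  # sshd instead (22 is in allowedTCPPorts) — confirm that is intended.
  # NOTE(review): forwarding also needs net.ipv4.ip_forward=1, which is not
  # set in this snippet — verify it is enabled elsewhere.
  tables."proxySSH" = {
    family = "inet";
    content = ''
      chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # forward port 22 to backend (IPv4 only; see note above)
        iifname "eth0" tcp dport 22 dnat ip to 100.x.x.x
      }

      chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # masquerade to public internet and tailnet
        oifname "eth0" masquerade
        # Proxied SSH reaches the backend with this host's tailnet address as
        # source, so the backend's sshd logs will not show the real client IP.
        oifname "tailscale0" masquerade
      }

      chain forward {
        type filter hook forward priority 0; policy drop;
        # allow forwarded traffic coming from tailnet heading to public internet
        iifname "tailscale0" oifname "eth0" accept
        # allow expected replies from internet to tailscale traffic
        iifname "eth0" oifname "tailscale0" ct state {established, related} accept
        # allow forwarded traffic from public net to our proxied ssh node,
        # but only for connections the prerouting DNAT above created:
        # without `ct status dnat`, any eth0 packet that happens to route onto
        # tailscale0 with dport 22 would be forwarded, not just proxied ones.
        iifname "eth0" oifname "tailscale0" ct status dnat tcp dport 22 counter accept comment "accept ssh"
      }
    '';
  };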