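#!/usr/bin/env bash
#
# Container entrypoint: bring up a WireGuard server on wg0 and force every
# packet arriving from WireGuard peers into a Tor transparent proxy that
# listens in THIS network namespace.
#
# Requirements (not verified here): CAP_NET_ADMIN, a wg0.conf that wg-quick
# can find (it must define Address=10.66.0.1/24 etc.), and a Tor instance in
# the same namespace with TransPort and DNSPort matching TOR_TRANS/TOR_DNS.
#
# Policy implemented:
#   * TCP from wg0            -> REDIRECT to Tor TransPort
#   * DNS (udp/tcp 53) wg0    -> REDIRECT to Tor DNSPort
#   * anything else from wg0  -> REJECT/DROP (fail closed: Tor cannot carry
#                                UDP or ICMP, so it must not leak out directly)
set -euo pipefail

# Ensure forwarding is on (kept from the original behaviour; REDIRECT to the
# local stack does not need it, and the FORWARD chain below closes wg0 anyway).
sysctl -w net.ipv4.ip_forward=1 >/dev/null

# Bring up WireGuard. wg-quick creates wg0 itself and refuses to start when the
# interface already exists, so it must NOT be pre-created with `ip link add`.
wg-quick up wg0

# Tor transparent proxy ports in THIS namespace (shared with tor service)
readonly TOR_TRANS=9040
readonly TOR_DNS=5353

# Flush any old rules (a fresh container has none; tolerate missing tables)
iptables -t nat -F || true
iptables -t mangle -F || true
iptables -F || true

# Default policies
# NOTE(review): INPUT stays ACCEPT as in the original, which means Tor's
# TransPort/DNSPort are reachable from every interface in this namespace, not
# only wg0 - add INPUT rules if the container has other reachable interfaces.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Allow WireGuard UDP port 51820
iptables -A INPUT -p udp --dport 51820 -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# === Transparent redirection of wg0 traffic into Tor (nat/PREROUTING) ===
# DNS: redirect all DNS from wg clients to Tor DNSPort (supports TCP & UDP).
# These come first so port 53 TCP is not swallowed by the generic TCP rule.
iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j REDIRECT --to-ports "${TOR_DNS}"
iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j REDIRECT --to-ports "${TOR_DNS}"

# TCP: redirect everything else to Tor TransPort
iptables -t nat -A PREROUTING -i wg0 -p tcp -j REDIRECT --to-ports "${TOR_TRANS}"

# === FORWARD: everything from wg0 that was NOT captured above must die ===
# Redirected packets are delivered to the local stack via INPUT and never
# reach FORWARD, so anything from wg0 seen here is traffic Tor did not take.
# iptables is first-match: the REJECT/DROP rules must come BEFORE any ACCEPT
# for wg0 (the original script appended "-i wg0 -j ACCEPT" first, which made
# the rules below unreachable and forwarded non-TCP traffic straight out).
# UDP: Tor can't carry UDP; reject so clients fail fast instead of leaking
iptables -A FORWARD -i wg0 -p udp -j REJECT --reject-with icmp-port-unreachable
# ICMP: likewise
iptables -A FORWARD -i wg0 -p icmp -j REJECT --reject-with icmp-host-unreachable
# Any other protocol from wg0: drop (belt & braces)
iptables -A FORWARD -i wg0 -p all -j DROP
# Return traffic towards peers for flows the kernel is already tracking
iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# NOTE(review): only IPv4 rules are installed. If the container or wg0.conf is
# ever given IPv6 addresses, add matching ip6tables rules, otherwise IPv6
# traffic from peers bypasses Tor entirely.

# Health: show status then sleep forever
printf '%s\n' "===== WireGuard status ====="
wg show
printf '%s\n' "===== IP addresses ====="
ip addr
printf '%s\n' "===== iptables (nat) ====="
iptables -t nat -S
printf '%s\n' "===== iptables (filter) ====="
iptables -S

# Keep the container alive; exec so the sleeper replaces this shell as PID 1
exec tail -f /dev/null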