#!/usr/bin/env bash

{{ ansible_managed | comment('plain') }}

set -xeu

WG_INTERFACE=$1

iptables $2 FORWARD -i $WG_INTERFACE -j ACCEPT
iptables $2 FORWARD -o $WG_INTERFACE -j ACCEPT
iptables -t nat $2 POSTROUTING -o {{ ansible_facts.default_ipv4.interface }} -j MASQUERADE

{% if (install_wireguard__forward_tcp_ports is defined) and install_wireguard__forward_tcp_ports %}
for TCP_PORT in {{ install_wireguard__forward_tcp_ports | join(" ") }}; do
    iptables $2 FORWARD -i {{ ansible_facts.default_ipv4.interface }} -o $WG_INTERFACE -p tcp --syn --dport $TCP_PORT -m conntrack --ctstate NEW -j ACCEPT
    iptables -t nat $2 PREROUTING -i {{ ansible_facts.default_ipv4.interface }} -p tcp --dport $TCP_PORT -j DNAT --to-destination {{ install_wireguard__peer_ip }}
    iptables -t nat $2 POSTROUTING -o $WG_INTERFACE -p tcp --dport $TCP_PORT -d {{ install_wireguard__peer_ip }} -j SNAT --to-source {{ install_wireguard__server_ip }}
done
{% endif %}

{% if (install_wireguard__forward_udp_ports is defined) and install_wireguard__forward_udp_ports %}
for UDP_PORT in {{ install_wireguard__forward_udp_ports | join(" ") }}; do
    iptables $2 FORWARD -i {{ ansible_facts.default_ipv4.interface }} -o $WG_INTERFACE -p udp --dport $UDP_PORT -m conntrack --ctstate NEW -j ACCEPT
    iptables -t nat $2 PREROUTING -i {{ ansible_facts.default_ipv4.interface }} -p udp --dport $UDP_PORT -j DNAT --to-destination {{ install_wireguard__peer_ip }}
    iptables -t nat $2 POSTROUTING -o $WG_INTERFACE -p udp --dport $UDP_PORT -d {{ install_wireguard__peer_ip }} -j SNAT --to-source {{ install_wireguard__server_ip }}
done
{% endif %}