#!/bin/sh -ex
#
# this is a "kill switch" for wireguard
# block all traffic outside of the tunnel
# --------------------------------------------------------------------

# flush
iptables -F

# refuse all default
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
# permit samba / NFS to truenas (192.168.100.143)
iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137
iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138
iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139
iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445
iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111
iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049
iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED

# permit qbittorrent-nox access on LAN subnet
iptables -A INPUT -j ACCEPT -s 192.168.100.0/24 -p tcp --dport 8080 -m state --state NEW
iptables -A OUTPUT -j ACCEPT -d 192.168.100.0/24 -p tcp --sport 8080 -m state --state ESTABLISHED

# permit ssh on LAN subnet
iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED

# allow dns to pihole
PIHOLE_IP=192.168.100.200
iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p tcp --dport 53 -m state --state NEW
iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p udp --dport 53 -m state --state NEW

# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/

# permit outgoing wireguard traffic on 51820 to the mullvad server
WIREGUARD_SERVER=38.240.225.36
iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT
iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT

# permit any local traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ========== dont think we need tun on wireguard ===================
#iptables -A INPUT -i tun+ -j ACCEPT
#iptables -A OUTPUT -o tun+ -j ACCEPT
# ========== dont think we need tun on wireguard ===================

# permit replies to traffic sent out
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# save
/etc/init.d/iptables save