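#!/bin/bash
# Set up the fireclaw bridge and NAT rules.
# Run with sudo.
#
# Effects on the host (all runtime-only; nothing here is persisted across a
# reboot):
#   - creates bridge ${BRIDGE} with address ${BRIDGE_IP} and brings it up
#   - enables IPv4 forwarding host-wide (net.ipv4.ip_forward is a global knob)
#   - masquerades ${SUBNET} out of the default-route interface
#   - allows forwarding bridge -> external, and return traffic back
#
# NOTE(review): the bridge -> external ACCEPT rule is unrestricted egress:
# anything attached to the bridge can reach every destination routed via the
# external interface. If the guests are not fully trusted, narrow it (by
# destination or port) and review the INPUT chain for host services that are
# reachable on the bridge address.
set -euo pipefail

BRIDGE="fcbr0"
BRIDGE_IP="172.16.0.1/24"
SUBNET="172.16.0.0/24"

# Pick the interface of the first default route. The token after "dev" is
# used instead of a fixed column because gateway-less routes
# ("default dev ppp0 ...") do not have the interface in field 5.
default_route=$(ip route show default)
EXT_IFACE=$(awk '{
  for (i = 1; i < NF; i++) {
    if ($i == "dev") { print $(i + 1); exit }
  }
}' <<<"${default_route}")

# Without a default route the NAT rules below would be built with an empty
# -o argument; stop before touching any host state.
if [[ -z "${EXT_IFACE}" ]]; then
  echo "No default route found; cannot determine the external interface." >&2
  exit 1
fi

# Append an iptables rule only if an identical one is not already present.
# Arguments: $1 - table, $2 - chain, rest - rule specification
# The rule is appended (-A), so it is evaluated after any rule already in the
# chain; an earlier DROP/REJECT still takes precedence.
ensure_rule() {
  local table=$1 chain=$2
  shift 2
  iptables -t "${table}" -C "${chain}" "$@" 2>/dev/null \
    || iptables -t "${table}" -A "${chain}" "$@"
}

echo "Creating bridge ${BRIDGE}..."
# Test for existence explicitly so that a real failure (missing privileges,
# missing bridge support) is reported instead of being printed as
# "already exists".
if ip link show dev "${BRIDGE}" >/dev/null 2>&1; then
  echo "Bridge already exists"
else
  ip link add "${BRIDGE}" type bridge
fi

bridge_addrs=$(ip -o -4 addr show dev "${BRIDGE}")
if [[ "${bridge_addrs}" == *"inet ${BRIDGE_IP} "* ]]; then
  echo "Address already set"
else
  ip addr add "${BRIDGE_IP}" dev "${BRIDGE}"
fi
ip link set "${BRIDGE}" up

echo "Enabling IP forwarding..."
# Runtime setting only; it affects forwarding between all interfaces on the
# host, not just the bridge.
sysctl -w net.ipv4.ip_forward=1

echo "Setting up NAT via ${EXT_IFACE}..."
# Source-NAT guest traffic leaving through the external interface.
ensure_rule nat POSTROUTING -s "${SUBNET}" -o "${EXT_IFACE}" -j MASQUERADE
# Outbound: everything from the bridge to the external interface.
ensure_rule filter FORWARD -i "${BRIDGE}" -o "${EXT_IFACE}" -j ACCEPT
# Inbound: only replies to connections the guests opened themselves.
ensure_rule filter FORWARD -i "${EXT_IFACE}" -o "${BRIDGE}" \
  -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "Done. Bridge ${BRIDGE} ready."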