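#!/usr/bin/env bash
# DictIA — iptables rules for cloud VPS
#
# Allows Docker internal traffic to reach the ASR proxy on port 9090.
# Blocks direct external access to Docker container IPs.
# Tailscale + UFW handle the main firewall — this script adds Docker-specific rules.
#
# Usage: sudo bash iptables-rules.sh
#
# Notes:
#   - Rules are written to the running kernel only; they are not persisted across
#     reboots. The per-container DROP rules are keyed on container IPs, so re-run
#     the script after containers are recreated. Rules for released IPs are left
#     in place (harmless, but visible in the verify output).
#   - Must run as root: both iptables and the docker CLI need it here.

set -euo pipefail

readonly ASR_PROXY_PORT=9090
# Docker's default address pools live inside 172.16.0.0/12. The ACCEPT rule below
# matches on source address only (not ingress interface), so any other host the
# VPS can see in that /12 — e.g. on a provider private network — is also allowed
# to reach the proxy port. Tighten with "-i <bridge>" if that applies to you.
readonly DOCKER_NETS=172.16.0.0/12

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Add an iptables rule only if an identical one is not already present,
# so repeated runs are idempotent.
# Arguments: $1 - table (filter, raw, ...)
#            $2 - chain
#            $3 - insert position ("" to append with -A, a number to -I at that slot)
#            $@ - remaining args: the rule specification
# Returns:   iptables exit status of the add (0 if the rule already existed)
#######################################
ensure_rule() {
  local table=$1 chain=$2 pos=$3
  shift 3
  if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  if [[ -n "$pos" ]]; then
    iptables -t "$table" -I "$chain" "$pos" "$@"
  else
    iptables -t "$table" -A "$chain" "$@"
  fi
}

#######################################
# Resolve the Linux bridge interface backing a Docker bridge network.
# Docker only records the name in the network options when it was set
# explicitly (com.docker.network.bridge.name); user-defined networks normally
# have no such option and use "br-" + the first 12 characters of the network ID.
# Option keys contain dots, so they must be read with {{index}} — dotted field
# access ({{.Options.com.docker...}}) is a template error and yields nothing.
# Arguments: $1 - Docker network ID
# Outputs:   bridge interface name on stdout
#######################################
bridge_for_network() {
  local id=$1 name
  name=$(docker network inspect "$id" \
    --format '{{index .Options "com.docker.network.bridge.name"}}' 2>/dev/null) || name=""
  if [[ -z "$name" || "$name" == "<no value>" ]]; then
    name="br-${id:0:12}"
  fi
  printf '%s\n' "$name"
}

#######################################
# List the IPv4 addresses (CIDR form, one per line) of containers attached
# to a Docker network. Prints nothing if docker fails.
# Arguments: $1 - Docker network ID
#######################################
container_ips() {
  docker network inspect "$1" \
    --format '{{range .Containers}}{{.IPv4Address}}{{"\n"}}{{end}}' 2>/dev/null || true
}

#######################################
# Install raw-table DROP rules so each container IP on the network is only
# reachable via that network's own bridge. The default "bridge" network
# (docker0) is intentionally left alone, as in the original policy.
# Arguments: $1 - Docker network ID
# Outputs:   one "Protected <ip> on <bridge>" line per container
#######################################
protect_network() {
  local network_id=$1 bridge cidr ip
  bridge=$(bridge_for_network "$network_id")
  [[ "$bridge" == "docker0" ]] && return 0
  # Guard against a wrong bridge-name guess: never install a rule keyed on an
  # interface that does not exist on this host.
  if [[ ! -d "/sys/class/net/$bridge" ]]; then
    printf 'warn: skipping network %s: bridge %s not present\n' "$network_id" "$bridge" >&2
    return 0
  fi
  while IFS= read -r cidr; do
    ip=${cidr%/*}
    [[ -n "$ip" ]] || continue
    # raw PREROUTING runs before conntrack and before Docker's own nat/filter
    # chains, so this blocks the packet regardless of Docker's published ports.
    ensure_rule raw PREROUTING "" -d "$ip" ! -i "$bridge" -j DROP
    echo "  Protected $ip on $bridge"
  done < <(container_ips "$network_id")
}

main() {
  (( EUID == 0 )) || die "must run as root (try: sudo bash ${0##*/})"
  command -v iptables >/dev/null || die "iptables not found"
  command -v docker >/dev/null || die "docker not found"

  echo "=== DictIA iptables rules ==="

  # Allow Docker containers to reach the ASR proxy. Inserted at position 1 so it
  # precedes the default DROP policy / UFW chains in INPUT.
  ensure_rule filter INPUT 1 -s "$DOCKER_NETS" -p tcp --dport "$ASR_PROXY_PORT" -j ACCEPT

  # Block direct external access to container IPs on every non-default bridge
  # network (e.g., dictia-network). An unavailable docker daemon yields no
  # networks and therefore no DROP rules — the warning below makes that visible.
  local network_id found=0
  while IFS= read -r network_id; do
    [[ -n "$network_id" ]] || continue
    found=1
    protect_network "$network_id"
  done < <(docker network ls --filter driver=bridge --format '{{.ID}}' 2>/dev/null || true)
  (( found )) || printf 'warn: no Docker bridge networks found; no container rules added\n' >&2

  echo "Rules applied. Tailscale + Docker internal traffic allowed."
  echo "Verify with: sudo iptables -L -n -t raw"
}

main "$@"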