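#!/bin/bash
# VPS Network Configuration Script
#
# Turns this VPS into a public front end for game servers that run on an
# Unraid host reachable over Tailscale:
#   * default-deny IPv4 firewall on the VPS itself (INPUT/FORWARD DROP)
#   * selected UDP/TCP game ports arriving on the WAN interface are DNAT'ed
#     to the Unraid host's Tailscale IP
#   * IPv4 forwarding is enabled and both settings are persisted
#
# Scope: IPv4 only. ip6tables is never touched, so if the VPS has a public
# IPv6 address the default-deny policy below does NOT cover it.
#
# Must be run as root. Edit the configuration section before running.

set -euo pipefail

# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Configuration variables
TAILSCALE_INTERFACE="tailscale0"
WAN_INTERFACE="eth0"                           # Change if different
UNRAID_TAILSCALE_IP="YOUR_UNRAID_TAILSCALE_IP" # Replace with your Unraid's Tailscale IP
SSH_PORT=22                                    # Adjust if sshd listens elsewhere

# Ports published to the internet and forwarded to Unraid.
UDP_PORTS=(8766 8767 16261 19132)
TCP_PORTS="16262,27015:27050,25500:25600" # multiport syntax: list and ranges

# Output helpers. Diagnostics (warnings/errors) go to stderr.
info() { printf '%b\n' "${YELLOW}$*${NC}"; }
ok() { printf '%b\n' "${GREEN}$*${NC}"; }
warn() { printf '%b\n' "${YELLOW}Warning: $*${NC}" >&2; }
die() {
  printf '%b\n' "${RED}Error: $*${NC}" >&2
  exit 1
}

# Abort unless the script is running as root (iptables/sysctl need it).
check_root() {
  if [[ "$EUID" -ne 0 ]]; then
    die "This script must be run as root"
  fi
}

# Abort unless the tailscale binary is on PATH.
check_tailscale() {
  if ! command -v tailscale &>/dev/null; then
    die "Tailscale is not installed"
  fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
  local ip=$1 octet
  local -a octets
  local -r quad_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'

  [[ "$ip" =~ $quad_re ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# forces base 10 so an octet like "08" is not parsed as octal.
    ((10#$octet <= 255)) || return 1
  done
  return 0
}

# Validate the configuration BEFORE any firewall rule is touched. Without
# this, a left-over placeholder makes the DNAT rules fail after the existing
# ruleset has already been flushed, leaving the host half-configured.
check_config() {
  if ! is_ipv4 "$UNRAID_TAILSCALE_IP"; then
    die "UNRAID_TAILSCALE_IP is not a valid IPv4 address (edit the configuration section of this script)"
  fi
  if [[ ! -d "/sys/class/net/${WAN_INTERFACE}" ]]; then
    die "WAN interface '${WAN_INTERFACE}' does not exist (edit WAN_INTERFACE)"
  fi
  if [[ ! -d "/sys/class/net/${TAILSCALE_INTERFACE}" ]]; then
    warn "interface '${TAILSCALE_INTERFACE}' not found; is Tailscale up?"
  fi
}

# Build the IPv4 filter and nat rules.
#
# Ordering matters for remote administration: the ACCEPT rules for loopback,
# established flows and SSH are installed first and the DROP policies last,
# so a failure part-way through (set -e aborts the script) does not leave
# the host with a default-deny policy and no way in.
configure_iptables() {
  local port

  info "Configuring iptables rules..."

  # Clear existing rules. This also removes rules other software installed in
  # these tables (e.g. Tailscale, Docker, fail2ban); restart those services
  # afterwards so they can re-create their rules.
  iptables -F
  iptables -t nat -F

  # Loopback must stay open or local services that talk over 127.0.0.1 break.
  iptables -A INPUT -i lo -j ACCEPT

  # Allow established connections (keeps the current SSH session alive).
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Allow SSH. This is reachable from the whole internet; since the Tailscale
  # interface is accepted below, consider limiting this rule with -s <admin
  # range> or removing it once SSH over the tailnet is confirmed to work.
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

  # Allow Tailscale traffic (to this host and routed through it).
  iptables -A INPUT -i "$TAILSCALE_INTERFACE" -j ACCEPT
  iptables -A FORWARD -i "$TAILSCALE_INTERFACE" -j ACCEPT

  # Replies belonging to flows that were already permitted.
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Game ports. DNAT happens in PREROUTING, so these packets traverse FORWARD,
  # not INPUT; no INPUT rule is needed and none is added, which keeps the
  # VPS's own ports closed. Both DNAT and FORWARD are pinned to
  # WAN -> Tailscale -> Unraid so that only the intended path is opened and
  # traffic arriving from the tailnet is not redirected.

  # UDP ports
  for port in "${UDP_PORTS[@]}"; do
    iptables -t nat -A PREROUTING -i "$WAN_INTERFACE" -p udp --dport "$port" \
      -j DNAT --to-destination "$UNRAID_TAILSCALE_IP"
    iptables -A FORWARD -i "$WAN_INTERFACE" -o "$TAILSCALE_INTERFACE" \
      -d "$UNRAID_TAILSCALE_IP" -p udp --dport "$port" -j ACCEPT
  done

  # TCP port ranges
  iptables -t nat -A PREROUTING -i "$WAN_INTERFACE" -p tcp \
    -m multiport --dports "$TCP_PORTS" \
    -j DNAT --to-destination "$UNRAID_TAILSCALE_IP"
  iptables -A FORWARD -i "$WAN_INTERFACE" -o "$TAILSCALE_INTERFACE" \
    -d "$UNRAID_TAILSCALE_IP" -p tcp \
    -m multiport --dports "$TCP_PORTS" -j ACCEPT

  # Enable masquerading for traffic leaving through the WAN interface.
  # NOTE(review): forwarded game traffic reaches Unraid with the player's
  # original source address, so replies must be routed back through this VPS.
  # Confirm the Unraid-side routing; if replies leave another way, a
  # MASQUERADE on the Tailscale interface would be needed instead, at the
  # cost of hiding player IPs from the game server.
  iptables -t nat -A POSTROUTING -o "$WAN_INTERFACE" -j MASQUERADE

  # Set default policies last (see function header).
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  ok "iptables rules configured successfully"
}

# Enable IPv4 forwarding for the running kernel. Called after the firewall is
# in place so the FORWARD DROP policy already applies when routing starts.
configure_routing() {
  info "Configuring routing..."

  sysctl -w net.ipv4.ip_forward=1

  ok "Routing configured successfully"
}

# Persist the firewall rules and the forwarding sysctl across reboots.
make_persistent() {
  local -r rules_file=/etc/iptables/rules.v4
  local -r hook_dir=/etc/network/if-pre-up.d
  local -r forward_re='^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'

  info "Making settings persistent..."

  # Save iptables rules
  if command -v iptables-save &>/dev/null; then
    mkdir -p /etc/iptables
    iptables-save >"$rules_file"
    chmod 600 "$rules_file" # firewall layout is not for unprivileged users

    # Ensure rules are restored on boot. The hook is (re)written whenever the
    # ifupdown hook directory exists; testing for the hook file itself would
    # mean it is never created on a fresh system.
    if [[ -d "$hook_dir" ]]; then
      printf '%s\n' '#!/bin/sh' "iptables-restore < ${rules_file}" \
        >"${hook_dir}/iptables"
      chmod 755 "${hook_dir}/iptables"
    else
      warn "${hook_dir} not found; rules saved to ${rules_file} but nothing restores them at boot"
    fi
  else
    warn "iptables-save not found; firewall rules will not survive a reboot"
  fi

  # Ensure IP forwarding is enabled on boot. The pattern is anchored so a
  # commented-out "#net.ipv4.ip_forward=1" line does not count as enabled.
  if ! grep -Eq "$forward_re" /etc/sysctl.conf 2>/dev/null; then
    echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
  fi
}

# Main execution: preflight checks first, then firewall, routing, persistence.
main() {
  info "Starting VPS network configuration..."

  check_root
  check_tailscale
  check_config
  configure_iptables
  configure_routing
  make_persistent

  ok "VPS network configuration completed successfully"
  info "Please test your game server connectivity"
}

# Run main function; its exit status is the script's exit status.
main "$@"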