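#!/usr/bin/env bash
#
# Transparent Tor routing for this host (iptables + ip6tables).
#
# Members of the "nontor" group keep unrestricted clearnet access. For
# every other local user, DNS (udp/53) and new TCP connections are
# REDIRECTed to the local Tor listeners, and everything else is rejected
# in the filter table so that nothing leaks around Tor.
#
# Requirements: root; iptables/ip6tables with the owner and REDIRECT
#               extensions; a Tor instance listening on the ports below.
# Globals read:    /etc/group (member list of "nontor")
# Globals written: filter and nat tables, IPv4 and IPv6
#
# NOTE(review): the Tor daemon's own user must be a member of "nontor",
# otherwise the final REJECT blocks Tor's own egress — verify on the host.

# -E so the ERR trap fires inside functions too.
set -Eeuo pipefail

# A failed iptables call leaves a half-built ruleset. The OUTPUT policy set
# in main() keeps that state fail-closed, but the operator must know.
trap 'printf "tor-firewall: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Ports the local Tor instance listens on.
# NOTE(review): assumes torrc sets "DNSPort 53" and "TransPort 9040" — confirm.
readonly TOR_DNS_PORT=53
readonly TOR_TRANS_PORT=9040

# Destinations reachable without Tor (space-separated CIDR lists).
readonly NON_TOR_NETWORKS_4='192.168.0.0/24'
readonly NON_TOR_NETWORKS_6='fe80::/64'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Extract the member list from a group(5) line.
# Arguments: $1 - a line such as "nontor:x:1001:alice,bob"
# Outputs:   members separated by spaces (empty line if none)
#######################################
group_members() {
  local line=$1
  local members=${line##*:}
  printf '%s\n' "${members//,/ }"
}

#######################################
# Print the members of the "nontor" group, space-separated.
# Only supplementary members listed in /etc/group are found; users whose
# *primary* group is nontor do not appear in that field.
# Outputs:   member names on stdout (nothing if the group is missing/empty)
#######################################
non_tor_users() {
  local line
  # A missing group is not an error: the list is simply empty and every
  # user is forced through Tor (the safe direction).
  line=$(grep '^nontor:' /etc/group || true)
  [[ -n "$line" ]] || return 0
  group_members "$line"
}

#######################################
# nat OUTPUT: decide which new connections are redirected to Tor.
# Arguments: $@ - users exempt from Tor (may be empty)
#######################################
nat_rules() {
  local uid address

  # Exempt users leave the chain before any REDIRECT.
  for uid in "$@"; do
    iptables -t nat -A OUTPUT -m owner --uid-owner "$uid" -j RETURN
    ip6tables -t nat -A OUTPUT -m owner --uid-owner "$uid" -j RETURN
  done

  # All UDP DNS goes to Tor's DNSPort. TCP DNS falls under the TCP rule.
  iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$TOR_DNS_PORT"
  ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$TOR_DNS_PORT"

  # Loopback must not be redirected, otherwise connections to Tor's own
  # ports would themselves be rewritten to the TransPort.
  iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
  ip6tables -t nat -A OUTPUT -d ::1 -j RETURN

  for address in $NON_TOR_NETWORKS_4; do
    iptables -t nat -A OUTPUT -d "$address" -j RETURN
  done
  for address in $NON_TOR_NETWORKS_6; do
    ip6tables -t nat -A OUTPUT -d "$address" -j RETURN
  done

  # Every remaining new TCP connection is handed to Tor's TransPort.
  # The ESTABLISHED,RELATED rule is kept from the original ruleset; the nat
  # table normally only sees a connection's first packet, so it is inert.
  iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TOR_TRANS_PORT"
  iptables -t nat -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TOR_TRANS_PORT"
  ip6tables -t nat -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# filter OUTPUT: allow only loopback, non-Tor networks and exempt users;
# reject the rest so nothing bypasses the redirects above.
# Arguments: $@ - users exempt from Tor (may be empty)
#######################################
filter_rules() {
  local uid address

  # Redirected connections carry a loopback destination after nat, so
  # these rules are what lets Tor-bound traffic through.
  iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
  ip6tables -A OUTPUT -d ::1 -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT

  for address in $NON_TOR_NETWORKS_4; do
    iptables -A OUTPUT -d "$address" -j ACCEPT
  done
  for address in $NON_TOR_NETWORKS_6; do
    ip6tables -A OUTPUT -d "$address" -j ACCEPT
  done

  for uid in "$@"; do
    iptables -A OUTPUT -m owner --uid-owner "$uid" -j ACCEPT
    ip6tables -A OUTPUT -m owner --uid-owner "$uid" -j ACCEPT
  done

  # Anything else (non-DNS UDP, ICMP, raw sockets, ...) is refused.
  iptables -A OUTPUT -j REJECT
  ip6tables -A OUTPUT -j REJECT
}

main() {
  local tool
  (( EUID == 0 )) || die 'tor-firewall: must run as root'
  for tool in iptables ip6tables; do
    command -v "$tool" >/dev/null || die "tor-firewall: $tool not found"
  done

  local -a users
  read -r -a users <<<"$(non_tor_users)"
  if (( ${#users[@]} == 0 )); then
    printf 'tor-firewall: warning: group "nontor" has no members; all users go through Tor\n' >&2
  fi

  # Close the window between flushing and re-adding the final REJECT: while
  # the chains are rebuilt nothing may leave the host unfiltered, and a
  # failure part-way through must leave the host closed, not open.
  iptables -P OUTPUT DROP
  ip6tables -P OUTPUT DROP

  # -F with no chain name flushes INPUT and FORWARD as well; any
  # pre-existing inbound firewall rules on this host are discarded here.
  iptables -F
  iptables -t nat -F
  ip6tables -F
  ip6tables -t nat -F

  # "${users[@]+"${users[@]}"}" expands to nothing for an empty array
  # without tripping set -u on bash < 4.4.
  nat_rules ${users[@]+"${users[@]}"}
  filter_rules ${users[@]+"${users[@]}"}
}

main "$@"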