@Klice
Created November 8, 2023 23:35
WireGuard up/down script
#!/bin/bash
## Usage (from the [Interface] section of a wg-quick config; wg-quick replaces
## %i with the interface name, e.g. wg0):
#   PostUp   = /etc/wireguard/ifscript.sh up %i
#   PostDown = /etc/wireguard/ifscript.sh down %i
action=$1
interface=$2
local_ips="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"  # RFC 1918 ranges peers must not reach
vpn_ip="10.6.6.0/24"                                  # address pool handed out to WireGuard peers
int_interface="enp1s0"                                # uplink that carries the masqueraded traffic
local_ports="53"                                      # ports on this host peers may reach (comma-separated)

case "$action" in
  up)   action_arg="I"; cmd_action="Enabling" ;;
  down) action_arg="D"; cmd_action="Disabling" ;;
  *)    echo "Usage: $0 up|down <interface>" >&2; exit 1 ;;
esac
[[ -n "$interface" ]] || { echo "Usage: $0 up|down <interface>" >&2; exit 1; }

log () {
  echo "[ifscript.sh] $cmd_action $*"
}
log "iptables rules for ${interface}"

# NAT for traffic leaving on the uplink. Forwarding also needs net.ipv4.ip_forward=1
# and a FORWARD chain whose policy or earlier rules let the tunnel traffic through.
iptables -t nat -$action_arg POSTROUTING -o "$int_interface" -j MASQUERADE

# -I inserts at the head of a chain, so the last rule inserted is evaluated first.
# Catch-all REJECTs are therefore inserted before the ACCEPTs they must not shadow.

# No access to local services (inserted first, so it ends up after the ACCEPTs)
iptables -$action_arg INPUT -i "$interface" -j REJECT
ip6tables -$action_arg INPUT -i "$interface" -j REJECT
# Allow some local services (e.g. the DNS resolver on this host)
iptables -$action_arg INPUT -i "$interface" -p udp -m multiport --dports "$local_ports" -j ACCEPT
iptables -$action_arg INPUT -i "$interface" -p tcp -m multiport --dports "$local_ports" -j ACCEPT

# Prevent IP bleed: reject forwarded packets from the tunnel whose source is not a VPN address
iptables -$action_arg FORWARD -i "$interface" ! -s "$vpn_ip" -j REJECT
# No access to local IPs or IPv6 through the tunnel (the VPN pool lies inside 10.0.0.0/8,
# so this also blocks peer-to-peer forwarding between VPN clients)
iptables -$action_arg FORWARD -i "$interface" -d "$local_ips" -j REJECT
ip6tables -$action_arg FORWARD -i "$interface" -j REJECT
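Because every rule is added with -I, it lands at the head of its chain, so the kernel evaluates the rules in the reverse of the order the script inserts them; a catch-all REJECT inserted after an ACCEPT ends up ahead of it and the ACCEPT never matches. The harness below is an added example, not part of the gist: it puts shims for iptables and ip6tables on PATH that only log their arguments, runs a script under them, and replays the log into simulated chains so the resulting order can be inspected without root and without touching the live firewall. It assumes bash, mktemp and /bin/sh are available, handles only -t, -I, -A and -D (no -I position numbers) and keeps a comma-separated address list as one simulated rule; the two-rule demo script it writes is constructed for the example and is not the gist's script.

```shell
#!/bin/bash
# Added example: dry-run a wg-quick PostUp/PostDown firewall script without root.
# iptables/ip6tables are shadowed by PATH shims that log their arguments; the log is
# then replayed into per-chain files that honour -I (prepend), -A (append) and -D (delete).
# Assumptions of this example: no -I position numbers, only -t/-I/-A/-D are parsed,
# and a comma-separated address list stays one simulated rule.

# replay_log <logfile> <statedir>: rebuild chains in $statedir/<tool>_<table>_<chain>,
# one rule per line, in the order the kernel would evaluate them.
replay_log() {
  local log=$1 dir=$2 tool rest table chain op rule f
  set -f   # no globbing while re-splitting the logged arguments
  while read -r tool rest; do
    table=filter; chain=""; op=""; rule=""
    set -- $rest
    while [ $# -gt 0 ]; do
      case $1 in
        -t) table=$2; shift 2 ;;
        -I|-A|-D) op=$1; chain=$2; shift 2 ;;
        *) rule="${rule:+$rule }$1"; shift ;;
      esac
    done
    f="$dir/${tool}_${table}_${chain}"
    [ -f "$f" ] || : > "$f"
    case $op in
      -I) { printf '%s\n' "$rule"; cat "$f"; } > "$f.new"; mv "$f.new" "$f" ;;
      -A) printf '%s\n' "$rule" >> "$f" ;;
      -D) grep -vxF -- "$rule" "$f" > "$f.new" || true; mv "$f.new" "$f" ;;
    esac
  done < "$log"
  set +f
}

# dry_run <script> <action> <iface>: run the script with shimmed iptables/ip6tables and
# print the directory holding the simulated chains.
dry_run() {
  local shimdir statedir tool
  shimdir=$(mktemp -d); statedir=$(mktemp -d)
  IFSCRIPT_LOG="$statedir/calls.log"; export IFSCRIPT_LOG
  for tool in iptables ip6tables; do
    cat > "$shimdir/$tool" <<EOF
#!/bin/sh
printf '%s %s\n' "$tool" "\$*" >> "\$IFSCRIPT_LOG"
EOF
    chmod +x "$shimdir/$tool"
  done
  PATH="$shimdir:$PATH" bash "$1" "$2" "$3" > /dev/null
  replay_log "$IFSCRIPT_LOG" "$statedir"
  rm -rf "$shimdir"
  echo "$statedir"
}

# first_rule <statedir> <tool> <table> <chain>: the rule evaluated first in that chain.
first_rule() { head -n 1 "$1/$2_$3_$4"; }

# Constructed demo (not the gist): the same INPUT pair inserted with -I in both orders.
# $1 = accept-first (ACCEPT inserted before the catch-all REJECT) or reject-first.
demo_first_input_rule() {
  local script state
  script=$(mktemp)
  if [ "$1" = accept-first ]; then
    printf '%s\n' '#!/bin/bash' \
      'iptables -I INPUT -p udp --dport 53 -j ACCEPT -i "$2"' \
      'iptables -I INPUT -j REJECT -i "$2"' > "$script"
  else
    printf '%s\n' '#!/bin/bash' \
      'iptables -I INPUT -j REJECT -i "$2"' \
      'iptables -I INPUT -p udp --dport 53 -j ACCEPT -i "$2"' > "$script"
  fi
  state=$(dry_run "$script" up wg0)
  first_rule "$state" iptables filter INPUT
  rm -rf "$script" "$state"
}

# Against a real script: state=$(dry_run /etc/wireguard/ifscript.sh up wg0); head "$state"/*
echo "accept-first: $(demo_first_input_rule accept-first)"   # the catch-all REJECT shadows DNS
echo "reject-first: $(demo_first_input_rule reject-first)"   # the ACCEPT is evaluated first
```

Run it against the real script with dry_run and read the per-chain files it prints: each file lists the rules top to bottom in evaluation order, so an ACCEPT that must fire has to appear above the catch-all REJECT in the INPUT file. The same replay also shows whether the down action leaves the chains empty, which is the quickest way to catch a -D whose match does not mirror its -I.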