DISABLE_IPV6=0
TP_PORT=900
TP_USER=daemon

EXCLUDE4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8"
EXCLUDE6="fc00::/7 fe80::/10 ::1"
IPTS="iptables ip6tables"
[ "$DISABLE_IPV6" = 1 ] && IPTS=iptables

exists()
{
	which "$1" >/dev/null 2>/dev/null
}

ipt()
{
	$IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@"
}

redirect_port()
{
	ipt tpws -t nat -p tcp --dport $1 -j REDIRECT --to-port $2
}

redirect()
{
	redirect_port 80 $TP_PORT
	redirect_port 443 $TP_PORT
}

for IPTABLES in $IPTS; do
	$IPTABLES -t nat -N tpws 2>/dev/null
	$IPTABLES -t nat -F tpws
	redirect
done

for net in $EXCLUDE4; do
	iptables -t nat -I tpws -d $net -j RETURN
done
[ "$DISABLE_IPV6" = 1 ] || {
	for net in $EXCLUDE6; do
		ip6tables -t nat -I tpws -d $net -j RETURN
	done
}

for IPTABLES in $IPTS; do
	ipt PREROUTING -t nat -j tpws
	ipt OUTPUT -t nat -m owner ! --uid-owner $TP_USER -j tpws
done