#!/usr/bin/env bash
UPLINK_INTERFACE="enp0s31f6"

what="A"
if [ "$1" == "delete" ]; then
    what="D"
fi
for port in {4001..4200}; do
    ip_octet=$((port - 4000))               # 4001 → 1, … 4200 → 200
    dst_ip="192.168.0.${ip_octet}"
    iptables -t nat -${what} PREROUTING \
        -i "$UPLINK_INTERFACE" -p tcp -m tcp --dport "$port" \
        -j DNAT --to-destination "${dst_ip}:22"
done
iptables -t nat -A POSTROUTING     -o br-ext -p tcp -d 192.168.0.0/24 --dport 22     -j MASQUERADE