diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..8acffa6
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,7 @@
+services:
+ infra:
+ build: ./infra
+ cap_add:
+ - NET_ADMIN
+ network_mode: host
+ restart: unless-stopped
diff --git a/infra/Dockerfile b/infra/Dockerfile
new file mode 100644
index 0000000..9c3f958
--- /dev/null
+++ b/infra/Dockerfile
@@ -0,0 +1,6 @@
+FROM alpine:latest
+
+RUN apk add --no-cache --upgrade bash grep iptables ip6tables wireguard-tools
+COPY /root /
+
+ENTRYPOINT ["/setup.sh"]
\ No newline at end of file
diff --git a/infra/root/setup.sh b/infra/root/setup.sh
new file mode 100755
index 0000000..ff2f4cf
--- /dev/null
+++ b/infra/root/setup.sh
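Review bot: With `network_mode: host` and `NET_ADMIN`, everything setup.sh does to iptables and WireGuard lands in the host's network namespace and is re-applied on every `restart: unless-stopped` restart, yet nothing in this service provisions the `/wg-far-end.conf` that setup.sh brings up — it appears it has to be baked into the image by the Dockerfile's `COPY /root /`, which would leave the tunnel's private key in an image layer. I'd mount it at run time instead, e.g. `volumes:` with `- ./wg-far-end.conf:/wg-far-end.conf:ro` (or a compose `secrets:` entry), and keep it out of the build context with a `.dockerignore`. A one-line comment on the service saying that host networking and NET_ADMIN are needed because the rules target the host's own tables would also save the next reader from wondering whether they can be dropped.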
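Review bot: `FROM alpine:latest` together with the unpinned `apk add --upgrade` makes this image non-reproducible: the iptables/wireguard-tools versions — and whether the `iptables` package ships the `iptables-nft` binaries setup.sh calls, which is worth confirming — depend on whatever `latest` resolves to on build day. Pin a release tag, e.g. `FROM alpine:<pinned-release>` (ideally with a digest), and pin the packages (`pkg=x.y.z-rN`). `COPY /root /` copies the whole `infra/root` directory to the image root, so anything placed beside setup.sh — a WireGuard config carrying a private key in particular — becomes an image layer; copying only what the image needs, `COPY root/setup.sh /setup.sh`, plus a `.dockerignore` avoids that. The file also ends without a trailing newline.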
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+echo_info() {
+ GREEN='\033[0;32m'
+ NC='\033[0m'
+ printf "${GREEN}$1${NC}\n"
+}
+
+####################################################################
+# Constants
+####################################################################
+
+WAN_INTERFACE_V4=eth0
+WAN_INTERFACE_V6=eth0
+
+WEB_SERVER_IPV4=10.254.0.2
+WEB_SERVER_IPV6=fd99:23eb:1682:fe::2
+
+WEB_SERVER_PORTS=80,443,10000:11000,51820
+
+####################################################################
+# wireguard setup
+# wireguard -> X forwarding
+# wireguard -> $WAN_INTERFACE SNAT
+####################################################################
+
+echo_info "Set up wireguard..."
+
+wg-quick down /wg-far-end.conf
+wg-quick up /wg-far-end.conf
+
+# default drop
+iptables-nft -P FORWARD DROP
+ip6tables-nft -P FORWARD DROP
+
+# allow forward
+iptables-nft -A FORWARD -i wg-far-end -j ACCEPT
+ip6tables-nft -A FORWARD -i wg-far-end -j ACCEPT
+
+iptables-nft -A FORWARD -i $WAN_INTERFACE_V4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables-nft -A FORWARD -i $WAN_INTERFACE_V6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# masquerading
+iptables-nft -t nat -A POSTROUTING -o $WAN_INTERFACE_V4 -j MASQUERADE
+ip6tables-nft -t nat -A POSTROUTING -o $WAN_INTERFACE_V6 -j MASQUERADE
+
+####################################################################
+# Port forwarding
+####################################################################
+
+echo_info "Set up port forwarding to web server..."
+
+setup_port_forward() {
+ interface_name_v4=$1
+ interface_name_v6=$2
+ ports=$3
+ dst_ipv4=$4
+ dst_ipv6=$5
+
+ interface_ipv4=`ip -4 addr show $interface_name_v4 | grep -oP '(?<=inet\s)\d+(\.\d+){3}' -m 1`
+ interface_ipv6=`ip -6 addr show $interface_name_v6 | grep -oP '(?<=inet6\s)[\da-f:]+' -m 1`
+
+ # ipv4 forwarding
+ iptables-nft -t nat -A PREROUTING -p tcp -d $interface_ipv4 -m multiport --dports $ports -j DNAT --to-destination $dst_ipv4
+ iptables-nft -A FORWARD -p tcp -d $dst_ipv4 -m multiport --dports $ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ iptables-nft -t nat -A POSTROUTING -p tcp -d $dst_ipv4 -m multiport --dports $ports -j MASQUERADE
+
+ iptables-nft -t nat -A PREROUTING -p udp -d $interface_ipv4 -m multiport --dports $ports -j DNAT --to-destination $dst_ipv4
+ iptables-nft -A FORWARD -p udp -d $dst_ipv4 -m multiport --dports $ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ iptables-nft -t nat -A POSTROUTING -p udp -d $dst_ipv4 -m multiport --dports $ports -j MASQUERADE
+
+ # ipv6 forwarding
+ ip6tables-nft -t nat -A PREROUTING -p tcp -d $interface_ipv6 -m multiport --dports $ports -j DNAT --to-destination $dst_ipv6
+ ip6tables-nft -A FORWARD -p tcp -d $dst_ipv6 -m multiport --dports $ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ ip6tables-nft -t nat -A POSTROUTING -p tcp -d $dst_ipv6 -m multiport --dports $ports -j MASQUERADE
+
+ ip6tables-nft -t nat -A PREROUTING -p udp -d $interface_ipv6 -m multiport --dports $ports -j DNAT --to-destination $dst_ipv6
+ ip6tables-nft -A FORWARD -p udp -d $dst_ipv6 -m multiport --dports $ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ ip6tables-nft -t nat -A POSTROUTING -p udp -d $dst_ipv6 -m multiport --dports $ports -j MASQUERADE
+}
+
+setup_port_forward $WAN_INTERFACE_V4 $WAN_INTERFACE_V6 $WEB_SERVER_PORTS $WEB_SERVER_IPV4 $WEB_SERVER_IPV6
+
+####################################################################
+# iptables de-duplicate
+####################################################################
+
+echo_info "De-duplicating iptables..."
+
+iptables-nft-save | awk '/^COMMIT$/ { delete x; }; !x[$0]++' > /tmp/iptables.conf
+iptables-nft -F
+iptables-nft-restore < /tmp/iptables.conf
+
+ip6tables-nft-save | awk '/^COMMIT$/ { delete x; }; !x[$0]++' > /tmp/iptables.conf
+ip6tables-nft -F
+ip6tables-nft-restore < /tmp/iptables.conf
+
+####################################################################
+####################################################################
+
+echo_info "Infra setup complete!"
+
+sleep infinity &
+
+wait
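Review bot: Nothing in this script stops after a failure: there is no `set -e`, so if `wg-quick up` fails, or the `ip -4 addr show` / `ip -6 addr show` lookups in setup_port_forward yield an empty `interface_ipv4`/`interface_ipv6` (which then makes `-d` swallow the next argument), the FORWARD policy has already been set to DROP in the host's namespace and the script goes on to `sleep infinity`, leaving a half-configured firewall in a container that looks healthy from outside. I'd add `set -euo pipefail` after the shebang, tolerate the expected failure of the initial `wg-quick down` with `|| true`, and refuse to install DNAT rules when either interface address is empty. Separately, `wait` returns on SIGTERM but nothing brings the tunnel down or restores the previous FORWARD policy, so a `docker stop` leaves the DROP policy and DNAT rules on the host; a `trap` handler that runs `wg-quick down` and undoes the policy would make the container's effect reversible. The per-destination `MASQUERADE` rules in setup_port_forward rewrite the source of every forwarded connection to the gateway's address, so the web server never sees the real client IP — if its logs or any address-based rate limiting matter, routing its replies back through the tunnel and dropping those rules preserves it. Minor: `printf "${GREEN}$1${NC}\n"` uses the message as the format string; `printf "${GREEN}%s${NC}\n" "$1"` is the robust form.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: echo_info, constants …

# The interface does not exist on a fresh start; a failed "down" is expected.
wg-quick down /wg-far-end.conf || true
wg-quick up /wg-far-end.conf

# … unchanged: FORWARD policy, forward and masquerade rules …

setup_port_forward() {
    # … unchanged: positional-argument assignment …
    interface_ipv4=$(ip -4 addr show "$interface_name_v4" | grep -oP '(?<=inet\s)\d+(\.\d+){3}' -m 1 || true)
    interface_ipv6=$(ip -6 addr show "$interface_name_v6" | grep -oP '(?<=inet6\s)[\da-f:]+' -m 1 || true)
    if [ -z "$interface_ipv4" ] || [ -z "$interface_ipv6" ]; then
        echo "No address found on $interface_name_v4/$interface_name_v6; refusing to install DNAT rules" >&2
        exit 1
    fi
    # … unchanged: DNAT / FORWARD / MASQUERADE rules …
}
```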