Move helper NAT management into Go

Remove the last shell-owned NAT surface by extracting the iptables logic into a shared Go package and using it from both bangerd and a hidden helper bridge in the CLI.

Route customize.sh and interactive.sh through banger internal nat up/down so the remaining shell helpers reuse the same rule logic, resolve the local banger binary explicitly, and tear NAT back down during cleanup.

Drop nat.sh from the runtime bundle and docs now that NAT is Go-managed everywhere, and keep coverage aligned with the new shared package and helper command.

Validation: go test ./..., bash -n customize.sh interactive.sh verify.sh, make build, and a live ./verify.sh --nat run that installed host rules, reached outbound network access, and cleaned them up successfully.

interactive.sh

@@ -73,6 +73,31 @@ BR_IP="172.16.0.1"
 CIDR="24"
 DNS_SERVER="1.1.1.1"
 
+resolve_banger_bin() {
+  if [[ -n "${BANGER_BIN:-}" ]]; then
+    printf '%s\n' "$BANGER_BIN"
+    return
+  fi
+  if [[ -x "$DIR/banger" ]]; then
+    printf '%s\n' "$DIR/banger"
+    return
+  fi
+  if command -v banger >/dev/null 2>&1; then
+    command -v banger
+    return
+  fi
+  log "banger binary not found; install/build banger or set BANGER_BIN"
+  exit 1
+}
+
+BANGER_BIN="$(resolve_banger_bin)"
+NAT_ACTIVE=0
+
+banger_nat() {
+  local action="$1"
+  "$BANGER_BIN" internal nat "$action" --guest-ip "$GUEST_IP" --tap "$TAP_DEV"
+}
+
 BASE_ROOTFS=""
 OUT_ROOTFS=""
 SIZE_SPEC=""
@@ -167,6 +192,9 @@ sudo -v
 
 cleanup() {
   sudo kill "${FC_PID:-}" 2>/dev/null || true
+  if [[ "$NAT_ACTIVE" -eq 1 ]]; then
+    banger_nat down >/dev/null 2>&1 || true
+  fi
   sudo ip link del "$TAP_DEV" 2>/dev/null || true
   rm -f "$API_SOCK"
   banger_dns_remove_record_name "${DNS_NAME:-}"
@@ -272,7 +300,8 @@ jq -n \
   > "$VM_DIR/vm.json"
 
 log "enabling NAT for interactive session"
-sudo -E ./nat.sh up "$VM_TAG" >/dev/null
+banger_nat up >/dev/null
+NAT_ACTIVE=1
 
 log "waiting for SSH"
 log "guest ip: $GUEST_IP"