# Firewall setup.
#
# Sets up NAT with iptables: source NAT for outbound traffic and port
# forwarding (DNAT) to the inside servers.  The ipchains/ipmasqadm commands
# further down are commented-out history from the 2.2 kernel era, not active.
#

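# Site-specific settings: interfaces, addresses and the lists of published
# ports.  Every rule below is built from these variables, so refuse to go on
# -- before any existing rule has been flushed or forwarding enabled -- when
# the file is missing or the values the unconditional rules need are empty.
# Without this, a missing config used to flush the filter table and switch on
# ip_forward with empty addresses in the rules.
[ -r /etc/config ] || { echo "firewall: /etc/config missing or unreadable, leaving rules untouched" >&2; exit 1; }
. /etc/config
: "${OUTSIDE_DEV:?firewall: OUTSIDE_DEV is not set in /etc/config}"
: "${OUTSIDE_IP:?firewall: OUTSIDE_IP is not set in /etc/config}"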

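#
# Start from a clean slate.  A bare "iptables -F" flushes only the filter
# table; the rules below are appended (-A) to the nat table, so that table has
# to be flushed too -- otherwise every re-run of this script stacks another
# copy of the DNAT/SNAT rules on top of the previous one.
# (This script installs no filter rules of its own.)
#
iptables -F
iptables -t nat -F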

#
# Source NAT for everything leaving the outside interface.
#
# The ipchains policy + masquerade pair is kept only for reference.  Note that
# nothing in this script sets an iptables FORWARD policy or any filter rule,
# so once forwarding is enabled, what may be forwarded is decided by whatever
# FORWARD policy is already in effect on the box.
#ipchains -P forward DENY
#ipchains -A forward -i ${OUTSIDE_DEV} -j MASQ

# MASQUERADE (as in the HOWTO) did not work here, and with a static outside
# address plain SNAT to that address does the same job.  There is no -s
# match: every packet routed out OUTSIDE_DEV, whatever inside network it
# came from, leaves with OUTSIDE_IP as its source.
#iptables -t nat -A POSTROUTING -o  ${OUTSIDE_DEV} -j MASQUERADE
iptables -t nat -A POSTROUTING -o "${OUTSIDE_DEV}" -j SNAT --to-source "${OUTSIDE_IP}"


#
# Minimum-delay TOS for outbound SSH (ipchains only; not carried over to iptables).
#
#ipchains -A output -p tcp -d 0.0.0.0/0 22 -t 0x01 0x10

#
# Block NetBIOS/Samba (ports 137-139) leaking out.  NOTE: these are the old
# ipchains rules and are commented out; this script has no iptables
# equivalent, so nothing here actually filters NetBIOS traffic.
#
#/bin/ipchains -I input -j REJECT -p TCP -s 0/0 -d 0/0 137:139
#/bin/ipchains -I input -j REJECT -p UDP -s 0/0 -d 0/0 137:139


#
# Finally, list what we have
# 
#
#iptables -L

# If listing hangs on reverse DNS lookups, disable them with -n:
#iptables -L -n

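#
# Port forwarding: publish selected TCP/UDP ports of the inside servers on
# OUTSIDE_IP.  This is the iptables replacement for the old ipmasqadm portfw
# rules; it is active whenever the *_PORTS lists in /etc/config are non-empty.
#
# For each published port two kinds of nat rule are installed:
#   PREROUTING  DNAT -- anything arriving for OUTSIDE_IP:port is redirected to
#                       the server.  There is deliberately no -i match, so
#                       inside hosts can reach the server via OUTSIDE_IP too.
#   POSTROUTING SNAT -- for that inside-to-OUTSIDE_IP ("hairpin") case, the
#                       client's source is rewritten to the router's address
#                       on the client's network, so the server answers the
#                       router rather than the client directly.
# The first inside network is always handled; INSIDE2..INSIDE5 only when their
# *_DEV variable is non-empty.
#
# Written for plain sh: no "local", so helper variables carry an fw_ prefix.
#

# hairpin_snat PROTO PORT SERVER NETWORK NETMASK ROUTER_IP
#   SNAT traffic from NETWORK/NETMASK to SERVER:PORT (PROTO) so that it
#   appears to come from ROUTER_IP.
hairpin_snat() {
	iptables -t nat -A POSTROUTING -d "$3" -s "$4/$5" -p "$1" --dport "$2" -j SNAT --to-source "$6"
}

# publish_ports PROTO SERVER [PORT...]
#   Install the DNAT and hairpin SNAT rules for every PORT of SERVER.
#   With no PORT arguments (an empty *_PORTS list) nothing is installed.
publish_ports() {
	fw_proto=$1
	fw_server=$2
	shift 2
	for fw_port in "$@"; do
		iptables -t nat -A PREROUTING -d "${OUTSIDE_IP}" -p "${fw_proto}" --dport "${fw_port}" -j DNAT --to-destination "${fw_server}"
		hairpin_snat "${fw_proto}" "${fw_port}" "${fw_server}" "${INSIDE_NETWORK}" "${INSIDE_NETMASK}" "${INSIDE_IP}"
		[ -n "${INSIDE2_DEV}" ] && hairpin_snat "${fw_proto}" "${fw_port}" "${fw_server}" "${INSIDE2_NETWORK}" "${INSIDE2_NETMASK}" "${INSIDE2_IP}"
		[ -n "${INSIDE3_DEV}" ] && hairpin_snat "${fw_proto}" "${fw_port}" "${fw_server}" "${INSIDE3_NETWORK}" "${INSIDE3_NETMASK}" "${INSIDE3_IP}"
		[ -n "${INSIDE4_DEV}" ] && hairpin_snat "${fw_proto}" "${fw_port}" "${fw_server}" "${INSIDE4_NETWORK}" "${INSIDE4_NETMASK}" "${INSIDE4_IP}"
		[ -n "${INSIDE5_DEV}" ] && hairpin_snat "${fw_proto}" "${fw_port}" "${fw_server}" "${INSIDE5_NETWORK}" "${INSIDE5_NETMASK}" "${INSIDE5_IP}"
	done
}

# The *_PORTS variables are whitespace-separated lists; they are expanded
# unquoted on purpose so each port becomes its own argument.
publish_ports tcp "${SERVER_IP}"  ${SERVER_TCP_PORTS}
publish_ports udp "${SERVER_IP}"  ${SERVER_UDP_PORTS}
publish_ports tcp "${SERVER2_IP}" ${SERVER2_TCP_PORTS}
publish_ports udp "${SERVER2_IP}" ${SERVER2_UDP_PORTS}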

# To inspect the NAT rules installed above:
#iptables -L PREROUTING -t nat
#iptables -L POSTROUTING -t nat

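#
# NAT rules are in place; now let the kernel forward packets.  This is done
# last so forwarding is never enabled before the rules exist.  Remember that
# this script installs no filter rules, so from here on what gets forwarded
# is governed by whatever FORWARD policy is already in effect.
#
echo "Enabling IP forwarding."

# A failed write (e.g. /proc not mounted, not root) must not look like success.
echo "1" > /proc/sys/net/ipv4/ip_forward || echo "firewall: could not write /proc/sys/net/ipv4/ip_forward, forwarding NOT enabled" >&2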
