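#!/bin/bash
# Copyright 2002, Evan Y. Chu.
# For technical information, please contact Evan Y. Chu at evanc@his.com.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Minimal masquerading gateway firewall (IPv4 only, filter + nat tables).
#
# Usage:
#   $0 -set     flush, enable forwarding, install the ruleset below
#   $0 -clear   flush everything and reset every policy to ACCEPT
#               (i.e. leave the host with NO packet filtering at all)
#
# Trust model as expressed by the rules in configTables2:
#   * LAN_INTF is fully trusted: anything arriving on it is accepted
#     into INPUT and forwarded out of WAN_INTF without source checks.
#   * WAN_INTF only admits replies to connections started from inside
#     (ESTABLISHED,RELATED); INPUT and FORWARD default to DROP.
#   * Locally originated traffic (OUTPUT) is unrestricted.
# Nothing here touches ip6tables, so IPv6 reachability is unaffected.

set -eu

IPTABLES=/sbin/iptables
WAN_INTF="ppp0"
LAN_INTF="eth0"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Flush and delete all user chains in filter, nat and mangle, then reset
# the filter and nat built-in policies to ACCEPT. After this the host is
# open; it is the starting point for -set as well as the whole of -clear.
# Globals:  IPTABLES (read)
# Outputs:  confirmation line on stdout
#######################################
clearTables() {
  "$IPTABLES" --flush
  "$IPTABLES" --delete-chain
  "$IPTABLES" -t nat --flush
  "$IPTABLES" -t nat --delete-chain
  "$IPTABLES" -t mangle --flush
  "$IPTABLES" -t mangle --delete-chain

  # Reset the default policies in the tables this script manages.
  # (mangle policies are never changed by this script, so they are left
  # alone here.)
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT

  echo "iptables is cleared"
}

#######################################
# Kernel-side prerequisites for acting as a NAT gateway: turn on IPv4
# forwarding and ip_dynaddr (rewrites the source of half-open connections
# when a dynamic WAN address, e.g. ppp, changes). Both writes are
# checked; a read-only or missing sysctl aborts the run rather than
# silently leaving forwarding off.
#######################################
configOs() {
  ## enable ip forwarding
  printf '1\n' > /proc/sys/net/ipv4/ip_forward \
    || die "cannot enable ip_forward"
  ## enable dynamic ip
  printf '1\n' > /proc/sys/net/ipv4/ip_dynaddr \
    || die "cannot enable ip_dynaddr"
}

#######################################
# Install the ruleset. Policies are set first so that, once clearTables
# has opened the host, the DROP defaults are restored before any ACCEPT
# rule is appended.
# Globals:  IPTABLES, WAN_INTF, LAN_INTF (read)
# Outputs:  confirmation line on stdout
#######################################
configTables2() {
  ## set default policy
  "$IPTABLES" --policy INPUT DROP
  "$IPTABLES" --policy OUTPUT ACCEPT
  "$IPTABLES" --policy FORWARD DROP
  "$IPTABLES" -t nat --policy PREROUTING ACCEPT
  "$IPTABLES" -t nat --policy OUTPUT ACCEPT
  "$IPTABLES" -t nat --policy POSTROUTING ACCEPT

  ## allow loopback interface
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  ## allow local interface
  # Everything arriving on the LAN side is accepted with no source
  # address or port restriction: the LAN is the trust boundary.
  "$IPTABLES" -A INPUT -i "$LAN_INTF" -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$LAN_INTF" -j ACCEPT

  ## protect WAN interface
  # Inbound from the WAN only as a reply to something we started; no
  # services are exposed. Outbound from this host is unrestricted.
  "$IPTABLES" -A INPUT -i "$WAN_INTF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$WAN_INTF" -j ACCEPT

  ## enable source-NAT
  # Return traffic WAN->LAN only for tracked connections; LAN->WAN is
  # forwarded unconditionally and masqueraded behind the WAN address.
  "$IPTABLES" -A FORWARD -i "$WAN_INTF" -o "$LAN_INTF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$LAN_INTF" -o "$WAN_INTF" -j ACCEPT
  "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_INTF" -j MASQUERADE

  echo "iptables is active"
}

#######################################
# Entry point. Validates the environment, then dispatches on the single
# mode argument. Usage errors go to stderr with exit status 2.
# Arguments: $1 - "-clear" or "-set"
#######################################
main() {
  [[ -x "$IPTABLES" ]] || die "$IPTABLES not found or not executable"
  [[ "$(id -u)" -eq 0 ]] || die "must be run as root"

  case "${1-}" in
    -clear)
      clearTables
      ;;
    -set)
      # clearTables leaves INPUT/FORWARD at ACCEPT until configTables2
      # sets them back to DROP: a brief fully-open window on the WAN
      # side, inherent to flush-then-rebuild.
      clearTables
      configOs
      configTables2
      ;;
    *)
      printf '%s <-clear> | <-set>\n' "$0" >&2
      exit 2
      ;;
  esac
}

main "$@"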