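#!/bin/sh
# Host firewall and IPv4 NAT for a small router (iptables / ip6tables).
#
# /etc/local.d/vars.sh is expected to define:
#   lan     - name of the LAN interface (used with -i)
#   lan_ip  - the router's IPv4 address on $lan
#   wan     - name of the upstream interface (used with -o for MASQUERADE)
# Those three are checked right after sourcing so a missing value aborts the
# script *before* any chain is flushed, instead of installing rules with empty
# match arguments.
. /etc/local.d/vars.sh

# Public IPv4 of eth0: the first "inet" line of `ip -4 addr`, prefix length
# stripped. Only the first address is taken; a second (secondary) address would
# otherwise split into extra iptables arguments further down.
# NOTE(review): eth0 is hard-coded here while MASQUERADE uses $wan — presumably
# the same interface; confirm against vars.sh.
wan_ip=$(ip -4 addr show dev eth0 | awk '/inet /{print $2; exit}')
wan_ip=${wan_ip%%/*}

ipt=iptables
ipt6=ip6tables

: "${lan:?lan not set by /etc/local.d/vars.sh}"
: "${lan_ip:?lan_ip not set by /etc/local.d/vars.sh}"
: "${wan:?wan not set by /etc/local.d/vars.sh}"

# Filter table: flush and reset every chain to ACCEPT. The closing DROP/REJECT
# rules below do the real filtering, so the host is open between the flush and
# those rules; a DROP policy on INPUT/FORWARD would be the fail-closed variant.
# NOTE(review): left as ACCEPT in case vars_end.sh appends rules that rely on it
# — confirm before switching.
for chain in INPUT OUTPUT FORWARD; do
  "$ipt" -F "$chain"
  "$ipt" -P "$chain" ACCEPT
  "$ipt6" -F "$chain"
  "$ipt6" -P "$chain" ACCEPT
done

# IPv4 INPUT: loopback, replies to our own connections, a few services, then
# everything arriving from the LAN; anything else is dropped.
"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -A INPUT -m conntrack --ctstate related,established -j ACCEPT
"$ipt" -A INPUT -p tcp --dport 22 -d "$lan_ip" -j ACCEPT   # SSH, only via the LAN address
# NOTE(review): 9100 and 443 carry no -i/-d restriction, so they are reachable on
# every router address; only the PREROUTING DNAT below diverts $wan_ip traffic
# on these ports away from the router itself.
"$ipt" -A INPUT -p tcp --dport 9100 -j ACCEPT   # prometheus node exporter
"$ipt" -A INPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
"$ipt" -A INPUT -i "$lan" -j ACCEPT             # everything from the LAN (ICMP included)
"$ipt" -A INPUT -j DROP

# NOTE(review): no IPv4 FORWARD rules are installed, so with the ACCEPT policy
# above every routed IPv4 packet is forwarded (IPv6 FORWARD, by contrast, ends
# in REJECT). If that is not intended, the usual shape is: conntrack
# related,established, "-i $lan", "--ctstate DNAT" for the port forwards, then
# DROP.

# IPv6 INPUT (same shape; -m conntrack is the current form of -m state).
"$ipt6" -A INPUT -i lo -j ACCEPT
"$ipt6" -A INPUT -m conntrack --ctstate related,established -j ACCEPT
"$ipt6" -A INPUT -p udp --dport 546 -d fe80::/10 -j ACCEPT   # DHCPv6 client replies (link-local)
"$ipt6" -A INPUT -p icmpv6 -j ACCEPT   # neighbour discovery, router advertisements, PMTU
"$ipt6" -A INPUT -j REJECT

# IPv6 FORWARD: replies, LAN-originated traffic and ICMPv6 only.
"$ipt6" -A FORWARD -m conntrack --ctstate related,established -j ACCEPT
"$ipt6" -A FORWARD -i "$lan" -j ACCEPT
"$ipt6" -A FORWARD -p icmpv6 -j ACCEPT
"$ipt6" -A FORWARD -j REJECT

# NAT table: flush and reset.
for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
  "$ipt" -t nat -F "$chain"
  "$ipt" -t nat -P "$chain" ACCEPT
done

# Port forwards for one internal host, with NAT reflection, as an example.
internal_server=10.0.0.241
if [ -z "$wan_ip" ]; then
  # Without a WAN address the -d match would be empty; say so instead of
  # letting iptables reject the rule with a cryptic error.
  printf '%s: no IPv4 address on eth0; WAN-side port forwards skipped\n' "${0##*/}" >&2
fi
for port in 443 9100 9090; do
  if [ -n "$wan_ip" ]; then
    "$ipt" -t nat -A PREROUTING -p tcp --dport "$port" -d "$wan_ip" \
      -j DNAT --to "$internal_server"
  fi
  # Reflection: traffic for $lan_ip arriving on eth0 also goes to the server ...
  "$ipt" -t nat -I PREROUTING -p tcp --dport "$port" -d "$lan_ip" -i eth0 \
    -j DNAT --to "$internal_server"
  # ... and is rewritten to come from the router. NOTE(review): there is no -s
  # match, so every forwarded connection to these ports (WAN ones included)
  # reaches the server with $lan_ip as its source; add "-s <lan-subnet>" if the
  # server needs real client addresses in its logs.
  "$ipt" -t nat -I POSTROUTING -p tcp --dport "$port" -d "$internal_server" \
    -j SNAT --to "$lan_ip"
done

# Where the "magic" happens for IPv4: source-NAT everything leaving via $wan.
"$ipt" -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

. /etc/local.d/vars_end.sh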