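#!/usr/bin/env bash
# Copyright (C) 2014 Multi-Tech Systems
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# Stateful IPv4 firewall / NAT setup for a cell router.
#
#   start: drop all inbound traffic by default, accept loopback, established
#          connections and everything arriving on the LAN interfaces, forward
#          LAN -> WAN with masquerading, then enable IPv4 forwarding.
#   stop:  flush every rule, reset all policies to ACCEPT and disable
#          forwarding (NOTE: the device is left completely unfiltered).
#
# Usage: $0 start|stop [-l lan0,lan1,...] [-w wan]
#
# NOTE(review): this script only drives iptables (IPv4). ip6tables is never
# touched, so if IPv6 is enabled on the WAN interface none of the DROP
# policies below apply to that traffic.

set -euo pipefail

#######################################
# Reject an interface name that cannot be passed safely to iptables.
# The names come from the command line and are used as arguments of a
# root-privileged command, so an empty value, embedded whitespace or a
# leading '-' would be parsed as extra/missing iptables options.
# Arguments: $1 - interface name
# Outputs:   error message on stderr
# Returns:   exits 1 on an invalid name, returns 0 otherwise
#######################################
check_iface() {
  local name=$1
  if [[ -z "$name" || "$name" == *[[:space:]]* || "$name" == -* ]]; then
    printf 'Invalid interface name: %q\n' "$name" >&2
    exit 1
  fi
}

#######################################
# Install the firewall/NAT rule set and enable IPv4 forwarding.
# Globals:   lan (read) - comma-separated LAN interface list
#            wan (read) - WAN interface name
# Outputs:   progress messages on stdout
# Returns:   non-zero (via set -e) if any iptables call fails
#######################################
do_start() {
  local lan_interfaces=${lan//,/ }
  local iface

  check_iface "$wan"
  # shellcheck disable=SC2086  # word-splitting the interface list is intended
  for iface in $lan_interfaces; do
    check_iface "$iface"
  done

  echo "Configuring firewall rules..."

  # Fail closed: set the DROP policies *before* flushing so that the window
  # between the flush and the re-installed ACCEPT rules never leaves the host
  # wide open. (Flushing first with an ACCEPT policy would do exactly that.)
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  # Allow all output packets
  iptables -t filter -P OUTPUT ACCEPT

  # Flush all the tables
  iptables -t filter -F
  iptables -t nat -F
  iptables -t mangle -F

  # Accept all on local loopback
  iptables -t filter -A INPUT -i lo -j ACCEPT
  # Allow packets in for existing socket connections
  iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Accept all from LAN interfaces
  # shellcheck disable=SC2086
  for iface in $lan_interfaces; do
    iptables -t filter -A INPUT -i "$iface" -j ACCEPT
    # Accept ssh from the LAN (Wired)
    #iptables -t filter -A INPUT -i "$iface" -p tcp --dport 22 -j ACCEPT
    # Accept http from the LAN (Wired)
    #iptables -t filter -A INPUT -i "$iface" -p tcp --dport 80 -j ACCEPT
    # Accept tftp from the LAN (Wired)
    #iptables -t filter -A INPUT -i "$iface" -p udp --dport 69 -j ACCEPT
  done

  # Accept ssh from the WAN (Wireless)
  #iptables -t filter -A INPUT -i "$wan" -p tcp --dport 22 -j ACCEPT
  # Accept http from the WAN (Wireless)
  #iptables -t filter -A INPUT -i "$wan" -p tcp --dport 80 -j ACCEPT

  # Allow packet forwarding from LAN interfaces to WAN (cell router);
  # reply traffic is covered by the RELATED,ESTABLISHED rule.
  iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # shellcheck disable=SC2086
  for iface in $lan_interfaces; do
    iptables -t filter -A FORWARD -i "$iface" -o "$wan" -j ACCEPT
  done

  # Enable NAT for the cell router
  iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

  echo "Enabling packet forwarding..."
  # Turn on packet forwarding last, only once the FORWARD rules are in place
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "Done"
}

#######################################
# Remove every rule, reset policies to ACCEPT and disable IPv4 forwarding.
# After this the device accepts all traffic on every interface.
# Outputs:   progress messages on stdout
#######################################
do_stop() {
  echo "Clearing firewall rules..."
  # Clear all tables
  iptables -t filter -F
  iptables -t nat -F
  iptables -t mangle -F
  # Reset policies to ACCEPT
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT
  # Turn off packet forwarding
  echo "Disabling packet forwarding..."
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo "Done"
}

#######################################
# Print usage on stderr and exit 1.
#######################################
usage() {
  printf 'Usage: %s start|stop [options]\n' "${0##*/}" >&2
  printf '  options:\n' >&2
  printf '    -l  LAN interfaces to allow, comma-separated (defaults to "eth0")\n' >&2
  printf '    -w  WAN interface to route out (defaults to "ppp0")\n' >&2
  exit 1
}

# main
(( $# >= 1 )) || usage
cmd=$1
shift

# Make sure an inherited environment variable named 'l' or 'w' cannot
# silently supply an interface name; only the command line may.
unset -v l w
while getopts "l:w:h" opt; do
  case "$opt" in
    l) l=$OPTARG ;;
    w) w=$OPTARG ;;
    *) usage ;;
  esac
done

# Default LAN to eth0 and WAN to ppp0 when not specified on the command line
lan=${l-eth0}
wan=${w-ppp0}

case "$cmd" in
  start)
    echo "LAN: $lan"
    echo "WAN: $wan"
    do_start
    ;;
  stop)
    do_stop
    ;;
  *)
    usage
    ;;
esac
exit 0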