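#!/bin/sh
#
# ipmasq - stateful firewall + NAT (masquerade) for a two-interface gateway.
#
# Usage: ipmasq {start|stop|status}
#
# Must run as root: it writes /proc/sys/net/ipv4/* and programs iptables.
# Traffic model:
#   - The LAN ($IP, behind $INSIDE) may reach the Internet via $INTERNET,
#     masqueraded behind the gateway's address.
#   - The gateway itself accepts FTP and SSH from $INTERNET and anything
#     from $INSIDE.
#   - TCP/22 arriving on $INTERNET is port-forwarded to $SSH_DNAT_HOST.

# Internal (LAN) network.
IP=192.168.1.0/24
# Interface on which the Internet uplink arrives.
INTERNET=eth0
# Interface facing the internal network.
INSIDE=eth3
# Internal host and port that receive SSH connections arriving on $INTERNET
# (used by both the nat DNAT rule and the matching FORWARD rule).
SSH_DNAT_HOST=192.168.1.100
SSH_DNAT_PORT=22
# One absolute path for every call, so the script does not depend on the
# caller's PATH (the original mixed "iptables" and "/sbin/iptables").
IPT=/sbin/iptables

# Write $2 to /proc/sys/net/ipv4/$1; report on stderr but keep going if the
# kernel does not expose the knob.
set_ipv4_knob() {
  if ! printf '%s\n' "$2" > "/proc/sys/net/ipv4/$1"; then
    echo "ipmasq: cannot set /proc/sys/net/ipv4/$1" >&2
  fi
}

# Reset both tables: set the INPUT/FORWARD policy to $1 first (so the
# intended default applies while the rules are gone), keep OUTPUT open,
# then flush rules, delete user chains and empty the nat chains we use.
reset_tables() {
  "$IPT" -P INPUT "$1"
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD "$1"
  "$IPT" -F
  "$IPT" -X
  "$IPT" -t nat -F PREROUTING
  "$IPT" -t nat -F POSTROUTING
}

# Install the rule set and only then enable routing.
fw_start() {
  echo "Starting firewall+NAT: iptables."

  # Connection-tracking helper so active-mode FTP data channels count as
  # RELATED and pass the state rules below.
  modprobe ip_nat_ftp

  # Deny by default; drop whatever rule set was loaded before.
  reset_tables DROP

  # --- FORWARD (LAN <-> Internet) ---
  # Outbound: only accept LAN sources that actually arrive on the LAN
  # interface, so a packet entering on $INTERNET with a spoofed $IP source
  # is not forwarded.
  "$IPT" -A FORWARD -i "$INSIDE" -s "$IP" -j ACCEPT
  # Inbound: replies (and FTP data channels) for connections conntrack
  # already knows. The original accepted every packet with a $IP
  # destination, which also forwarded unsolicited traffic from $INTERNET
  # into the LAN.
  "$IPT" -A FORWARD -d "$IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The only NEW inbound flow allowed into the LAN: the SSH port-forward
  # configured in the nat section below.
  "$IPT" -A FORWARD -i "$INTERNET" -o "$INSIDE" -p tcp \
    -d "$SSH_DNAT_HOST" --dport "$SSH_DNAT_PORT" \
    -m state --state NEW -j ACCEPT

  # --- NAT ---
  # Masquerade the LAN behind the address of $INTERNET.
  "$IPT" -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
  # Port-forward inbound SSH to the internal host (external and internal
  # port are both $SSH_DNAT_PORT).
  "$IPT" -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport "$SSH_DNAT_PORT" \
    -j DNAT --to-destination "$SSH_DNAT_HOST:$SSH_DNAT_PORT"
  # Template for a second port-forward (kept from the original, which had a
  # typo "-dport"). Any extra DNAT also needs a matching FORWARD rule with
  # "--state NEW" like the SSH one above, or the FORWARD DROP policy wins.
  #"$IPT" -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport 80 \
  #  -j DNAT --to-destination 192.168.1.2:80

  # --- INPUT (traffic addressed to the gateway itself) ---
  "$IPT" -A INPUT -i lo -j ACCEPT
  # Everything from the LAN side is trusted. Narrower alternative: allow
  # only selected ports, e.g.
  #"$IPT" -A INPUT -p tcp -i "$INSIDE" --dport 22 -j ACCEPT
  "$IPT" -A INPUT -i "$INSIDE" -j ACCEPT

  # Services reachable from the Internet.
  # FTP
  "$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 21 -j ACCEPT
  # SSH. Note: the PREROUTING DNAT above rewrites TCP/22 from $INTERNET
  # before INPUT is consulted, so this rule only takes effect if that DNAT
  # rule is removed.
  "$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 22 -j ACCEPT
  # Disabled services; uncomment to expose them.
  #"$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 25 -j ACCEPT      # SMTP
  #"$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 80 -j ACCEPT      # HTTP
  #"$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 110 -j ACCEPT     # POP3
  #"$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 443 -j ACCEPT     # HTTPS
  #"$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 1723 -j ACCEPT    # VPN
  #"$IPT" -A INPUT -p tcp -i "$INTERNET" --dport 10000 -j ACCEPT   # Webmin

  # Connection tracking: no other new or invalid connections from the
  # Internet; accept replies to connections the gateway itself opened.
  "$IPT" -A INPUT -i "$INTERNET" -m state --state NEW,INVALID -j DROP
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Enable routing only now that the FORWARD chain is in place (the original
  # switched it on before any rule or policy was set).
  set_ipv4_knob ip_forward 1
  # The original configuration ignored ping; we answer it for now to make
  # testing easier.
  set_ipv4_knob icmp_echo_ignore_all 0
}

# Open the firewall completely and turn routing off.
fw_stop() {
  echo "Stopping firewall: iptables."
  # Stop routing first so nothing is forwarded through the opened tables.
  set_ipv4_knob ip_forward 0
  set_ipv4_knob icmp_echo_ignore_all 0
  reset_tables ACCEPT
  # Unload the helper after the nat rules that relied on it are gone.
  rmmod ip_nat_ftp
}

# Dump both tables; -n avoids reverse-DNS lookups that can stall the
# listing, -v shows interfaces and counters.
fw_status() {
  "$IPT" -L -n -v
  "$IPT" -t nat -L -n -v
}

# Print usage on stderr and exit non-zero.
usage() {
  echo "Usage: ipmasq {start|stop|status}" >&2
  exit 1
}

case "$1" in
  start)  fw_start ;;
  stop)   fw_stop ;;
  status) fw_status ;;
  *)      usage ;;
esac
exit 0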

