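#!/bin/bash
# NAT everyone on VLAN 10 through this host, keep an (optional) captive-portal
# redirect chain ready, and apply a restrictive IPv6 forwarding policy.
# Must be run on ytrap-llatsni, as root (it rewrites iptables/ip6tables and
# /proc/sys knobs).
#
# Interface roles, as inferred from the rules below (not verified elsewhere):
#   eth0 - upstream side (the 2a01:240:fe3d::/56 "crans" range arrives here,
#          and "outbound" means eth1 -> eth0)
#   eth1 - the VLAN 10 client side
#   eth2 - "adm": nothing is ever forwarded out of it, v4 or v6
#
# The rule set is rebuilt from scratch on every run, so the script is meant
# to be idempotent (every chain it appends to is flushed first).

# Stop at the first failing command instead of carrying on with a half-built
# rule set; referencing an unset variable is an error too.
set -eu

# Everything below is host-specific (addresses, interfaces, a MAC), so refuse
# to run anywhere else.
if [[ "$(hostname)" != "ytrap-llatsni" ]]; then
  echo "À exécuter sur ytrap-llatsni" >&2
  exit 1
fi

readonly UPSTREAM_IF="eth0"
readonly VLAN10_IF="eth1"
readonly ADM_IF="eth2"
readonly PORTAL_IP="10.231.137.1"          # captive portal HTTP target
readonly CRANS_NET6="2a01:240:fe3d::/56"
readonly VLAN10_NET6="2a01:240:fe3d:d2::/64"
readonly ODLYD_MAC="a0:d3:c1:00:f4:04"     # host "odlyd", matched by MAC
readonly GUEST_SET="allowed_guests"        # ipset of clients exempt from the portal

# --- IPv6: fail closed, then rebuild -----------------------------------------
# The DROP policy is installed *before* flushing, so that if anything below
# fails (set -e) the box is left forwarding no IPv6 rather than all of it.
# The end state is the same as setting the policy last.
ip6tables -P FORWARD DROP
ip6tables -t mangle -F
ip6tables -F

# --- IPv4: flush every chain this script appends to ---------------------------
iptables -t nat -F
iptables -t raw -F
iptables -t mangle -F
# Only FORWARD is ours in the IPv4 filter table; flushing it keeps the eth2
# REJECT below from being appended again on each run (INPUT/OUTPUT untouched).
iptables -F FORWARD

# Drop all IPv4 multicast as early as possible (raw PREROUTING, before conntrack).
iptables -t raw -A PREROUTING -d 224.0.0.0/4 -j DROP

# Log every new connection seen on either interface, both address families.
iptables -t mangle -A PREROUTING -i "$VLAN10_IF" -m state --state NEW -j LOG --log-prefix "LOG_ALL "
iptables -t mangle -A PREROUTING -i "$UPSTREAM_IF" -m state --state NEW -j LOG --log-prefix "LOG_ALL "
ip6tables -t mangle -A PREROUTING -i "$VLAN10_IF" -m state --state NEW -j LOG --log-prefix "LOG_ALL "
ip6tables -t mangle -A PREROUTING -i "$UPSTREAM_IF" -m state --state NEW -j LOG --log-prefix "LOG_ALL "

# --- Captive portal chain -----------------------------------------------------
# HTTP (port 80 only; HTTPS is not redirected) from a client that is NOT in the
# GUEST_SET ipset is DNATed to the portal. The set is presumably maintained by
# the portal itself; creating it here stays commented out as in the original.
# NOTE(review): nothing jumps into CAPTIF from PREROUTING (both hooks are
# commented out), so this chain is inert until one of them is re-enabled.
# ipset -q create allowed_guests bitmap:ip range 10.231.137.0/24 || ipset flush allowed_guests
iptables -t nat -N CAPTIF 2>/dev/null || iptables -t nat -F CAPTIF
#iptables -t nat -A PREROUTING --src 10.231.137.189 -j CAPTIF
#iptables -t nat -A PREROUTING -j CAPTIF
if ipset -n list "$GUEST_SET" >/dev/null 2>&1; then
  iptables -t nat -A CAPTIF -p tcp --dport 80 -m set ! --match-set "$GUEST_SET" src -j DNAT --to-destination "$PORTAL_IP"
else
  # The -m set rule cannot be loaded without the set; say so instead of
  # aborting the whole firewall for a chain that is not hooked up anyway.
  echo "warning: ipset $GUEST_SET does not exist, captive-portal DNAT rule skipped" >&2
fi
iptables -t nat -A CAPTIF -j RETURN

# --- IPv4 NAT -----------------------------------------------------------------
# NOTE(review): no `-o` is given, so this masquerades on every outgoing
# interface, not only the upstream one. Restricting it to `-o $UPSTREAM_IF`
# is the usual shape; left as-is because the intended topology is not visible here.
iptables -t nat -A POSTROUTING -j MASQUERADE

# --- Admin interface: never a forwarding target --------------------------------
ip6tables -A FORWARD -o "$ADM_IF" -j REJECT
iptables -A FORWARD -o "$ADM_IF" -j REJECT
# NOTE(review): the IPv4 FORWARD policy is never set by this script, so apart
# from the eth2 REJECT above, IPv4 forwarding is whatever the default policy is.

# --- IPv6 forwarding policy ---------------------------------------------------
# ICMPv6 must pass for IPv6 to work (e.g. Packet Too Big for PMTU discovery).
# `-p icmp` names IP protocol 1 (IPv4 ICMP); ICMPv6 is protocol 58, `ipv6-icmp`.
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# Traffic between the crans /56 and the VLAN 10 /64, in both directions.
ip6tables -A FORWARD -i "$UPSTREAM_IF" -s "$CRANS_NET6" -d "$VLAN10_NET6" -j ACCEPT
ip6tables -A FORWARD -i "$VLAN10_IF" -s "$VLAN10_NET6" -d "$CRANS_NET6" -j ACCEPT
# Clients may reach any IPv6 address upstream.
ip6tables -A FORWARD -i "$VLAN10_IF" -o "$UPSTREAM_IF" -j ACCEPT
# Everything arriving on the upstream side from odlyd is accepted.
# NOTE(review): there is no ESTABLISHED,RELATED rule in this chain. If odlyd is
# the upstream router, this MAC match is what lets replies to the outbound
# flows above back in (and it admits *every* packet routed in from it); if it
# is not, replies to those flows have no matching ACCEPT. A MAC match is also
# trivially spoofable, so treat it as a hint, not authentication.
ip6tables -A FORWARD -i "$UPSTREAM_IF" -m mac --mac-source "$ODLYD_MAC" -j ACCEPT
# Reject everything else (the DROP policy set above catches anything that
# somehow gets past this).
ip6tables -A FORWARD -j REJECT

# --- Enable routing, only now that the rules are in place ---------------------
echo 1 > "/proc/sys/net/ipv6/conf/$VLAN10_IF/forwarding"
echo 1 > "/proc/sys/net/ipv6/conf/$UPSTREAM_IF/forwarding"
echo 1 > "/proc/sys/net/ipv4/conf/$VLAN10_IF/forwarding"
echo 1 > "/proc/sys/net/ipv4/conf/$UPSTREAM_IF/forwarding"
# radvd complains unless the global IPv6 forwarding flag is set as well.
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# Start radvd (left disabled here, as in the original).
#/etc/init.d/radvd start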