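#!/bin/sh
#
# This is a template, edit for your needs
#
# This script is called with the following parameters:
#
#   To open a rule:        open  <ip> <mac>
#   To close a rule:       close <ip> <mac>
#   To reset the firewall: reset
#
# <ip> is in dotted decimal form (xxx.xxx.xxx.xxx)
# <mac> is on the form xx:xx:xx:xx:xx:xx
#
# This script should return zero on success, and not zero on failure.
#
# <ip> and <mac> are passed straight to iptables, so their form is checked
# before use and the script refuses to run with anything else. Every
# iptables command of an action is attempted even if an earlier one fails;
# the exit status is non-zero if any of them failed, if the arguments are
# missing or malformed, or if the action is unknown.

# Interface the client-facing rules are bound to.
readonly IFACE=eth1
readonly IPTABLES=/sbin/iptables
# Tag used for syslog messages (script name without its directory).
readonly LOG_TAG="${0##*/}"

# Set to 1 by run() whenever a command fails; becomes the exit status.
status=0

# Run a command, remembering a failure without skipping the remaining steps.
run() {
  "$@" || status=1
}

# Send one message to syslog with the script's tag.
log() {
  logger -i -p local6.info -t "$LOG_TAG" "$*"
}

# Print a usage line with an optional reason and exit with failure.
usage() {
  if [ $# -gt 0 ]; then
    printf '%s: %s\n' "$LOG_TAG" "$*" >&2
  fi
  printf 'Usage: %s open <ip> <mac> | close <ip> <mac> | reset\n' "$LOG_TAG" >&2
  exit 1
}

# Return 0 if $1 is an IPv4 address in dotted decimal form:
# exactly four octets, digits only, each in the range 0-255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  _rest=$1.
  _count=0
  while [ -n "$_rest" ]; do
    _octet=${_rest%%.*}
    _rest=${_rest#*.}
    # four or more digits can never be <= 255, and would overflow the test
    case "$_octet" in
      ????*) return 1 ;;
    esac
    [ "$_octet" -le 255 ] || return 1
    _count=$((_count + 1))
  done
  [ "$_count" -eq 4 ]
}

# Return 0 if $1 is a MAC address on the form xx:xx:xx:xx:xx:xx (hex digits,
# either case).
is_mac() {
  _hex='[0-9A-Fa-f][0-9A-Fa-f]'
  case "$1" in
    $_hex:$_hex:$_hex:$_hex:$_hex:$_hex) return 0 ;;
  esac
  return 1
}

# Allow traffic from <ip>/<mac> ($1/$2) through FORWARD and skip the
# captive-portal redirect for it in the nat table.
open_rule() {
  log "open $1 $2"
  run "$IPTABLES" -A FORWARD -s "$1" -m mac --mac-source "$2" -j ACCEPT
  run "$IPTABLES" -A FORWARD -d "$1" -j ACCEPT
  run "$IPTABLES" -t nat -I PREROUTING -i "$IFACE" -s "$1" -j RETURN
}

# Remove exactly the rules added by open_rule for <ip>/<mac> ($1/$2).
close_rule() {
  log "close $1 $2"
  run "$IPTABLES" -D FORWARD -s "$1" -m mac --mac-source "$2" -j ACCEPT
  run "$IPTABLES" -D FORWARD -d "$1" -j ACCEPT
  run "$IPTABLES" -t nat -D PREROUTING -i "$IFACE" -s "$1" -j RETURN
}

# Drop all forwarding by default, clear both tables and reinstall the
# HTTP/HTTPS redirect that sends unauthenticated clients to the portal.
reset_firewall() {
  log "reset"
  run "$IPTABLES" -P FORWARD DROP
  run "$IPTABLES" --flush
  run "$IPTABLES" --flush -t nat
  run "$IPTABLES" -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
    -j REDIRECT --to-port 80
  run "$IPTABLES" -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 443 \
    -j REDIRECT --to-port 443
}

main() {
  case "${1-}" in
    open|close)
      [ $# -eq 3 ] || usage "$1 needs <ip> <mac>"
      is_ipv4 "$2" || usage "invalid ip: $2"
      is_mac "$3" || usage "invalid mac: $3"
      if [ "$1" = open ]; then
        open_rule "$2" "$3"
      else
        close_rule "$2" "$3"
      fi
      ;;
    reset)
      reset_firewall
      ;;
    *)
      usage "unknown action: ${1-}"
      ;;
  esac
  exit "$status"
}

main "$@"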