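#!/bin/sh
# Firewall script, specific for OpenWrt:
#  - permits traffic from chilli clients (tun0) to the Internet
#  - restricts inter-interface traffic
#
# Interface names come from /tmp/network-config; the access policy comes
# from the "fon" config, section "access" (options hotspot_wan, lan_wan).
# The script is safe to re-run: every rule it owns in INPUT, FORWARD,
# forwarding_rule and nat/PREROUTING is removed before being re-added, so
# repeated hotplug invocations do not stack duplicate copies of the rules.

. /etc/functions.sh
. /tmp/network-config
config_load fon

WL="$wifi_ifname"
WAN="$wan_ifname"
LAN="$lan_ifname"

# Run iptables with its output discarded (used for "create chain if missing"
# and "delete if present").  Sending to /dev/null instead of closing the
# descriptors (>&- 2>&-) avoids making the child fail on a write to a closed fd.
ipt_quiet() {
	iptables "$@" >/dev/null 2>&1
}

# Insert a filter-table rule at the top of CHAIN exactly once.
# Usage: rule_once CHAIN RULE...
# Every identical copy of the rule is deleted first, so the chain holds a
# single instance regardless of how many times the script has run.  Callers
# that need a fixed relative order insert their rules in reverse.
rule_once() {
	local chain="$1"
	shift
	while ipt_quiet -D "$chain" "$@"; do :; done
	iptables -I "$chain" 1 "$@"
}

# NET_ACCESS holds what tunnel clients may reach; it is rebuilt from scratch.
ipt_quiet -N NET_ACCESS
iptables -F NET_ACCESS

# WAN_HOOK will contain rules to restrict traffic to the wan network.
# It is filled elsewhere, so it is created here but deliberately not flushed.
ipt_quiet -N WAN_HOOK

# ChilliSpot (tcp/3990)
iptables -A NET_ACCESS -p tcp --dport 3990 -j ACCEPT

# DNS is always allowed from the tunnel
iptables -A NET_ACCESS -p udp --dport 53 -j ACCEPT
iptables -A NET_ACCESS -p tcp --dport 53 -j ACCEPT

# Access control for the hotspot: unless hotspot->wan access is enabled,
# tunnel traffic is passed through the WAN_HOOK restrictions.
config_get wan access hotspot_wan
enabled "$wan" 0 || iptables -A NET_ACCESS -j WAN_HOOK

#config_get lan access hotspot_lan
#if enabled "$lan" 0; then
#	echo "hotspot_lan on"
#	iptables -t nat -A POSTROUTING -o "$LAN" -j MASQUERADE
#else
#	echo "hotspot_lan off"
#	iptables -A NET_ACCESS -o "$lan_ifname" -j DROP
#fi

# LAN->WAN forwarding goes through WAN_HOOK unless lan_wan is enabled
# (default: enabled).  Any stale copy is removed first so toggling the
# option takes effect on re-run; an empty interface name is never passed
# to iptables.
config_get wan access lan_wan
if [ -n "$LAN" ] && [ -n "$WAN" ]; then
	while ipt_quiet -D FORWARD -i "$LAN" -o "$WAN" -j WAN_HOOK; do :; done
	enabled "$wan" 1 || iptables -I FORWARD 1 -i "$LAN" -o "$WAN" -j WAN_HOOK
fi

# allow regular wan traffic
[ -z "$WAN" ] || {
	iptables -A NET_ACCESS -o "$WAN" -j ACCEPT
	iptables -A NET_ACCESS -i "$WAN" -j ACCEPT
}

# same guard for the lan side: an empty name must not reach iptables as -i ''
[ -z "$LAN" ] || {
	iptables -A NET_ACCESS -o "$LAN" -j ACCEPT
	iptables -A NET_ACCESS -i "$LAN" -j ACCEPT
}

# drop everything that we haven't explicitly allowed
iptables -A NET_ACCESS -j DROP

# -- INPUT PART --
# Rules are inserted in reverse so the final top-of-chain order is:
#   1. tun0 tcp/80 -> DROP   (tunnel clients never reach the router's own web port)
#   2. lan          -> INPUT_CFG
#   3. tun0         -> NET_ACCESS
ipt_quiet -N INPUT_CFG
ipt_quiet -F INPUT_CFG
rule_once INPUT -i tun0 -j NET_ACCESS
[ -z "$LAN" ] || rule_once INPUT -i "$LAN" -j INPUT_CFG
rule_once INPUT -i tun0 -p tcp --dport 80 -j DROP

# -- FORWARD PART --
# Reverse insertion again; final order: lan in, lan out, tun0 in, tun0 out.
rule_once forwarding_rule -o tun0 -j NET_ACCESS
rule_once forwarding_rule -i tun0 -j NET_ACCESS
[ -z "$LAN" ] || {
	rule_once forwarding_rule -o "$LAN" -j INPUT_CFG
	rule_once forwarding_rule -i "$LAN" -j INPUT_CFG
}

# Drop all unmanaged traffic from the public interface (re-run safe).
if [ -n "$WL" ]; then
	while ipt_quiet -t nat -D PREROUTING -i "$WL" -j DROP; do :; done
	iptables -t nat -A PREROUTING -i "$WL" -j DROP
fi

# Re-run the stock wan firewall hotplug handler on top of the rules above.
ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/20-firewall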