#!/bin/sh -e

# Ensure that the ipsets to be referenced later exist
corridor-load-ipset-relays --init
corridor-load-ipset-logged --init

iptables -w -N CORRIDOR_FILTER
iptables -w -A CORRIDOR_FILTER -m conntrack --ctstate ESTABLISHED,RELATED       -j RETURN
iptables -w -A CORRIDOR_FILTER -m set       --match-set corridor_relays dst,dst -j RETURN
# Unfortunately, logging always includes MAC addresses.
# --log-macdecode just tells the kernel to use a nicer format.
iptables -w -A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG \
               --log-level warning --log-prefix "corridor: reject " --log-macdecode
iptables -w -A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited
iptables -w -I FORWARD -j CORRIDOR_FILTER

# Enable IPv4 forwarding in general
sysctl net.ipv4.ip_forward=1

# Disable IPv6 forwarding if the kernel supports IPv6
if test -e /proc/sys/net/ipv6/conf/all/forwarding; then
	sysctl net.ipv6.conf.all.forwarding=0
fi
