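#!/bin/bash
# NAT gateway setup: masquerade traffic arriving on the tuntap ($INTIF) out
# through the Internet-facing NIC ($EXTIF). IPv6 is reset to a default-deny
# FORWARD policy with a LOG rule and is never forwarded.
#
# Must run as root. Interface names are hard-coded below; adjust EXTIF/INTIF
# to match the host before running.
IPTABLES=iptables
IPTABLES6=ip6tables

# Abort with a message on stderr. The ip_forward check below calls this;
# the original script never defined it, so that check could not fail the run.
fail() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

set -x

# Logging backends: ipt_LOG/ip6t_LOG are the older module names,
# nf_log_ipv4/nf_log_ipv6 the newer ones. One set may be absent on a given
# kernel, so a failed modprobe is deliberately not treated as fatal.
modprobe ipt_LOG   # old?
modprobe ip6t_LOG  # old?
modprobe nf_log_ipv4
modprobe nf_log_ipv6
sysctl net.netfilter.nf_log.2=nf_log_ipv4
sysctl net.netfilter.nf_log.10=nf_log_ipv6

echo 1 > /proc/sys/net/ipv4/ip_forward || fail "Can not set IP forwarding"

echo " Clearing any existing rules and setting default policy.."
# Policy is set to DROP before the FORWARD chain is flushed, so there is no
# window in which an empty chain with an ACCEPT policy forwards traffic.
$IPTABLES -P INPUT ACCEPT   ; $IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT  ; $IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP   ; $IPTABLES -F FORWARD
$IPTABLES -t nat -F         ; $IPTABLES -t raw -F
$IPTABLES6 -P INPUT ACCEPT  ; $IPTABLES6 -F INPUT
$IPTABLES6 -P OUTPUT ACCEPT ; $IPTABLES6 -F OUTPUT
$IPTABLES6 -P FORWARD DROP  ; $IPTABLES6 -F FORWARD
$IPTABLES6 -t nat -F        ; $IPTABLES6 -t raw -F

EXTIF="ens3"    # my NIC that connects into Gateway to Internet
INTIF="galaxy1" # the tuntap - my NIC that connects into the Client(s) that want to NAT through me

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
# IPv6: nothing is forwarded (policy DROP); log what would have been.
$IPTABLES6 -A FORWARD -j LOG
# Masquerade everything that leaves via the external NIC.
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE # ***
$IPTABLES -A INPUT  -i "$INTIF" -j ACCEPT
$IPTABLES -A OUTPUT -o "$INTIF" -j ACCEPT
# Forward only the intended path. An unconditional "FORWARD -j ACCEPT"
# cancels the DROP policy set above: with ip_forward=1 and MASQUERADE on
# $EXTIF, any host able to route packets through this box on any interface
# could use it as an open relay / NAT hop.
# Client-originated traffic: tuntap -> Internet.
$IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
# Return traffic: Internet -> tuntap, only for flows conntrack already knows.
$IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT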