#!/bin/sh

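# Source definition files.
# Note: "." executes these files as shell code with this script's privileges,
# so they should be writable only by trusted (root) accounts.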
. /app/config/network_wan.ini
. /app/config/network_lan.ini
. /app/scripts/eipr_type

# Choose the LAN-side interface name.
# REALTEK units use eth0.1; every other EIPR_TYPE value (including unset)
# uses plain eth0.
case "$EIPR_TYPE" in
	REALTEK)
		LANIF=eth0.1
		;;
	*)
		LANIF=eth0
		;;
esac

# When the unit is a VPN server the LAN side is the bridge, which overrides
# the choice made above.
case "$EIPR_VPN:$VPN_MODE" in
	YES:SERVER)
		LANIF=br0
		;;
esac

# Choose the WAN-side interface name from the WAN connection type.
# PPP and cellular links use ppp0; any other BOOTPROTO_WAN value falls back
# to the Ethernet WAN port, whose name depends on EIPR_TYPE.
case "$BOOTPROTO_WAN" in
	ppp|cellular)
		WANIF=ppp0
		;;
	*)
		case "$EIPR_TYPE" in
			REALTEK)
				WANIF=eth0.2
				;;
			*)
				WANIF=eth1
				;;
		esac
		;;
esac

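# Rebuild the iptables rules unless the firewall is explicitly disabled
# (EIPR_FW=NO; any other value, including unset, enables this block).
#
# Every rule added below is an ACCEPT (plus one optional MASQUERADE). Nothing
# in this block sets chain policies or adds DROP/REJECT rules, so what is
# actually blocked depends on policies and rules configured elsewhere.
# NOTE(review): confirm the default INPUT/FORWARD policies are DROP before
# relying on this script as the WAN-side filter.
#
# Rules are added with -I (insert at the top), so each chain ends up in the
# reverse of the order written here. All of them are ACCEPT rules, so the
# order among them does not affect the outcome.
if [ "$EIPR_FW" != "NO" ]; then

# Flush iptables
#
# Removes the rules in all chains of the filter and nat tables. Chain policies
# are not reset, user-defined chains are not deleted, and other tables
# (e.g. mangle) are not touched. Until the rules below are in place, traffic
# is handled by the chain policies alone.
iptables -F
iptables -F -t nat

# Drop current connections
# Clearing the connection-tracking table means existing flows no longer match
# the ESTABLISHED,RELATED rules below until they are tracked again.
# NOTE(review): verify that the installed conntrack tool accepts "-t nat";
# no errexit is set in this file, so a rejected option would only print an
# error and the script would carry on.
conntrack -F
conntrack -F -t nat

#
# Allow access to and from loopback interface
#
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

#
# Set other common policies for chains
#
# Packets belonging to, or related to, an already-tracked connection are
# accepted in all three filter chains. Which NEW connections may be opened is
# decided by the remaining rules and by the chain policy.
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Set policy for internal interface
#
# The LAN side is fully trusted: every packet arriving on $LANIF and addressed
# to the router itself is accepted, whatever the port or protocol. The FORWARD
# rule is the only one in this block that accepts NEW forwarded connections,
# and it does so only for traffic entering from the LAN.
# $LANIF is quoted so the interface name is always passed as a single argument.
iptables -I INPUT -i "$LANIF" -j ACCEPT ## allow ALL inbound traffic on LAN side
iptables -I FORWARD -i "$LANIF" -m state --state NEW -j ACCEPT

#
# Allow Pings from the router
#
# ACCEPT in nat/POSTROUTING stops further NAT rule processing for packets
# leaving via loopback, so they are never rewritten by a later NAT rule.
iptables -t nat -A POSTROUTING -o lo -j ACCEPT ##router pings itself

# The two rules below are disabled.
# NOTE(review): the eth0/eth1 labels in their trailing comments look swapped
# relative to the non-REALTEK mapping set earlier in this file (LANIF=eth0,
# WANIF=eth1) - confirm before re-enabling.
#iptables -t nat -A POSTROUTING -p icmp -o $WANIF -j ACCEPT ## router pings
                                                         ## devices on eth0
#iptables -t nat -A POSTROUTING -p icmp -o $LANIF -j ACCEPT ## router pings
                                                         ## devices on eth1

# Optional source NAT: when VPN_MASQ=YES, everything leaving via eth0 is
# masqueraded behind that interface's address.
# NOTE(review): eth0 is hard-coded instead of using $LANIF or $WANIF. On
# REALTEK units the interfaces are eth0.1/eth0.2, and in VPN server mode the
# LAN is br0, so confirm this rule matches the intended egress interface on
# every hardware variant.
if [ "$VPN_MASQ" = "YES" ]; then
	iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
fi

fi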
