From 705baead271b188b7c71ea9d470031e1628a8778 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Fri, 5 Jan 2024 10:15:44 -0500
Subject: [PATCH] Configure forwarding for birch

---
 tools/reproiner-config.sh | 52 +++++++++++++++++++++++++++++++++++----
 1 file changed, 47 insertions(+), 5 deletions(-)

diff --git a/tools/reproiner-config.sh b/tools/reproiner-config.sh
index d584b9e..6938707 100755
--- a/tools/reproiner-config.sh
+++ b/tools/reproiner-config.sh
@@ -12,6 +12,11 @@
 #
 set -eu
 
+# default network interface
+net_if=$(ip route | awk '/^default/{print $5}')
+# configured usb dongle network
+birch_if=enx8cae4cdd98c0
+
 # helper tools installed
 apt install -y net-tools ncdu
 # tools which will be used by our tools
@@ -28,8 +33,6 @@ fi
 #
 # Connecting to Birch. It needs us to provide it with dhcp server.
 #
-# configured usb dongle network
-birchif=enx8cae4cdd98c0
 # Installed/configured DHCP server for birch to get an address
 apt install -y isc-dhcp-server
 
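Review bot: `net_if=$(ip route | awk '/^default/{print $5}')` in the first hunk is never validated, yet it is interpolated into the iptables rules this patch writes later; with no default route it is empty and with several default routes it holds more than one line, and either way iptables-restore rejects the generated rules.v4, so the host ends up without the INPUT restrictions the rules are meant to establish. The script runs under `set -eu` without `pipefail`, so a failing `ip route` is also masked by awk exiting 0. I would take only the first match and fail early: `net_if=$(ip route | awk '/^default/{print $5; exit}')` followed by `: "${net_if:?could not determine default network interface}"`. The second hunk on this line only moves the renamed `birch_if` assignment and needs no change.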
@@ -61,12 +64,51 @@ EOF
   service isc-dhcp-server restart
 fi
-if ! grep "$birchif" /etc/default/isc-dhcp-server; then
-  sed -i -e "s,INTERFACESv4=.*,INTERFACESv4=\"$birchif\",g" /etc/default/isc-dhcp-server
+if ! grep "$birch_if" /etc/default/isc-dhcp-server; then
+  sed -i -e "s,INTERFACESv4=.*,INTERFACESv4=\"$birch_if\",g" /etc/default/isc-dhcp-server
   service isc-dhcp-server restart
 fi
-
+# simple way to define custom firewall so we could setup masquarading for birch
+apt install -y iptables-persistent
+c=/etc/iptables/rules.v4
+
+if ! grep -q "NAT for birch" "$c"; then
+
+  cat >| "$c" << EOF
+# Created following a basic tutorial
+# https://gridscale.io/en/community/tutorials/debian-router-gateway/
+# to establish NAT for birch
+
+*nat
+-A POSTROUTING -o $net_if -j MASQUERADE
+COMMIT
+
+*filter
+-A INPUT -i lo -j ACCEPT
+# allow ssh, so that we do not lock ourselves
+-A INPUT -i $net_if -p tcp -m tcp --dport 22 -j ACCEPT
+# allow ntp
+-A INPUT -i $net_if -p udp -m udp --dport 123 -j ACCEPT
+
+# allow incoming traffic to the outgoing connections,
+# et al for clients from the private network
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# prohibit everything else incoming
+-A INPUT -i $net_if -j DROP
+
+COMMIT
+EOF
+
+  service iptables restart
+fi
+
+c=/etc/sysctl.conf
+if [ "$(sysctl net.ipv4.ip_forward)" == "net.ipv4.ip_forward = 0" ]; then
+  echo "net.ipv4.ip_forward=1" >> "$c"
+  sysctl -p
+  test "$(sysctl net.ipv4.ip_forward)" = "net.ipv4.ip_forward = 1"
+fi
 # ntp server
 apt install -y ntpsec
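Review bot: The `*filter` section written to rules.v4 never touches the FORWARD chain, so once ip_forward is switched on a few lines below, the default ACCEPT policy forwards packets between `$net_if` and `$birch_if` in both directions; since `birch_if` is defined in this same patch, the heredoc can state the intent explicitly with `-A FORWARD -i $birch_if -o $net_if -j ACCEPT`, `-A FORWARD -i $net_if -o $birch_if -m state --state RELATED,ESTABLISHED -j ACCEPT` and `-A FORWARD -j DROP` before the second `COMMIT`. `cat >| "$c"` replaces the whole of any pre-existing rules.v4 whenever the marker comment is missing, so rules put there by anything else on the host are silently discarded rather than merged. On Debian and Ubuntu the iptables-persistent package registers the `netfilter-persistent` service rather than an `iptables` one, so `service iptables restart` will probably fail there and, under `set -eu`, abort the script after the rules file has already been written; `service netfilter-persistent reload` is the matching call. The ip_forward block mixes `==` inside `[ ]` with `=` in `test` three lines later; `=` is the portable form for both. The `service isc-dhcp-server restart` context at the top of the hunk belongs to an `if` that opens outside it.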