#!/bin/sh
# Version: 0:2021.12.23

# Keeps one MASQUERADE rule in the nat POSTROUTING chain per public source
# address used by the durruter-nat rules; this *can* be needed to DNAT from WAN to WAN.
# Development at projectes_publics/ctctl/ovh-vps/update-masquerade

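# Refuse to run unprivileged: everything below (copying into
# /etc/network/if-up.d, editing the nat table) needs root.
# The substitution is quoted so an empty/odd `id -u` result cannot
# turn into a malformed test instead of a clean failure.
if [ "$(id -u)" -ne 0 ] ; then
	printf '%s\n' "E: Superuser permissions required (root)" 1>&2
	exit 1
fi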

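# "install": copy this script into ifupdown's hook directory so it runs
# (as root) every time an interface comes up. The three steps are chained
# with && so a failed cp or chown is reported through the exit status
# instead of being masked by chmod's status, and we bail out early when
# $0 is not a regular file (e.g. the script was fed to sh on stdin).
# Mode u=wrx,g=rx,o=r keeps the hook readable but only root-executable.
if [ "$1" = "install" ] ; then
	Target=/etc/network/if-up.d/update-masquerade
	if [ ! -f "$0" ] ; then
		printf '%s\n' "E: Cannot locate this script to install it (\$0 is '$0')" 1>&2
		exit 1
	fi
	cp -- "$0" "$Target" \
		&& chown root:root "$Target" \
		&& chmod u=wrx,g=rx,o=r "$Target"
	exit $?
fi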

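# Drops rule lines (stdin) that mention a private / non-routable address.
# Covers RFC 1918 (10/8, 172.16/12, 192.168/16), CGNAT 100.64/10 and
# link-local 169.254/16 in full; the previous patterns only caught
# 172.16.x.x and 100.64.x.x, so 172.17-172.31 and 100.65-100.127 leaked
# through. Matching is on the whole line, as before, so a rule is
# skipped if ANY of its addresses is private.
filter_public_rules() {
	grep -E -v \
		-e ' 10\.' \
		-e ' 172\.(1[6-9]|2[0-9]|3[01])\.' \
		-e ' 192\.168\.' \
		-e ' 100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.' \
		-e ' 169\.254\.'
}

# Dump the nat table once: MASQUERADE only lives there, and reading the
# ruleset a single time avoids racing against concurrent changes between
# the "what exists" and "what to remove" passes. An empty dump (e.g.
# iptables-legacy-save missing) simply leads to the "no action" branch.
NatTable="$(iptables-legacy-save -t nat)"

# Public source addresses of the durruter-nat POSTROUTING rules, one
# address/CIDR per line. Rules without a '-s' match are skipped so the
# sed/cut extraction never yields a bogus token such as "-A".
NatsFor="$(printf '%s\n' "$NatTable" \
	| grep -e durruter-nat \
	| grep -e '^-A POSTROUTING ' \
	| grep -e ' -s ' \
	| filter_public_rules \
	| sed -e 's|.* -s ||' \
	| cut -f 1 -d ' ' \
	| sort -u)"

if [ -z "$NatsFor" ] ; then
	printf '%s\n' "W: No NAT sources detected from Internet." 1>&2
	printf '%s\n' "   No action taken." 1>&2
else
	# Only delete rules of the exact shape this script creates
	# ("-A POSTROUTING -d X -j MASQUERADE"). The old filter matched any
	# POSTROUTING MASQUERADE rule without a private address, which also
	# caught an address-less catch-all such as "-o eth0 -j MASQUERADE"
	# and would have removed the host's regular egress NAT.
	PreviousMasquerades="$(printf '%s\n' "$NatTable" \
		| grep -e '^-A POSTROUTING -d [^ ]* -j MASQUERADE$' \
		| filter_public_rules)"
	RemovalsNr=0
	# Read line by line from a here-doc (runs in this shell, so the
	# counter survives); the empty line from an empty variable is skipped.
	while IFS= read -r CurMasquerade ; do
		[ -n "$CurMasquerade" ] || continue
		# Address is the token after "-d " (the filter guarantees there is one).
		CurMasqueradeFor="${CurMasquerade#* -d }"
		CurMasqueradeFor="${CurMasqueradeFor%% *}"
		printf '%s\n' "Removing masquerade rule for NAT source: $CurMasqueradeFor"
		# Rebuild the -D command from the parsed fields instead of word-splitting
		# the saved rule text; only successful removals are counted.
		if iptables-legacy -t nat -D POSTROUTING -d "$CurMasqueradeFor" -j MASQUERADE ; then
			RemovalsNr=$((RemovalsNr + 1))
		else
			printf '%s\n' "W: Failed to remove masquerade rule for NAT source: $CurMasqueradeFor" 1>&2
		fi
	done <<-EOF
	$PreviousMasquerades
	EOF
	if [ "$RemovalsNr" -eq 0 ] ; then
		printf '%s\n' "I: No masquerade rules removed for previous NAT sources."
	fi

	AddsNr=0
	while IFS= read -r CurNatFor ; do
		[ -n "$CurNatFor" ] || continue
		printf '%s\n' "Adding masquerade rule for NAT source: $CurNatFor"
		# A failed insert is reported instead of silently counted as added.
		if iptables-legacy -t nat -A POSTROUTING -d "$CurNatFor" -j MASQUERADE ; then
			AddsNr=$((AddsNr + 1))
		else
			printf '%s\n' "W: Failed to add masquerade rule for NAT source: $CurNatFor" 1>&2
		fi
	done <<-EOF
	$NatsFor
	EOF
	if [ "$AddsNr" -eq 0 ] ; then
		printf '%s\n' "W: No masquerade rules added for NAT sources." 1>&2
	fi
fi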

