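## Starting
---

As with every shell script that we intend to run using Bash:

```bash
#!/bin/bash
# Abort on the first failed iptables/sysctl call instead of silently
# continuing with a half-applied rule set.
set -euo pipefail
```

Both `iptables` and `sysctl` need root, so `forward.sh` checks for it before touching anything:

```bash
(( EUID == 0 )) || { printf 'forward.sh: must be run as root\n' >&2; exit 1; }
```

## reset_iptables ()
---

A function used to reset the state of iptables so that we are guaranteed no rules that have gone unaccounted for:

```bash
#######################################
# Flush and delete every rule and user chain in the filter, nat, mangle,
# raw and security tables, then set the built-in policies to ACCEPT.
# Arguments: none
#######################################
reset_iptables () {
  local table
  iptables -F
  iptables -X
  for table in nat mangle raw security; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  # Open policies: after this call the host accepts and forwards everything.
  # forward_port relies on the ACCEPT policy on FORWARD, as it adds no
  # FORWARD rule of its own.
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}
```

!!! warning "Potential Security Risk"
    The above function when called will remove any existing iptables rules in place, and it leaves the `INPUT`, `FORWARD` and `OUTPUT` policies at `ACCEPT`, so nothing is filtered until rules are added again.

### Example
---

The call to the function is pretty straightforward. Calling it clears any rules defined in iptables.

```bash
reset_iptables;
```

## forward_internet ()
---

A function used to forward requests from clients whose gateway is defined as this router's IP address to this machine's own Internet connection interface:

```bash
#######################################
# Masquerade traffic from a client network out of the Internet-facing
# interface and accept that network on INPUT and FORWARD.
# This function does not enable IP forwarding; forward_port (or a manual
# sysctl) has to do that before any packet is actually routed.
# Arguments:
#   $1 - client network in CIDR notation, e.g. 192.168.1.0/24
#   $2 - Internet-facing interface, e.g. wlan0
# Returns: non-zero (fatal under set -e) when an argument is missing
#######################################
forward_internet () {
  local client_net=${1:?forward_internet: client network (CIDR) required}
  local inet_iface=${2:?forward_internet: Internet interface required}
  iptables -t nat -A POSTROUTING -o "$inet_iface" -j MASQUERADE
  iptables -I FORWARD -o "$inet_iface" -s "$client_net" -j ACCEPT
  iptables -I INPUT -s "$client_net" -j ACCEPT
}
```

### Examples
---

To act as a gateway to the Internet for other devices on the network sending packets from `192.168.1.x`:

```bash
forward_internet 192.168.1.0/24 wlan0;
```

## forward_port ()
---

A function used to forward incoming connections from an outside interface and port to an inside address & port destination and establish a path back for the response:

```bash
#######################################
# DNAT TCP connections arriving on OUTSIDE_INTERFACE:OUTSIDE_PORT to
# INSIDE_ADDRESS:INSIDE_PORT and masquerade them towards the inside host.
# Also turns on IPv4 and IPv6 forwarding (runtime only, not persisted).
# Caveats:
#   - TCP only; a UDP service needs its own rule.
#   - Only IPv4 rules are written, although IPv6 forwarding is enabled too;
#     there is no matching ip6tables policy.
#   - The POSTROUTING MASQUERADE rewrites the source of every forwarded
#     connection to the router's address, so the inside host's own logs
#     show the router rather than the original client.
#   - No FORWARD rule is added; the traffic passes only because
#     reset_iptables leaves the FORWARD policy at ACCEPT.
# Arguments:
#   $1 - outside interface      $2 - outside TCP port
#   $3 - inside IPv4 address    $4 - inside TCP port
# Outputs: one line "iface:port -> addr:port" on stdout
# Returns: non-zero (fatal under set -e) when an argument is missing
#######################################
forward_port () {
  local outside_iface=${1:?forward_port: outside interface required}
  local outside_port=${2:?forward_port: outside port required}
  local inside_addr=${3:?forward_port: inside address required}
  local inside_port=${4:?forward_port: inside port required}
  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null
  sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
  iptables -t nat -A PREROUTING -p tcp -i "$outside_iface" --dport "$outside_port" \
    -j DNAT --to-destination "$inside_addr:$inside_port"
  iptables -t nat -A POSTROUTING -p tcp -d "$inside_addr" --dport "$inside_port" \
    -j MASQUERADE
  printf '%s:%s -> %s:%s\n' "$outside_iface" "$outside_port" "$inside_addr" "$inside_port"
}
```

## Usage
---

Note that this example masquerades `10.44.7.0/24`, whereas `forward.sh` below masquerades `192.168.1.0/24`; the inside hosts that receive forwarded ports are all in `10.44.7.0/24`.

```bash
reset_iptables;
forward_internet 10.44.7.0/24 wlan0;
forward_port tun0 8006 10.44.7.159 8006;
forward_port tun0 8007 10.44.7.157 8006;
forward_port tun0 7860 10.44.7.103 7860;
forward_port tun0 7861 10.44.7.100 7861;
forward_port tun0 7862 10.44.7.100 7862;
forward_port tun0 22001 10.44.7.111 22;
forward_port tun0 22002 10.44.7.100 22;
forward_port tun0 22003 10.44.7.105 22;
forward_port tun0 80 10.44.7.111 80;
forward_port tun0 443 10.44.7.111 443;
forward_port tun0 35566 10.44.7.112 35566;
forward_port wlan0 8006 10.44.7.159 8006;
forward_port wlan0 8007 10.44.7.157 8006;
forward_port tun0 8033 10.44.7.114 80;
forward_port tun0 25 10.44.7.102 25;
forward_port tun0 587 10.44.7.102 587;
forward_port tun0 465 10.44.7.102 465;
```

## forward.sh
---

``` bash title="forward.sh"
#!/bin/bash
# forward.sh -- reset iptables, masquerade one client network out of the
# Internet-facing interface, and DNAT selected TCP ports from an outside
# interface to inside hosts. Must run as root.
set -euo pipefail

#######################################
# Flush and delete every rule and user chain in the filter, nat, mangle,
# raw and security tables, then set the built-in policies to ACCEPT.
# Arguments: none
#######################################
reset_iptables () {
  local table
  iptables -F
  iptables -X
  for table in nat mangle raw security; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  # Open policies: after this call the host accepts and forwards everything.
  # forward_port relies on the ACCEPT policy on FORWARD, as it adds no
  # FORWARD rule of its own.
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}

#######################################
# Masquerade traffic from a client network out of the Internet-facing
# interface and accept that network on INPUT and FORWARD.
# This function does not enable IP forwarding; forward_port (or a manual
# sysctl) has to do that before any packet is actually routed.
# Arguments:
#   $1 - client network in CIDR notation, e.g. 192.168.1.0/24
#   $2 - Internet-facing interface, e.g. wlan0
# Returns: non-zero (fatal under set -e) when an argument is missing
#######################################
forward_internet () {
  local client_net=${1:?forward_internet: client network (CIDR) required}
  local inet_iface=${2:?forward_internet: Internet interface required}
  iptables -t nat -A POSTROUTING -o "$inet_iface" -j MASQUERADE
  iptables -I FORWARD -o "$inet_iface" -s "$client_net" -j ACCEPT
  iptables -I INPUT -s "$client_net" -j ACCEPT
}

#######################################
# DNAT TCP connections arriving on OUTSIDE_INTERFACE:OUTSIDE_PORT to
# INSIDE_ADDRESS:INSIDE_PORT and masquerade them towards the inside host.
# Also turns on IPv4 and IPv6 forwarding (runtime only, not persisted).
# Caveats:
#   - TCP only; a UDP service needs its own rule.
#   - Only IPv4 rules are written, although IPv6 forwarding is enabled too;
#     there is no matching ip6tables policy.
#   - The POSTROUTING MASQUERADE rewrites the source of every forwarded
#     connection to the router's address, so the inside host's own logs
#     show the router rather than the original client.
#   - No FORWARD rule is added; the traffic passes only because
#     reset_iptables leaves the FORWARD policy at ACCEPT.
# Arguments:
#   $1 - outside interface      $2 - outside TCP port
#   $3 - inside IPv4 address    $4 - inside TCP port
# Outputs: one line "iface:port -> addr:port" on stdout
# Returns: non-zero (fatal under set -e) when an argument is missing
#######################################
forward_port () {
  local outside_iface=${1:?forward_port: outside interface required}
  local outside_port=${2:?forward_port: outside port required}
  local inside_addr=${3:?forward_port: inside address required}
  local inside_port=${4:?forward_port: inside port required}
  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null
  sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
  iptables -t nat -A PREROUTING -p tcp -i "$outside_iface" --dport "$outside_port" \
    -j DNAT --to-destination "$inside_addr:$inside_port"
  iptables -t nat -A POSTROUTING -p tcp -d "$inside_addr" --dport "$inside_port" \
    -j MASQUERADE
  printf '%s:%s -> %s:%s\n' "$outside_iface" "$outside_port" "$inside_addr" "$inside_port"
}

# iptables and sysctl both need root; fail early with a clear message.
(( EUID == 0 )) || { printf 'forward.sh: must be run as root\n' >&2; exit 1; }

reset_iptables;
forward_internet 192.168.1.0/24 wlan0;
forward_port tun0 8006 10.44.7.159 8006;
forward_port tun0 8007 10.44.7.157 8006;
forward_port tun0 7860 10.44.7.103 7860;
forward_port tun0 7861 10.44.7.100 7861;
forward_port tun0 7862 10.44.7.100 7862;
forward_port tun0 22001 10.44.7.111 22;
forward_port tun0 22002 10.44.7.100 22;
forward_port tun0 22003 10.44.7.105 22;
forward_port tun0 80 10.44.7.111 80;
forward_port tun0 443 10.44.7.111 443;
forward_port tun0 35566 10.44.7.112 35566;
forward_port wlan0 8006 10.44.7.159 8006;
forward_port wlan0 8007 10.44.7.157 8006;
forward_port tun0 8033 10.44.7.114 80;
forward_port tun0 25 10.44.7.102 25;
forward_port tun0 587 10.44.7.102 587;
forward_port tun0 465 10.44.7.102 465;
```

Devices on the `192.168.1.x` network can use this router as their gateway and connect to the Internet:

```bash
forward_internet 192.168.1.0/24 wlan0;
```

Requests made to this router on interface `tun0` for port `8006` will be forwarded to `10.44.7.159:8006`:

```bash
forward_port tun0 8006 10.44.7.159 8006;
```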