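#!/bin/bash
# iptables NAT/firewall setup for a two-interface gateway.
# Required configuration: the interface names and LAN prefix exported below.
#
# Abort on the first failed command (an iptables call, the sysctl write) so
# the host is never left with a half-applied ruleset; -u turns a mistyped
# variable name into an error instead of an empty expansion.
set -euo pipefail

# Interface facing the Internet: receives the MASQUERADE, DNAT and DROP rules.
export IF_INET="enp1s0"
# Interface facing the LAN.  Exported but not referenced by the rules below.
export IF_LAN="enp3s0"
# LAN prefix and mask length.  Exported but not referenced by the rules below.
export IP_LAN=192.168.99.0
export IP_LAN_BITS=24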

# To restart the network:
# 
# systemctl restart networking.service

##############################################################################
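#######################################
# DNAT one inbound TCP port on $IF_INET to a LAN host:port and accept the
# forwarded traffic in the FORWARD chain.
# Globals:   IF_INET (read)
# Arguments: $1 - port on the Internet-facing interface
#            $2 - destination IP address
#            $3 - destination port
# Outputs:   none (aborts via ${n:?} with a message on stderr if an
#            argument is missing or empty)
# Returns:   exit status of the last iptables call
#######################################
ip_forward() {
  # Locals: the original left these as globals, which also clobbered the
  # DEST_PORT used by ip_block_incoming.
  local inet_port=${1:?ip_forward: missing inbound port}
  local dest_ip=${2:?ip_forward: missing destination IP}
  local dest_port=${3:?ip_forward: missing destination port}

  # Rewrite the destination before routing so the packet is forwarded to
  # the LAN host rather than delivered locally.
  iptables -A PREROUTING -t nat \
    -i "$IF_INET" -p tcp \
    --dport "$inet_port" -j DNAT \
    --to-destination "$dest_ip":"$dest_port"
  # NOTE(review): this ACCEPT is not bound to -i "$IF_INET", so it admits a
  # forwarded packet to dest_ip:dest_port from any ingress interface --
  # confirm that is intended.
  iptables -A FORWARD -p tcp \
    -d "$dest_ip" \
    --dport "$dest_port" -j ACCEPT
}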

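#######################################
# Drop inbound TCP and UDP on $IF_INET for one port or a port range.
# Globals:   IF_INET (read)
# Arguments: $1 - destination port (e.g. 22, 80) or range (e.g. 20:200)
# Outputs:   none (aborts via ${1:?} with a message on stderr if the
#            argument is missing or empty)
# Returns:   exit status of the last iptables call
#######################################
ip_block_incoming() {
  local dest_port=${1:?ip_block_incoming: missing port or port range}
  # Quoted: the original expanded $DEST_PORT unquoted, so whitespace in the
  # argument would have been split into extra iptables options.
  iptables -A INPUT -i "$IF_INET" -p tcp \
    --destination-port "$dest_port" -j DROP
  iptables -A INPUT -i "$IF_INET" -p udp \
    --destination-port "$dest_port" -j DROP
}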

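#######################################
# Drop inbound UDP on $IF_INET for one port or a port range.
# Globals:   IF_INET (read)
# Arguments: $1 - destination port (e.g. 22, 80) or range (e.g. 20:200)
# Outputs:   none (aborts via ${1:?} with a message on stderr if the
#            argument is missing or empty)
# Returns:   exit status of the iptables call
#######################################
ip_block_incoming_udp() {
  local dest_port=${1:?ip_block_incoming_udp: missing port or port range}
  # Quoted: the original expanded $DEST_PORT unquoted, so whitespace in the
  # argument would have been split into extra iptables options.
  iptables -A INPUT -i "$IF_INET" -p udp \
    --destination-port "$dest_port" -j DROP
}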

##############################################################################
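# Reset the filter, nat and mangle tables before rebuilding the ruleset.
# -F only removes rules: it neither resets chain policies nor deletes
# user-defined chains (that would need -X), so whatever policy was in
# place before this script ran still applies afterwards.
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Masquerade everything leaving through the Internet-facing interface.
# $IF_INET is quoted (the original left it bare) so word-splitting cannot
# alter the rule.
iptables -t nat -A POSTROUTING -o "$IF_INET" -j MASQUERADE
# Enable IPv4 routing between interfaces; without it the DNAT/FORWARD
# rules below have no effect.
echo 1 > /proc/sys/net/ipv4/ip_forward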

##############################################################################
# Drop unsolicited inbound traffic on the Internet-facing interface.

# All UDP in the privileged port range.
ip_block_incoming_udp 1:1024

# TCP in the privileged range, leaving 80, 99 and 443 reachable.  The
# ranges are applied in this order; the UDP rules ip_block_incoming adds
# alongside are already covered by the 1:1024 rule above.
for port_range in 1:79 81:98 100:442 444:1024; do
  ip_block_incoming "$port_range"
done
# ...

##############################################################################
# Port forwards: inbound TCP port on $IF_INET -> LAN address:port.
# Per the original notes both targets are addresses on this host
# (port 80 -> 192.168.99.99:80, port 99 -> 192.168.99.98:10).
while read -r inet_port dest_ip dest_port; do
  ip_forward "$inet_port" "$dest_ip" "$dest_port"
done <<'EOF'
80 192.168.99.99 80
99 192.168.99.98 10
EOF
