better gw script

gw.sh

@@ -8,7 +8,7 @@ sumary="$0 [options]"
 usage[l]="Locale iface"
 varia[l]=local_iface
 
-usage[w]="wan iface (must be already configured)"
+usage[w]="wan iface (must be already configured. If you want the local net to have internet access, you need to put your gw here)"
 varia[w]=wan_iface
 wan_iface=
 
@@ -48,32 +48,46 @@ fi
 
 root_or_die
 
-run nmcli device set "$local_iface" managed no
+run    nmcli device set $local_iface managed no
-clean "nmcli device set "$local_iface" managed yes"
+clean "nmcli device set $local_iface managed yes"
 
-run ip a add "$net.$host_ip/$netmask" dev "$local_iface"
+run    ip a add $net.$host_ip/$netmask dev $local_iface
-clean "ip a del "$net.$host_ip/$netmask" dev $local_iface"
+clean "ip a del $net.$host_ip/$netmask dev $local_iface"
 
-if [ -z "$wan_iface" ] ; then
+if [ -n "$wan_iface" ] ; then
+	old_value="$(sysctl net.ipv4.ip_forward)"
 	run sysctl net.ipv4.ip_forward=1
-	clean "sysctl net.ipv4.ip_forward=0"
+	clean "sysctl net.ipv4.ip_forward=$old_value"
 
-	run iptables -A OUTPUT -d $net.0/$netmask -j ACCEPT
+	# Allow paquets to local network
-	run iptables -A INPUT  -s $net.0/$netmask -j ACCEPT
+	run    iptables -A OUTPUT -d $net.0/$netmask -o $local_iface -j ACCEPT
-	run iptables -A INPUT  -s 255.255.255.255 -j ACCEPT
+	clean "iptables -D OUTPUT -d $net.0/$netmask -o $local_iface -j ACCEPT"
-	run iptables -A INPUT  -i "$local_iface" -j ACCEPT
 
-	run iptables -t nat -A POSTROUTING -o "$wan_iface" -j MASQUERADE
+	# Allow input from local network
-	run iptables -A FORWARD -i "$wan_iface" -o "$local_iface" -m state --state RELATED,ESTABLISHED -j ACCEPT
+	run    iptables -A INPUT -s $net.0/$netmask -i $local_iface -j ACCEPT
-	run iptables -A FORWARD -i "$local_iface" -o "$wan_iface"  -j ACCEPT
+	clean "iptables -D INPUT -s $net.0/$netmask -i $local_iface -j ACCEPT"
+	
+	# Nat paquets from local network
+	run    iptables -t nat -A POSTROUTING -s $net.0/$netmask -j MASQUERADE
+	clean "iptables -t nat -D POSTROUTING -s $net.0/$netmask -j MASQUERADE"
+
+	# Allow related paquets to come back in local network
+	run    iptables -A FORWARD -o $local_iface -m state --state RELATED,ESTABLISHED -j ACCEPT
+	clean "iptables -D FORWARD -o $local_iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
+
+	# Forward paquets from local net
+	run    iptables -A FORWARD -i $local_iface -j ACCEPT
+	clean "iptables -D FORWARD -i $local_iface -j ACCEPT"
 fi
 
 if $enable_dhcp ; then
 	# For dhcp offers
-	run iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
+	run    iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
+	clean "iptables -D OUTPUT -d 255.255.255.255/32 -j ACCEPT"
+	run    iptables -A INPUT  -s 255.255.255.255 -j ACCEPT
+	clean "iptables -D INPUT  -s 255.255.255.255 -j ACCEPT"
 	
-	run dnsmasq "--dhcp-range=$net.100,$net.199,1m" --server=9.9.9.9 -q --listen-address "$net.$host_ip" --interface "$local_iface" -p0 -d &
+	start dnsmasq "--dhcp-range=$net.100,$net.199,1m" --server=9.9.9.9 -q --listen-address "$net.$host_ip" --interface "$local_iface" -p0 -d
-	clean "kill %1"
 fi
 
 
@@ -90,13 +104,12 @@ if $enable_hostapd ; then
 		wpa_passphrase=$psk
 		wpa_key_mgmt=WPA-PSK WPA-EAP
 	EOF
-	hostapd -d "$hostapd_config" &
+	start hostapd -d "$hostapd_config"
-	clean "kill %2"
 fi
 
 echo "PRESS CTRL+C TO QUIT"
-while true ; do
+while : ; do
-	sleep 100000000
+	sleep infinity
 done
 
 clean