#!/bin/sh

curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}

# Block RFC1918 and APIPA destination via WAN
/sbin/iptables -P OUTPUT ACCEPT
for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
done

# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1

# restart when kernel panic
/sbin/sysctl kernel.panic=1

# Stop tunneldigger until bat0 is up
/usr/sbin/service tunneldigger stop

# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables

# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42

# Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4

# NAT on eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# All from FF IPv4 via routing table 42
/bin/ip rule add from 185.66.193.104/30 lookup 42
/bin/ip -6 rule add from  2a03:2260:121::/64 lookup 42

# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0

# Create Tunneldigger Bridge
/sbin/brctl addbr br-nodes
/sbin/ip link set dev br-nodes up
/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
/usr/local/sbin/batctl if add br-nodes

sleep 5

# Start tunneldigger
/bin/systemctl restart tunneldigger
/bin/systemctl enable tunneldigger

# radvd restart
/bin/systemctl restart radvd
/bin/systemctl enable radvd

# restart DHCP
/bin/systemctl restart isc-dhcp-server
/bin/systemctl enable isc-dhcp-server

exit 0