#!/bin/sh
#
# Configure a Debian Edu system with 'Minimal' profile to act as a gateway.

# The configuration below applies to a Debian Edu machine in the internal
# backbone network with two NICs, the eth0 interface attached to an existing
# router and the eth1 one attached to the backbone network 10.0.0.0/8.
#
# Author/Copyright:	Wolfgang Schweer <wschweer@arcor.de>
# Licence:			GPL2+
# first edited:		2020-04-17
# last edited:		2021-02-03
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

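set -e

# usage
if [ -z "$1" ] ; then
	echo "Use $0 -h or $0 --help for more information"
	exit 0
fi

if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
	cat <<EOF

Usage information:

$0 --firewall <yes|no>

Turn a Debian Edu system with profile 'Minimal' into a gateway.

'$0 --firewall no' configures this system as gateway.

'$0 --firewall yes' installs the 'shorewall' package in addition and
   configures this system also as a firewall.
   See https://shorewall.org/two-interface.htm#System for detailed information.
EOF
	exit 0
fi

# Accept only the documented invocation.  Every code path below this point
# rewrites /etc/network/interfaces, /etc/hostname and the dhclient hooks, so a
# mistyped option must not fall through and silently reconfigure the machine.
if [ "$#" -ne 2 ] || [ "$1" != "--firewall" ] || { [ "$2" != "yes" ] && [ "$2" != "no" ]; } ; then
	echo "Error: unexpected arguments: $*" >&2
	echo "Use $0 -h or $0 --help for more information" >&2
	exit 1
fi

# All remaining steps edit files under /etc and restart services; fail early
# with a clear message instead of half-way through under 'set -e'.
if [ "$(id -u)" -ne 0 ] ; then
	echo "Error: $0 must be run as root." >&2
	exit 1
fi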

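# Run the gateway configuration only once.  The final step below writes the
# NAT network into /etc/default/enable-nat, so its presence marks a completed
# run.  The value is matched as a fixed string (-F) so the dots are not regex
# wildcards; -s keeps grep quiet if the file is missing (the later 'sed -i'
# on it then aborts the script under 'set -e', which is the intended outcome
# on a system that is not a Debian Edu installation).
if ! grep -qsF '10.0.0.0/8' /etc/default/enable-nat ; then
	# eth0 (uplink to the existing router) keeps its DHCP configuration;
	# eth1 becomes the statically addressed backbone interface.  The three
	# address lines are appended to the end of the file, which assumes the
	# eth1 stanza is the last one -- TODO confirm against the interfaces file
	# written by the Debian Edu installer.  Every 'post-up' hook is dropped,
	# presumably because those belong to the client-side setup.
	sed -i 's/auto eth0/auto eth0 eth1/' /etc/network/interfaces
	sed -i '/eth1/ s/dhcp/static/' /etc/network/interfaces
	sed -i '/post-up/d' /etc/network/interfaces
	echo 'address 10.0.0.1' >> /etc/network/interfaces
	echo 'dns-nameservers 10.0.2.2' >> /etc/network/interfaces
	echo 'dns-domain intern' >> /etc/network/interfaces
	hostname -b gateway
	hostname > /etc/hostname
	# Judging by their names, these dhclient hooks let a lease obtained on the
	# uplink rewrite the hostname, the proxy (WPAD) settings and the LDAP
	# certificate.  A gateway must not be reconfigured by whatever DHCP server
	# sits on eth0, so they are removed; likewise domain-name/domain-search are
	# no longer requested from the uplink's DHCP server.
	rm -f /etc/dhcp/dhclient-exit-hooks.d/hostname
	rm -f /etc/dhcp/dhclient-exit-hooks.d/wpad-proxy-update
	rm -f /etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert
	rm -f /etc/network/if-up.d/wpad-proxy-update
	sed -i 's/domain-name,//' /etc/dhcp/dhclient-debian-edu.conf
	sed -i 's/domain-search,//' /etc/dhcp/dhclient-debian-edu.conf
	# Apply the new interface configuration (brief loss of connectivity).
	service networking stop
	service networking start
	# Enable NAT for the backbone network; this line is also the marker the
	# guard above looks for on subsequent runs.
	sed -i 's#NAT=#NAT="10.0.0.0/8"#' /etc/default/enable-nat
	service enable-nat restart
	echo ""
	echo "The system has been configured as gateway."
	echo ""
else
	echo ""
	echo "The system has already been configured as gateway."
	echo ""
fi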

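# Optionally install, configure, enable and start shorewall.
# Skipped when /etc/shorewall already exists, i.e. when the package is already
# installed.  Note this also skips the configuration steps if an earlier run
# got past the install but aborted before the example files were copied.
if [ "yes" = "$2" ] && [ ! -d /etc/shorewall ] ; then
	echo ""
	echo "Now setting up shorewall like requested."
	echo ""
	# Release codename for the apt source line: on testing/unstable
	# /etc/debian_version reads "<codename>/sid"; on stable it holds a
	# version number, so lsb_release is asked for the codename instead.
	if grep -q / /etc/debian_version ; then
		dist=$(cut -d/ -f1 /etc/debian_version)
	else
		dist=$(lsb_release -sc)
	fi
	# An installation from CD/DVD leaves only a 'deb cdrom:' source; comment
	# it out and add the network mirror so 'shorewall' can be fetched.
	# NOTE(review): only the release archive is added, not the matching
	# security source, so a firewall installed this way sees no security
	# updates until one is configured.  The transport is plain http; package
	# integrity then rests entirely on apt's signature check of the Release
	# file, which must stay enabled (no [trusted=yes], no --allow-unauthenticated).
	if grep -q '^deb cdrom:' /etc/apt/sources.list ; then
		sed -i 's/deb cdrom/#deb cdrom/' /etc/apt/sources.list
		echo "deb http://deb.debian.org/debian $dist main" >> /etc/apt/sources.list
	fi
	# apt-get rather than apt: only the former has a stable CLI for scripts.
	apt-get update
	DEBIAN_FRONTEND=noninteractive apt-get -yq install shorewall
	# Start from the upstream two-interfaces example.  'params' is not among
	# the copied files; the two settings below are appended to whatever
	# params file the package ships (the file is created if absent).
	for f in interfaces policy rules snat stoppedrules zones ; do
		cp -- "/usr/share/doc/shorewall/examples/two-interfaces/$f" /etc/shorewall/
	done
	# eth0 is the untrusted 'net' side.  params is read as shell assignments,
	# so these later lines take precedence over any earlier NET_IF/NET_OPTIONS.
	# 'norfc1918' is meant to reject private source addresses arriving on the
	# uplink; check shorewall-interfaces(5) of the installed version still
	# accepts it, as it was dropped upstream at some point -- TODO confirm.
	# No 'dhcp' option is set although eth0 is DHCP-configured; verify that
	# lease renewal on eth0 still passes the firewall.
	echo "NET_IF=eth0" >> /etc/shorewall/params
	echo "NET_OPTIONS=routefilter,norfc1918" >> /etc/shorewall/params
	systemctl enable shorewall
	systemctl start shorewall
fi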

# Final feedback: the copied 'snat' file is taken as evidence that the
# two-interfaces shorewall setup is in place (from this or an earlier run).
if test -e /etc/shorewall/snat ; then
	cat <<EOF

Shorewall has been configured for the two-interfaces setup on this system.

See https://shorewall.org/two-interface.htm#System for detailed information.

EOF
fi
