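#!/bin/sh
# Private firewall rules hook (start|stop|reload).
#
# Rules are appended to the CUSTOMFORWARD chain on start and deleted from it
# on stop. iptables -D only removes a rule that matches exactly, so the stop
# branch must reproduce every rule start added, argument for argument. The
# shared helper below guarantees that by building the rule set once and
# taking the chain operation (-A or -D) as its only parameter.

IPTABLES=/sbin/iptables

# The one host allowed to send mail directly (traffic arriving on eth0,
# which, judging by the private source addresses, is the internal side).
# Defined before the case statement on purpose: it used to be assigned only
# inside the start branch, so on stop it expanded to nothing and
# "iptables -D ... -s --dport 25 ..." was a parse error. The ACCEPT rules were
# therefore never removed and every reload left duplicates in the chain.
EMAILSERVER="192.168.1.250"

# Outbound-SMTP egress policy: add (-A) or remove (-D) the rules.
# $1 - iptables chain operation, "-A" or "-D".
# With -A the order is significant: the ACCEPT rules for the mail server must
# be appended before the catch-all LOG/REJECT rules, because -A always puts a
# rule at the end of the chain.
# NOTE(review): only ports 25 and 465 are covered; 587 (submission) is not,
# so a host can still relay via submission if the intent is "no direct mail
# except the mail server". The REJECTED_* LOG rules carry no -m limit, so a
# misbehaving host can flood the log.
smtp_egress_rules() {
    op="$1"

    # Uncomment to also log the mail server's own allowed connections.
    #"$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 -s "$EMAILSERVER" --dport 25  -j LOG --log-prefix "ALLOWED_SMTP "
    #"$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 -s "$EMAILSERVER" --dport 465 -j LOG --log-prefix "ALLOWED_SMTP-SSL "

    # SMTP and SMTPS from the mail server are allowed.
    "$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 -s "$EMAILSERVER" --dport 25  -j ACCEPT
    "$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 -s "$EMAILSERVER" --dport 465 -j ACCEPT

    # Anything else talking SMTP/SMTPS outbound is logged ...
    "$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 --dport 25  -j LOG --log-prefix "REJECTED_SMTP "
    "$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 --dport 465 -j LOG --log-prefix "REJECTED_SMTP-SSL "

    # ... and rejected.
    "$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 --dport 25  -j REJECT
    "$IPTABLES" "$op" CUSTOMFORWARD -p tcp -i eth0 --dport 465 -j REJECT
}

case "$1" in
    start)
        # Zerina/OpenVPN chains first, then the local policy.
        /usr/local/bin/openvpnctrl --create-chains-and-rules

        smtp_egress_rules -A

        ## Per-host block (disabled) -- BEGIN
        #"$IPTABLES" -A CUSTOMFORWARD -i eth0 -s 192.168.1.50 -j LOG --log-prefix "REJECTED_NATASHA "
        #"$IPTABLES" -A CUSTOMFORWARD -i eth0 -s 192.168.1.51 -j LOG --log-prefix "REJECTED_NATASHA "
        #
        #"$IPTABLES" -A CUSTOMFORWARD -i eth0 -s 192.168.1.50 -j REJECT
        #"$IPTABLES" -A CUSTOMFORWARD -i eth0 -s 192.168.1.51 -j REJECT
        ## Per-host block (disabled) -- END
        ;;
    stop)
        /usr/local/bin/openvpnctrl --delete-chains-and-rules

        # Same rule set as start, deleted instead of appended.
        smtp_egress_rules -D

        ## Per-host block (disabled) -- BEGIN
        #"$IPTABLES" -D CUSTOMFORWARD -i eth0 -s 192.168.1.50 -j LOG --log-prefix "REJECTED_NATASHA "
        #"$IPTABLES" -D CUSTOMFORWARD -i eth0 -s 192.168.1.51 -j LOG --log-prefix "REJECTED_NATASHA "
        #
        #"$IPTABLES" -D CUSTOMFORWARD -i eth0 -s 192.168.1.50 -j REJECT
        #"$IPTABLES" -D CUSTOMFORWARD -i eth0 -s 192.168.1.51 -j REJECT
        ## Per-host block (disabled) -- END
        ;;
    reload)
        # Tear down and rebuild; relies on stop removing exactly what start added.
        "$0" stop
        "$0" start
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}" >&2
        exit 1
        ;;
esac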