#linux防火墙

#!/bin/bash

###############################
# debian 开启 ufw 转发上网功能
###############################

# 定义内网和外网网卡名称
INTERNAL_IFACE="ens18"
EXTERNAL_IFACE="ens19"

# 启用 IP 转发
echo "Enabling IP forwarding..."
sudo sysctl -w net.ipv4.ip_forward=1

# 永久启用 IP 转发
echo "Updating sysctl.conf for persistent IP forwarding..."
if ! grep -q "^net.ipv4.ip_forward=1" /etc/sysctl.conf; then
    sudo sh -c 'echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf'
fi
sudo sysctl -p

# 配置 UFW 以启用 NAT
echo "Configuring UFW for NAT..."

# 创建备份以防万一
BACKUP_FILE="/etc/ufw/before.rules.bak"
if [ ! -f "$BACKUP_FILE" ]; then
    sudo cp /etc/ufw/before.rules "$BACKUP_FILE"
fi

# 添加新的 NAT 配置
if ! grep -q "^# Forward traffic from $INTERNAL_IFACE to $EXTERNAL_IFACE" /etc/ufw/before.rules; then
    sudo bash -c "cat >> /etc/ufw/before.rules <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from $INTERNAL_IFACE to $EXTERNAL_IFACE
-A POSTROUTING -o $EXTERNAL_IFACE -j MASQUERADE
COMMIT
EOF"
fi

# 设置 UFW 默认策略
echo "Setting UFW default policies..."
if ! grep -q "^DEFAULT_FORWARD_POLICY=\"ACCEPT\"" /etc/default/ufw; then
    sudo sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
fi

# 允许转发流量
echo "Allowing traffic on interfaces..."
if ! sudo ufw status verbose | grep -q "$INTERNAL_IFACE"; then
    sudo ufw allow in on $INTERNAL_IFACE
fi
if ! sudo ufw status verbose | grep -q "$EXTERNAL_IFACE"; then
    sudo ufw allow out on $EXTERNAL_IFACE
fi

# 重启 UFW 以应用更改
echo "Restarting UFW to apply changes..."
sudo ufw disable
sudo ufw enable

# 输出 UFW 状态
echo "UFW status:"
sudo ufw status verbose

echo "Configuration complete."