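#!/bin/bash
#
# Manage firewalld port forwarding for a set of TCP/UDP port mappings:
# one forward-port rich rule per entry in RULES, plus a single SNAT rule so
# the forwarded host's traffic leaves INTERFACE_SOURCE with the public
# address.  All firewall-cmd calls use --permanent and a single --reload at
# the end applies the whole batch.
#
# Usage: <script> up|down
#
# Required variables (must be set in the environment, or in this file
# before the "Actual script" section):
#   INTERFACE_SOURCE         - outgoing interface for the SNAT rule
#   ORIGINAL_DESTINATION_IP  - public address the forwarded ports belong to
#   FORWARD_TO_IP            - internal host receiving the forwarded traffic
#   RULES                    - array of "<dst_port>:<to_port>[/udp]" entries;
#                              the protocol defaults to tcp
#
# Exit status: 1 on bad arguments, a malformed rule or a failed firewall-cmd
# call; 2 when not run as root.

set -euo pipefail

# die MESSAGE...
# Print MESSAGE to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# validate_forwarding_args TCP_OR_UDP DST_IP DST_PORT TO_IP TO_PORT
# Reject values that cannot be a protocol name, an IPv4 address (with an
# optional /prefix) or a port / port range.  The rich rule below is assembled
# as text, so this also keeps quotes and spaces out of the rule string.
validate_forwarding_args() {
  local tcp_or_udp=$1 dst_ip=$2 dst_port=$3 to_ip=$4 to_port=$5
  case "$tcp_or_udp" in
    tcp|udp) ;;
    *) die "Invalid protocol '$tcp_or_udp': use tcp or udp" ;;
  esac
  local addr port
  for addr in "$dst_ip" "$to_ip"; do
    [[ "$addr" =~ ^[0-9.]+(/[0-9]+)?$ ]] \
      || die "Invalid IPv4 address '$addr'"
  done
  for port in "$dst_port" "$to_port"; do
    [[ "$port" =~ ^[0-9]+(-[0-9]+)?$ ]] \
      || die "Invalid port '$port': use a number or a range like 1000-1010"
  done
}

# nat_forwarding_rule TCP_OR_UDP DST_IP DST_PORT TO_IP TO_PORT
# Print the firewalld rich rule describing one port forward on stdout.
# The rule carries no interface: firewalld attaches rich rules to the
# default zone, so the interface passed to the callers is only echoed.
nat_forwarding_rule() {
  local tcp_or_udp=$1 dst_ip=$2 dst_port=$3 to_ip=$4 to_port=$5
  printf 'rule family="ipv4" destination address="%s" forward-port port="%s" protocol="%s" to-addr="%s" to-port="%s"' \
    "$dst_ip" "$dst_port" "$tcp_or_udp" "$to_ip" "$to_port"
}

# apply_NAT_forwarding RICH_FLAG MARKER CALLER INTERFACE TCP_OR_UDP DST_IP DST_PORT TO_IP TO_PORT
# Shared body of add_NAT_forwarding and remove_NAT_forwarding.
#   RICH_FLAG - --add-rich-rule or --remove-rich-rule
#   MARKER    - leading character of the summary line ("+" or "-")
#   CALLER    - name shown in the usage message
# Exits 1 on a wrong argument count, invalid values or a failed firewall-cmd.
apply_NAT_forwarding() {
  local rich_flag=$1 marker=$2 caller=$3
  shift 3
  if [ "$#" -ne 6 ]; then
    echo "Usage: $caller <interface> <tcp|udp> <dst_ip> <dst_port> <to_ip> <to_port>" >&2
    exit 1
  fi
  local interface_source=$1 tcp_or_udp=$2 original_destination_ip=$3
  local original_destination_port=$4 forward_to_ip=$5 forward_to_port=$6

  validate_forwarding_args "$tcp_or_udp" "$original_destination_ip" \
    "$original_destination_port" "$forward_to_ip" "$forward_to_port"

  local rule
  rule=$(nat_forwarding_rule "$tcp_or_udp" "$original_destination_ip" \
    "$original_destination_port" "$forward_to_ip" "$forward_to_port")

  # A failed call used to be silently discarded; stop instead of reloading
  # a half-applied rule set.
  firewall-cmd "$rich_flag" "$rule" --permanent > /dev/null \
    || die "firewall-cmd $rich_flag failed for $original_destination_ip:$original_destination_port"

  echo "$marker [$interface_source][$tcp_or_udp] $original_destination_ip:$original_destination_port --> $forward_to_ip:$forward_to_port"
}

# add_NAT_forwarding INTERFACE TCP_OR_UDP DST_IP DST_PORT TO_IP TO_PORT
# Permanently add one forward-port rich rule and print a "+" summary line.
add_NAT_forwarding() {
  apply_NAT_forwarding --add-rich-rule '+' add_NAT_forwarding "$@"
}

# remove_NAT_forwarding INTERFACE TCP_OR_UDP DST_IP DST_PORT TO_IP TO_PORT
# Permanently remove one forward-port rich rule and print a "-" summary line.
remove_NAT_forwarding() {
  apply_NAT_forwarding --remove-rich-rule '-' remove_NAT_forwarding "$@"
}

# Actual script
if [ "$(id -u)" -ne 0 ]; then
  echo "This script only runs as root." >&2
  exit 2
fi

if [ "$#" -ne 1 ]; then
  echo "Usage: $0 up|down" >&2
  exit 1
fi
action="$1"

# Validate the action once, before any rule is touched, so a typo cannot
# leave a partially applied batch behind.
case "$action" in
  up)   direct_flag=--add-rule ;;
  down) direct_flag=--remove-rule ;;
  *)
    echo "Invalid action. Use 'up' or 'down'." >&2
    exit 1
    ;;
esac

# Fail early on missing configuration instead of producing empty-valued rules.
: "${INTERFACE_SOURCE:?INTERFACE_SOURCE must be set}"
: "${ORIGINAL_DESTINATION_IP:?ORIGINAL_DESTINATION_IP must be set}"
: "${FORWARD_TO_IP:?FORWARD_TO_IP must be set}"

# ${RULES[@]+"${RULES[@]}"} expands to nothing when RULES is unset or empty,
# which would otherwise trip 'set -u' on older bash versions.
for rule in ${RULES[@]+"${RULES[@]}"}; do
  protocol="tcp"
  if [[ "$rule" == */udp ]]; then
    protocol="udp"
    rule="${rule%/udp}"   # strip the "/udp" suffix
  fi

  IFS=":" read -ra parts <<< "$rule"
  if [ "${#parts[@]}" -ne 2 ]; then
    die "Invalid rule '$rule': expected <dst_port>:<to_port>[/udp]"
  fi
  port_origin="${parts[0]}"
  forward_port="${parts[1]}"

  # Call the function matching the requested action.
  if [ "$action" = up ]; then
    add_NAT_forwarding "$INTERFACE_SOURCE" "$protocol" "$ORIGINAL_DESTINATION_IP" \
      "$port_origin" "$FORWARD_TO_IP" "$forward_port"
  else
    remove_NAT_forwarding "$INTERFACE_SOURCE" "$protocol" "$ORIGINAL_DESTINATION_IP" \
      "$port_origin" "$FORWARD_TO_IP" "$forward_port"
  fi
done

# SNAT matches only on source address and outgoing interface: it rewrites
# the source of *all* traffic from FORWARD_TO_IP leaving INTERFACE_SOURCE,
# not just the replies to the forwarded ports.
firewall-cmd --permanent --direct "$direct_flag" ipv4 nat POSTROUTING 0 \
  -o "$INTERFACE_SOURCE" -s "$FORWARD_TO_IP" -j SNAT --to-source "$ORIGINAL_DESTINATION_IP" \
  || die "firewall-cmd --direct $direct_flag failed"

firewall-cmd --reload > /dev/null || die "firewall-cmd --reload failed"

printf '\nDone! Don'\''t forget to add/remove the rules in the security list.\n'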