#!/bin/bash
# Creole template producing the IPv4 iptables rules for the LXC bridge (br0)
# and for the per-interface "ethN-root" / "ethN-cont" chains. Lines starting
# with a single percent sign are template directives and double-percent names
# are placeholders; both are expanded before the rendered script runs.
# Only /sbin/iptables (IPv4) is driven here; no ip6tables counterpart is visible
# in this fragment, so IPv6 reachability of br0 must be covered elsewhere.
# NOTE(review): default policies for INPUT/OUTPUT/FORWARD are not set in this
# fragment, and -A appends, so the effect depends on the rules already present
# when it is applied -- confirm against the surrounding rule set.
%if %%mode_conteneur_actif == "oui"
# Container mode: the bridge network / netmask placeholders bound the traffic
# between the containers and the controller (host) in both directions.
# Accept from containers to LXC controller
/sbin/iptables -A INPUT -i br0 -s %%adresse_network_br0/%%adresse_netmask_br0 -j ACCEPT

# Accept from LXC controller to containers
/sbin/iptables -A OUTPUT -o br0 -d %%adresse_network_br0/%%adresse_netmask_br0 -j ACCEPT

# Accept from containers to containers
# NOTE(review): bridged br0-to-br0 traffic only traverses FORWARD when the
# kernel's bridge netfilter hook is enabled -- confirm on the target system.
/sbin/iptables -A FORWARD -i br0 -o br0 -s %%adresse_network_br0/%%adresse_netmask_br0 -d %%adresse_network_br0/%%adresse_netmask_br0 -j ACCEPT

# Accept from containers to outside
# NOTE(review): this rule matches interfaces only, with no -s restriction,
# whereas the MASQUERADE rule below is limited to the bridge network. Packets
# leaving br0 with a source address outside that network would therefore be
# forwarded without NAT; adding the same -s match here would make the two
# rules consistent -- confirm this is intended before changing it.
/sbin/iptables -A FORWARD -i br0 -o %%getVar('nom_zone_eth0', 'eth0') -j ACCEPT

# MASQUERADE containers getting outside
# Only sources inside the bridge network are rewritten to the outbound
# interface address (second argument of getVar is the fallback name).
/sbin/iptables -t nat -A POSTROUTING -s %%adresse_network_br0/%%adresse_netmask_br0 -o %%getVar('nom_zone_eth0', 'eth0') -j MASQUERADE
%end if

# Disabled: former "wide-wide" chain (forwarding between the same external
# zone). Kept for reference; nothing jumps to it in this fragment.
#/sbin/iptables -A wide-wide -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A wide-wide -j DROP
#/sbin/iptables -A FORWARD -i %%nom_zone_eth0 -o %%nom_zone_eth0 -j wide-wide

# One "ethN-root" chain per configured interface: only replies to connections
# initiated from the host are accepted on INPUT; everything else is dropped.
# The chain is filled before INPUT is made to jump to it, so no traffic reaches
# an empty chain. The chains themselves are not created (-N) in this fragment;
# presumably an earlier template does so -- verify.
# -m state is the legacy match; -m conntrack --ctstate is the modern equivalent
# with identical semantics for ESTABLISHED,RELATED.
%for num_int in %%range(0, %%int(%%nombre_interfaces))
    %set %%chain = 'eth' + %%str(num_int) + '-root'
/sbin/iptables -A %%chain -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A %%chain -j DROP
/sbin/iptables -A INPUT -i %%getVar('nom_zone_eth' + %%str(num_int)) -j %%chain

# Container mode: the matching "ethN-cont" chain applies the same
# reply-only policy to traffic forwarded from the interface into br0, so
# containers are not reachable from outside unless they opened the connection.
%if %%mode_conteneur_actif == "oui"
    %set %%chain_cont = 'eth' + %%str(num_int) + '-cont'
/sbin/iptables -A %%chain_cont -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A %%chain_cont -j DROP
/sbin/iptables -A FORWARD -i %%getVar('nom_zone_eth' + %%str(num_int)) -o br0 -j %%chain_cont
%end if
%end for
