#!/bin/sh
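# Init-style helper that optionally locks down locally generated outbound
# traffic with iptables.
#
#   start  - if the config enables it, replace the OUTPUT chain with an
#            allow-list followed by a catch-all DROP
#   stop   - flush the OUTPUT chain and reset its policy to ACCEPT
#
# Security notes for maintainers:
#   * Fail-open: if the config file is missing or unreadable, or the key is
#     not set to true, "start" installs no rules at all.
#   * Only iptables (IPv4) is programmed; ip6tables is never touched, so any
#     IPv6 egress the device has is not restricted by this script.
#   * DNS (port 53) and DHCP (udp 67-68) are allowed to any destination, so
#     this is not a hard egress boundary for traffic on those ports.
CONFIG="/data/rayhunter/config.toml"

# Return 0 when $CONFIG contains `firewall_restrict_outbound = true`.
# Whitespace around the key and '=' and a trailing comment are tolerated, so
# a hand-edited `firewall_restrict_outbound=true` is not silently ignored.
# A missing or unreadable file counts as "disabled" (grep errors are hidden).
firewall_enabled() {
    grep -Eq '^[[:space:]]*firewall_restrict_outbound[[:space:]]*=[[:space:]]*true[[:space:]]*(#.*)?$' \
        "$CONFIG" 2>/dev/null
}

# Rebuild the OUTPUT chain as allow-list + final DROP.
# Returns non-zero if the final DROP rule could not be installed, because in
# that case outbound traffic is still unrestricted.
apply_outbound_restrictions() {
    rc=0

    # Start from an empty chain so repeated "start" calls do not stack rules.
    iptables -F OUTPUT

    # Loopback is always allowed.
    iptables -A OUTPUT -o lo -j ACCEPT

    # Allow traffic leaving via the bridge interfaces that exist on this
    # device (presumably the local/hotspot side - confirm per device).
    for br in bridge0 br0; do
        if [ -d "/sys/class/net/$br" ]; then
            iptables -A OUTPUT -o "$br" -j ACCEPT
        fi
    done

    # Packets belonging to already-tracked connections, e.g. replies to
    # connections that were initiated from outside.
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP and DNS, to any destination.
    iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

    # Everything else is dropped. Report loudly if this rule fails: without
    # it the chain only contains ACCEPT rules and nothing is restricted.
    if ! iptables -A OUTPUT -j DROP; then
        printf '%s: failed to add final DROP rule; outbound traffic is NOT restricted\n' "$0" >&2
        rc=1
    fi

    # Stop bridged frames from being passed through iptables (presumably so
    # bridged client traffic is not filtered - confirm). The file only exists
    # when bridge netfilter support is loaded; test first, because a failing
    # '>' redirection reports its error before a later '2>/dev/null' applies.
    if [ -w /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
        echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
    fi

    return "$rc"
}

case "$1" in
  start)
    if firewall_enabled; then
        apply_outbound_restrictions
    fi
    ;;
  stop)
    # Remove every rule and make sure the default policy lets traffic out.
    iptables -F OUTPUT
    iptables -P OUTPUT ACCEPT
    ;;
esac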
