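#!/bin/bash
# vlan_firewall.sh - Configure firewall rules for VLAN isolation
# This script sets up basic firewall rules for TP-Link router or iptables-based systems
#
# Usage: ./vlan_firewall.sh
# Environment (optional overrides; defaults match the VLAN plan below):
#   MGMT_NET, SVC_NET, LAN_NET - CIDR of each VLAN
#   RULES_FILE                 - where the iptables-save output is persisted
#
# Notes:
#   - Rules are appended to the FORWARD chain only; the chain's default policy
#     is not touched, so traffic that matches none of the rules below (for
#     example services -> management) follows whatever policy was already set.
#   - Each rule is checked with `iptables -C` before being added, so re-running
#     the script does not append duplicate rules.
set -euo pipefail

# VLAN 10: Management (192.168.10.0/24)
# VLAN 20: Services (192.168.20.0/24)
# VLAN 1: Default LAN (192.168.1.0/24)
readonly MGMT_NET=${MGMT_NET:-192.168.10.0/24}
readonly SVC_NET=${SVC_NET:-192.168.20.0/24}
readonly LAN_NET=${LAN_NET:-192.168.1.0/24}
readonly RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

# Port 53 (DNS), 80 (HTTP), 443 (HTTPS), 9000 (Portainer), 8080 (Traefik)
readonly SVC_TO_LAN_TCP_PORTS=53,80,443,9000,8080

#######################################
# Append a rule to the FORWARD chain unless an identical rule already exists.
# Arguments: the iptables match/target arguments (everything after `-A FORWARD`)
# Outputs:   a notice on stdout when the rule was already present
# Returns:   the exit status of `iptables -A` (0 when the rule already existed)
#######################################
add_forward_rule() {
  if sudo iptables -C FORWARD "$@" 2>/dev/null; then
    printf 'rule already present: %s\n' "$*"
    return 0
  fi
  sudo iptables -A FORWARD "$@"
}

#######################################
# Install the VLAN isolation rules, in evaluation order.
# Globals:   MGMT_NET, SVC_NET, LAN_NET, SVC_TO_LAN_TCP_PORTS (read)
#######################################
configure_rules() {
  # The stateful rule must come before the services -> LAN DROP: replies to
  # connections that the LAN opened towards services have src=SVC_NET and
  # dst=LAN_NET with an ephemeral destination port, so they match neither
  # port-specific ACCEPT and would otherwise be dropped.
  add_forward_rule -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow management VLAN to access all networks
  add_forward_rule -s "$MGMT_NET" -j ACCEPT

  # Allow services VLAN to access default LAN on specific ports only
  add_forward_rule -s "$SVC_NET" -d "$LAN_NET" -p tcp -m multiport \
    --dports "$SVC_TO_LAN_TCP_PORTS" -j ACCEPT
  add_forward_rule -s "$SVC_NET" -d "$LAN_NET" -p udp --dport 53 -j ACCEPT

  # Block all other traffic from services VLAN to default LAN
  add_forward_rule -s "$SVC_NET" -d "$LAN_NET" -j DROP

  # Allow default LAN to access services VLAN
  add_forward_rule -s "$LAN_NET" -d "$SVC_NET" -j ACCEPT
}

#######################################
# Persist the running ruleset to RULES_FILE.
# Globals:   RULES_FILE (read)
#######################################
save_rules() {
  echo "Saving iptables rules..."
  # The directory may not exist on hosts without iptables-persistent installed.
  sudo mkdir -p -- "$(dirname -- "$RULES_FILE")"
  # tee's stdout copy is discarded so the full ruleset is not dumped on screen.
  sudo iptables-save | sudo tee -- "$RULES_FILE" >/dev/null
}

main() {
  if ! command -v iptables >/dev/null; then
    echo "iptables not found in PATH" >&2
    exit 1
  fi
  echo "Configuring VLAN firewall rules..."
  configure_rules
  save_rules
  echo "VLAN firewall rules configured."
  echo "Note: For TP-Link router, configure ACLs via web UI using similar logic."
}

main "$@"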