#!/bin/tcsh
# Firewall and NAT configuration for the gateway in front of the
# 192.168.1.0/24 network.  Run as root.  It sets default-deny policies,
# rebuilds the iptables filter and nat tables, binds the publicly routed
# addresses as aliases on the outside interface, DNATs selected public ports
# to inside servers, and finally enables IPv4 forwarding.
# NOTE(review): nothing in this file configures ip6tables; if this host has
# IPv6 connectivity, confirm it is filtered somewhere else.

# Publicly routed addresses.  Some names deliberately share an address:
# TEST1 is the same address as MAIL, and TEST2 the same as PROXY_HTTP; the
# TEST* names exist so the network-test rules further down read clearly.
# Only MAIN_EXTERNAL, PROXY_HTTP and SCOTTRADE_HTTPS are bound to the outside
# interface by this script (the MAIL and STATIC_HTTP aliases are commented
# out), so rules that match TEST1/MAIL only see traffic if .245 reaches this
# host some other way.
setenv MAIN_EXTERNAL 69.43.145.244
setenv MAIL 69.43.145.245
setenv TEST1 69.43.145.245
setenv PROXY_HTTP 69.43.145.246
setenv TEST2 69.43.145.246
setenv STATIC_HTTP 69.43.145.249
setenv SCOTTRADE_HTTPS 69.43.145.250

# HADOOP was the lighttpd web server, usually hosted on dice with dana as a
# backup and mostly aimed at our js_proxy_server.  It shared an address with
# mail only because that port happened to be free on that address.
#setenv HADOOP $MAIL
# That has since been merged: dice and dana act as the HTTP reverse proxy
# (and hot backup) for most web traffic, and it all comes in over
# MAIN_EXTERNAL now.

# Inside hosts.  A few iptables options require a literal IP address where
# most also accept a hostname; these are the literal addresses.  Preferring
# them over hostnames in rules also keeps rule loading independent of name
# resolution.
setenv KAREN 192.168.1.201
setenv BEN_DOUCETTE 192.168.1.207
setenv TURTLE 192.168.1.208
setenv DRAMA 192.168.1.212
setenv SHAUNA 192.168.1.211
setenv DOM 192.168.1.214
setenv AMANDA 192.168.1.218
setenv CHUCK_LIDDELL 192.168.1.219
setenv HARVEY 192.168.1.220
setenv PABLO 192.168.1.221
setenv WALLY_BALLS 192.168.1.222
# KIMMEL_PA (commented out) used .205, which DICE has below; kept for history.
#setenv KIMMEL_PA 192.168.1.205
setenv FIVE_TOWNS 192.168.1.223
setenv TERENCE 192.168.1.224
setenv FOGELL 192.168.1.232
setenv JULES 192.168.1.233
setenv BECCA 192.168.1.234
setenv CANNES 192.168.1.241
setenv ITS_THE_COPS 192.168.1.203
setenv DICE 192.168.1.205
setenv DANA 192.168.1.202
setenv BOB_SAGET 192.168.1.227
setenv YAIR 192.168.1.242

# Interface roles.  This is the reverse of the setup on ari: here eth0 is the
# inside (safe) side and eth1 faces the ISP.
setenv SAFE_INTERFACE eth0
setenv OUTSIDE_INTERFACE eth1

# Also unlike ari (and better): this machine has its own dedicated addresses
# both inside and outside the firewall, and only starts answering for the
# firewall-managed addresses when this script adds them as interface
# aliases.  Those commands were copied from the LVS script on karen.  The
# ethN:M alias syntax is long deprecated and may not work on current
# versions of Fedora; `ip addr add ADDR/PREFIX dev IF` is the replacement.
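# ---------------------------------------------------------------------------
# Rebuild the ruleset, then bring up the firewall-managed addresses.
# ---------------------------------------------------------------------------

# Default-deny before touching anything else.  `iptables --flush` leaves the
# chain policies alone, so with the previous order (flush, then set DROP) a
# fresh boot -- where the policy is still ACCEPT -- had a window with an
# empty INPUT chain and an ACCEPT policy.  Setting DROP first closes it.
# FORWARD is set to DROP here for the same reason; it is set again further
# down, which is harmless.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP

# Start fresh: empty the nat and filter tables and remove any user chains.
iptables --table nat --flush
iptables --flush
iptables --delete-chain

# Optional accounting (disabled).  track_all would count everything on the
# ISP link; track_forwarding (further down) would count each inside host
# (other than the firewall) separately.
#iptables --new-chain track_all
#iptables --append track_all --in-interface $OUTSIDE_INTERFACE -j RETURN
#iptables --append track_all --out-interface $OUTSIDE_INTERFACE -j RETURN
#iptables --append FORWARD -j track_all
#iptables --append INPUT -j track_all
#iptables --append OUTPUT -j track_all

# Source NAT.  Inside->inside traffic that passes through the firewall is
# rewritten to come from 192.168.1.1 (presumably so inside clients can reach
# the DNATed public addresses below and get the reply back through us --
# confirm); everything else leaving the inside network appears to come from
# MAIN_EXTERNAL.  Order matters: the more specific rule must come first.
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --destination 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 -j SNAT --to-source $MAIN_EXTERNAL

# Traffic addressed to the firewall itself (policy DROP, set above).
# ICMP is accepted from anywhere.  sshd (22) and ports 9025/9110 are also
# reachable from ANY source, the Internet included; the non-standard port
# numbers are not a control.  TODO(review): add --source ADMIN_NETWORKS or
# --in-interface $SAFE_INTERFACE to these, and document what listens on
# 9025 and 9110 -- nothing in this file says.
iptables --append INPUT --protocol icmp -j ACCEPT
iptables --append INPUT --protocol tcp --destination-port 22 -j ACCEPT
iptables --append INPUT --protocol tcp --destination-port 9025 -j ACCEPT
iptables --append INPUT --protocol tcp --destination-port 9110 -j ACCEPT

# Packets belonging to connections conntrack already knows about, which
# includes replies to connections the firewall opened itself.  RELATED
# (ICMP errors, traceroute, ftp data channels) stays commented out; ICMP is
# accepted above anyway.
iptables --append INPUT -m state --state ESTABLISHED -j ACCEPT
#iptables --append INPUT -m state --state RELATED -j ACCEPT

# Only now that a default-deny INPUT chain is in place, start answering for
# the firewall-managed addresses: 192.168.1.1 on the inside (the SNAT
# address above) and the public addresses on the outside.  MAIL and
# STATIC_HTTP are deliberately not bound.  The ethN:M alias form is
# deprecated; `ip addr add ADDR/PREFIX dev IF` is the modern spelling.
/sbin/ifconfig ${SAFE_INTERFACE}:0 192.168.1.1
/sbin/ifconfig ${OUTSIDE_INTERFACE}:0 $MAIN_EXTERNAL
#/sbin/ifconfig ${OUTSIDE_INTERFACE}:1 $MAIL
#/sbin/ifconfig ${OUTSIDE_INTERFACE}:2 $STATIC_HTTP
/sbin/ifconfig ${OUTSIDE_INTERFACE}:3 $PROXY_HTTP
/sbin/ifconfig ${OUTSIDE_INTERFACE}:4 $SCOTTRADE_HTTPS

# Allow unrestricted access to the firewall from the safe side of the firewall.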
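# Allow unrestricted access to the firewall from the safe side and from
# loopback.  Linux names the loopback interface "lo"; this rule previously
# said "lo0" (the BSD name).  iptables does not check that an interface
# exists, so that rule matched nothing, and with the INPUT policy at DROP a
# local client connecting to a local service on anything other than
# 22/9025/9110 would have been dropped.
iptables --append INPUT --in-interface $SAFE_INTERFACE -j ACCEPT
iptables --append INPUT --in-interface lo -j ACCEPT

# Destination NAT.  These connections were aimed at one of our public
# addresses; the firewall hands them to a specific inside server.  None of
# these rules restrict --in-interface, so an inside client hitting a public
# address is DNATed too (and hairpinned through the inside->inside SNAT rule
# above).  A DNAT alone is not enough: the FORWARD policy is DROP, so each
# target also needs a FORWARD ACCEPT further down.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 80 -j DNAT --to-destination $DANA
#iptables -t nat --append PREROUTING --destination $STATIC_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination $DANA

# proxy.trade-ideas.com, port 80.  Karen and Shauna are set up for the old
# Apache-based proxy; Amanda and chuck-liddell run the new YAWS-based one.
# YAWS listens on 8000 because it has trouble with low-numbered ports, and
# the DNAT hides that from the outside world.  chuck-liddell is live.
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination ${KAREN}:80
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination ${AMANDA}:8000
iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination ${CHUCK_LIDDELL}:8000
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 80 -j DNAT --to-destination ${GURU}:8000

# https.  Comes in on 443; the commented alternatives below send it to 8001
# or 8443 internally, the active rule goes to karen:443.  This layout gives
# each https site its own public address because it was built on the
# assumption that name-based virtual hosting is unavailable for https (it
# predates SNI).  Shauna hosts secure.trade-ideas.com.  Karen is currently
# a hot backup for proxy.trade-ideas.com; that should change in the near
# future.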
# Karen should be a complete backup for shauna, and amanda should be a hot
# backup for chuck-liddell.
# Active rule: PROXY_HTTP:443 -> karen:443.  The commented alternatives are
# earlier or planned backends (8001 is the https tunnelling port on those
# hosts, 8443 on shauna).
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${CHUCK_LIDDELL}:8001
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${GURU}:8001
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${AMANDA}:8001
iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${KAREN}:443
#iptables -t nat --append PREROUTING --destination $PROXY_HTTP --protocol tcp --destination-port 443 -j DNAT --to-destination ${SHAUNA}:8443

# One-off test to see whether inbound port 25 is being blocked (disabled).
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 25 -j DNAT --to-destination ${KAREN}:22

# Inbound ssh to individual inside hosts: MAIN_EXTERNAL:80xx -> host:22.
# These accept connections from ANY source; the unusual port number is not a
# security control.  TODO(review): consider restricting --source to known
# admin networks, and make sure the target sshds are key-only.
# NOTE(review): a DNAT only works if a matching FORWARD ACCEPT exists (the
# FORWARD policy is DROP).  The ACCEPTs for ben-doucette:22 (8024) and
# turtle:22 (8025) are commented out further down, so those two forwards
# are currently dead -- either re-enable them or drop these rules.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8022 -j DNAT --to-destination ${KAREN}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8023 -j DNAT --to-destination ${CHUCK_LIDDELL}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8024 -j DNAT --to-destination ${BEN_DOUCETTE}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8025 -j DNAT --to-destination ${TURTLE}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8026 -j DNAT --to-destination ${DRAMA}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8027 -j DNAT --to-destination ${SHAUNA}:22
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8028 -j DNAT --to-destination ${GURU}:22
# Inbound ssh to inside hosts, continued (MAIN_EXTERNAL:80xx -> host:22).
# Same caveats as the block above: open to any source, so the target sshds
# must stand on their own.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8029 -j DNAT --to-destination ${DOM}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8030 -j DNAT --to-destination ${AMANDA}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8031 -j DNAT --to-destination ${HARVEY}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8032 -j DNAT --to-destination ${PABLO}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8033 -j DNAT --to-destination ${WALLY_BALLS}:22
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8034 -j DNAT --to-destination ${MRS_ARI}:22
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8035 -j DNAT --to-destination ${KIMMEL_PA}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8036 -j DNAT --to-destination ${FIVE_TOWNS}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8037 -j DNAT --to-destination ${TERENCE}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8038 -j DNAT --to-destination ${FOGELL}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8039 -j DNAT --to-destination ${JULES}:22
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8040 -j DNAT --to-destination ${BECCA}:22
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8041 -j DNAT --to-destination ${CANNES}:22

# Older round-robin variants (disabled) and the current single target for
# ports 9080 and 3200.
# NOTE(review): 192.168.0.201 is outside the 192.168.1.0/24 network this
# script NATs, and no FORWARD ACCEPT for it appears anywhere in this file,
# so with the FORWARD policy at DROP these two forwards look dead -- confirm
# whether that host still exists before keeping them.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9080 -j DNAT --to-destination 192.168.0.102-192.168.0.104:80
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9080 -j DNAT --to-destination 192.168.0.201:80
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 3200 -j DNAT --to-destination 192.168.0.102-192.168.0.104:80
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 3200 -j DNAT --to-destination 192.168.0.201:80

# Test an individual HTTP server directly (normal port-80 traffic goes to
# dana via the DNAT above).
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 2000 -j DNAT --to-destination ${KAREN}:80
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 2001 -j DNAT --to-destination ${SHAUNA}:80

# ftp to will (disabled).  1040:1049 was presumably the passive-mode data
# port range; WILL is not set anywhere in this script.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 20 -j DNAT --to-destination ${WILL}
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 21 -j DNAT --to-destination ${WILL}
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 1040:1049 -j DNAT --to-destination ${WILL}

# named (disabled; the rules are on the next lines).  Not advertised, but
# should not be a real problem.  Eventually we may host our own name server;
# for now this was just for our own client machine.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 53 -j DNAT --to-destination $WILL
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol udp --destination-port 53 -j DNAT --to-destination $WILL

# new server (disabled).  The second form listed several --to-destination
# targets in one rule as a crude load balancer.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j DNAT --to-destination $GURU
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j DNAT --to-destination ${BEN_DOUCETTE}:9002 --to-destination ${BEN_DOUCETTE}:9001 --to-destination ${BEN_DOUCETTE}:9000

# scottrade uses port 443.  We send them to server.trade-ideas.com:443.
# (Disabled here; the live scottrade rule is further down, on
# SCOTTRADE_HTTPS.)
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 443 -j DNAT --to-destination ${GURU}:8888

# beta test server -- this is given out to selected users outside of TI.
# NOTE(review): the FORWARD ACCEPT for ben-doucette:8889 is commented out
# further down, so with the FORWARD policy at DROP this forward is currently
# dead.  Re-enable that ACCEPT or remove this rule.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8889 -j DNAT --to-destination $BEN_DOUCETTE

# Test ports (rules follow on the next lines), used by our test program to
# see whether someone could, in all likelihood, attach to the new server.
# The first one should display the time and exit quickly.  The second one
# should quickly reject the packet.  The third one should work like the
# first; we want to see if more people have their https port wide open than
# other ports.
# Does anyone still use this?  It is not delivered as part of TI Pro 3.x
# and will probably be broken by the new firewall installed on 4/12/2015.
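# Network test program targets.  TEST1 (same address as MAIL) and TEST2
# (same address as PROXY_HTTP) are the alternate public addresses; port 13 on
# chuck-liddell is the "display the time and exit" probe described above.
# NOTE(review): the MAIL/TEST1 alias is not bound on the outside interface
# anywhere in this script, so the TEST1 rules only see traffic if .245 is
# delivered to this host some other way -- confirm.
iptables -t nat --append PREROUTING --destination $TEST1 --protocol tcp --destination-port 8888 -j DNAT --to-destination ${CHUCK_LIDDELL}:13
iptables -t nat --append PREROUTING --destination $TEST2 --protocol tcp --destination-port 8888 -j DNAT --to-destination ${SHAUNA}:8888
iptables -t nat --append PREROUTING --destination $TEST1 --protocol tcp --destination-port 443 -j DNAT --to-destination ${CHUCK_LIDDELL}:13

# The outside-interface aliases (PROXY_HTTP and SCOTTRADE_HTTPS bound; MAIL
# and STATIC_HTTP intentionally not) are set up once near the top of this
# script.  The duplicate ifconfig calls that used to sit here were removed.

# This was an old attempt at load balancing; iptables does a poor job of it.
#iptables -t nat --append PREROUTING --destination $EXTERNAL6 --protocol tcp --destination-port 8086 -j DNAT --to-destination ${WILL}:80 --to-destination ${KAREN}:80

# Forwarding policy.
# Do not accept an external request for forwarding: someone who knew enough
# about the inside of the network could otherwise ask the firewall to act as
# a gateway to a specific inside machine.  Allow forwarding we create
# through DNAT, and forwarding from the inside out.  The explicit REJECT on
# the original destination was tried and did not work (it also matched
# traffic that came into the firewall the right way), so the same effect
# comes from a DROP policy plus one ACCEPT per DNAT target.
#iptables --append FORWARD -m conntrack --in-interface eth1 --ctorigdst 192.168.0.0/16 -j REJECT
iptables --policy FORWARD DROP

# Optional per-host accounting chain (disabled).
#iptables --new-chain track_forwarding
#iptables --append FORWARD -j track_forwarding

# Connections already in progress, and anything new from the inside out.
iptables --append FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables --append FORWARD --in-interface $SAFE_INTERFACE -j ACCEPT

# The per-target FORWARD ACCEPTs below use the address variables set at the
# top of this script rather than hostnames.  iptables resolves a hostname
# once, when the rule is loaded, so a hostname-based rule depends on
# /etc/hosts or DNS being correct and reachable at that moment; a literal
# address does not.  (This assumes the hosts entries for karen, shauna, etc.
# matched those variables -- confirm before the next load.)

# TIQ server for weston.  They use westin.trade-ideas.com:9339
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9339 -j DNAT --to-destination ${FOGELL}
iptables --append FORWARD --destination ${FOGELL} --protocol tcp --destination-port 9339 -j ACCEPT
# TIQ test server for weston.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9338 -j DNAT --to-destination ${JULES}:9339
iptables --append FORWARD --destination ${JULES} --protocol tcp --destination-port 9339 -j ACCEPT
# becca's 9339 DNAT is disabled; its ACCEPT is kept so it can be re-enabled
# with a single change.
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9339 -j DNAT --to-destination ${BECCA}
iptables --append FORWARD --destination ${BECCA} --protocol tcp --destination-port 9339 -j ACCEPT
# Test TI Pro server for Xetra
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9999 -j DNAT --to-destination ${BECCA}
iptables --append FORWARD --destination ${BECCA} --protocol tcp --destination-port 9999 -j ACCEPT

# The following are valid and safe destinations for DNATed traffic.
#iptables --append FORWARD --destination will --protocol tcp --destination-port 20 -j ACCEPT
#iptables --append FORWARD --destination will --protocol tcp --destination-port 21 -j ACCEPT
#iptables --append FORWARD --destination will --protocol tcp --destination-port 1040:1049 -j ACCEPT
iptables --append FORWARD --destination ${KAREN} --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination ${BOB_SAGET} --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination ${KAREN} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${KAREN} --protocol tcp --destination-port 443 -j ACCEPT
#iptables --append FORWARD --destination ben-doucette --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination ben-doucette --protocol tcp --destination-port 8080 -j ACCEPT
#iptables --append FORWARD --destination $WILL --protocol tcp --destination-port 53 -j ACCEPT
#iptables --append FORWARD --destination $WILL --protocol udp --destination-port 53 -j ACCEPT
#iptables --append FORWARD --destination $WILL --protocol tcp --destination-port 8888 -j ACCEPT
#iptables --append FORWARD --destination $BEN_DOUCETTE --protocol tcp --destination-port 8800 -j ACCEPT
#iptables --append FORWARD --destination $BEN_DOUCETTE --protocol tcp --destination-port 8889 -j ACCEPT
#iptables --append FORWARD --destination $BEN_DOUCETTE --protocol tcp --destination-port 9000 -j ACCEPT
#iptables --append FORWARD --destination $BEN_DOUCETTE --protocol tcp --destination-port 9001 -j ACCEPT
#iptables --append FORWARD --destination $BEN_DOUCETTE --protocol tcp --destination-port 9002 -j ACCEPT
#iptables --append FORWARD --destination $BEN_DOUCETTE --protocol tcp --destination-port 13 -j ACCEPT
#iptables --append FORWARD --destination turtle --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${DRAMA} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${SHAUNA} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${DOM} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${HARVEY} --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination guru --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination guru --protocol tcp --destination-port 8888 -j ACCEPT
#iptables --append FORWARD --destination guru --protocol tcp --destination-port 8800 -j ACCEPT
#iptables --append FORWARD --destination guru --protocol tcp --destination-port 8000 -j ACCEPT # web server for http tunnelling
#iptables --append FORWARD --destination guru --protocol tcp --destination-port 8001 -j ACCEPT # web server for https tunnelling
iptables --append FORWARD --destination ${SHAUNA} --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination ${SHAUNA} --protocol tcp --destination-port 8888 -j ACCEPT
iptables --append FORWARD --destination ${SHAUNA} --protocol tcp --destination-port 443 -j ACCEPT
iptables --append FORWARD --destination ${SHAUNA} --protocol tcp --destination-port 8443 -j ACCEPT
iptables --append FORWARD --destination ${AMANDA} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${AMANDA} --protocol tcp --destination-port 8000 -j ACCEPT # web server for http tunnelling
iptables --append FORWARD --destination ${AMANDA} --protocol tcp --destination-port 8001 -j ACCEPT # web server for https tunnelling
iptables --append FORWARD --destination ${AMANDA} --protocol tcp --destination-port 8888 -j ACCEPT
iptables --append FORWARD --destination ${CHUCK_LIDDELL} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${CHUCK_LIDDELL} --protocol tcp --destination-port 8888 -j ACCEPT
iptables --append FORWARD --destination ${CHUCK_LIDDELL} --protocol tcp --destination-port 8000 -j ACCEPT # web server for http tunnelling
iptables --append FORWARD --destination ${CHUCK_LIDDELL} --protocol tcp --destination-port 8001 -j ACCEPT # web server for https tunnelling
iptables --append FORWARD --destination ${CHUCK_LIDDELL} --protocol tcp --destination-port 13 -j ACCEPT
iptables --append FORWARD --destination ${PABLO} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${WALLY_BALLS} --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination mrs-ari --protocol tcp --destination-port 22 -j ACCEPT
#iptables --append FORWARD --destination kimmel-pa --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${FIVE_TOWNS} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${TERENCE} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${FOGELL} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${JULES} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${BECCA} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${CANNES} --protocol tcp --destination-port 22 -j ACCEPT
iptables --append FORWARD --destination ${ITS_THE_COPS} --protocol tcp --destination-port 443 -j ACCEPT

# VIP is the virtual IP address that corresponds to the load balancer.
# Items sent to this address initially go to the load balancer and then to
# one of the actual workers.  There are three VIP addresses, depending on
# which machine is acting as the load balancer:
#   192.168.1.10 is reserved for ben-doucette -- our first load balancer,
#                probably to be deactivated soon.
#   192.168.1.11 is reserved for karen -- to become the new primary.
#   192.168.1.12 is reserved for shauna -- to become a hot backup.
setenv VIP 192.168.1.11
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8800 -j DNAT --to-destination $VIP
# Per-source override (disabled): one client's 8888 traffic sent to 8800.
# iptables -t nat --append PREROUTING --source 70.179.26.162 --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j DNAT --to-destination ${VIP}:8800
iptables --append FORWARD --destination $VIP --protocol tcp --destination-port 8800 -j ACCEPT
# 8888 keeps its port; the matching FORWARD ACCEPT for VIP:8888 follows the
# scottrade rules below.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8888 -j DNAT --to-destination $VIP

# scottrade uses port 443.  We send them to server.trade-ideas.com:443.
# server.trade-ideas.com was $MAIN_EXTERNAL but we are migrating people to
# $SCOTTRADE_HTTPS so we can do actual HTTPS on the main address.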
# scottrade used to arrive on MAIN_EXTERNAL:443 (disabled); it now comes in
# on SCOTTRADE_HTTPS:443 and is handed to the load balancer's 8888, which
# frees MAIN_EXTERNAL:443 for real HTTPS (sent to dana below).
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 443 -j DNAT --to-destination ${VIP}:8888
iptables -t nat --append PREROUTING --destination $SCOTTRADE_HTTPS --protocol tcp --destination-port 443 -j DNAT --to-destination ${VIP}:8888
# silverlight port -- same backend as 8888.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 4502 -j DNAT --to-destination ${VIP}:8888
iptables --append FORWARD --destination $VIP --protocol tcp --destination-port 8888 -j ACCEPT

# Load testing for e*trade (disabled).
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8437 -j DNAT --to-destination ${GURU}:8800

# Now turn on forwarding in the kernel.  This is fail-closed: the FORWARD
# policy is already DROP, so the rules added after this point simply extend
# a live firewall.  NOTE(review): writing /proc is not persistent across a
# reboot; use sysctl.conf / sysctl.d if it is meant to be.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Tracking of throughput (disabled; goes with the track_forwarding chain).
#iptables --append track_forwarding --source vince -j RETURN
#iptables --append track_forwarding --destination vince -j RETURN
#iptables --append track_forwarding --source e -j RETURN
#iptables --append track_forwarding --destination e -j RETURN

###
### Lighttpd server (hosted on dice, dana as backup -- see the note at the
### top of this file).
###
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8080 -j DNAT --to-destination ${ITS_THE_COPS}:80
#iptables --append FORWARD --destination ${ITS_THE_COPS} --protocol tcp --destination-port 80 -j ACCEPT
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8081 -j DNAT --to-destination ${DICE}:80
#iptables -t nat --append PREROUTING --destination $HADOOP --protocol tcp --destination-port 80 -j DNAT --to-destination ${DANA}:80
#iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 443 -j DNAT --to-destination $SHAUNA
# Real HTTPS on the main address goes to dana.  dice has the same FORWARD
# ACCEPTs so only the DNAT target needs to change to fail over to it.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 443 -j DNAT --to-destination $DANA
iptables --append FORWARD --destination ${DICE} --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination ${DANA} --protocol tcp --destination-port 80 -j ACCEPT
iptables --append FORWARD --destination ${DICE} --protocol tcp --destination-port 443 -j ACCEPT
iptables --append FORWARD --destination ${DANA} --protocol tcp --destination-port 443 -j ACCEPT

###
### New TIQ server.
### Currently named tiq2.trade-ideas.com
###
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 9369 -j DNAT --to-destination ${BECCA}:9369
iptables --append FORWARD --destination ${BECCA} --protocol tcp --destination-port 9369 -j ACCEPT
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 8369 -j DNAT --to-destination ${YAIR}:8369
iptables --append FORWARD --destination ${YAIR} --protocol tcp --destination-port 8369 -j ACCEPT

# The candle server on becca.
iptables -t nat --append PREROUTING --destination $MAIN_EXTERNAL --protocol tcp --destination-port 1986 -j DNAT --to-destination ${BECCA}:1986
iptables --append FORWARD --destination ${BECCA} --protocol tcp --destination-port 1986 -j ACCEPT