@metzenseifner
Last active May 12, 2017 05:34
iptables script for internet connection sharing
#!/bin/sh
# Shares the wlan0 internet connection with devices attached to the bridge br0. You could
# also use a physical eth device as the inside interface, or bind any other physical device
# to the bridge.
# This assumes you have already set up a bridge device called br0 and that your wlan device
# is called wlan0. I used systemd-networkd files under /etc/systemd/network for that.
# You also need a DHCP and DNS server listening on br0. I used dnsmasq with "interface=br0"
# and "dhcp-range=192.168.4.50,192.168.4.150,12h" in /etc/dnsmasq.conf. The address of br0
# must be in the same subnet as the dhcp-range; in my case br0 is 192.168.4.1/24.
if [ "$(/usr/bin/id -u)" -ne 0 ]; then
    echo "Not running as root" >&2
    exit 1
fi

# Setup variables
IPTABLES=/sbin/iptables
SUBNET_IFACE=br0
INTERNET_IFACE=wlan0
SUBNET=192.168.4.0/24

# Globally enable IP forwarding (runtime only; put these in /etc/sysctl.d/ to persist)
sysctl -w net.ipv4.ip_forward=1
# Caution: nothing below filters IPv6. With v6 forwarding on and no ip6tables rules,
# v6 traffic is forwarded unfiltered; leave these off unless you add ip6tables rules.
sysctl -w net.ipv6.conf.default.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1

# Flush the filter AND nat tables, otherwise every re-run appends another MASQUERADE rule
# (list current rules with iptables -S and iptables -t nat -S)
$IPTABLES -F
$IPTABLES -t nat -F

# Only forward what is explicitly allowed below; with the default ACCEPT policy the
# FORWARD rules would restrict nothing
$IPTABLES -P FORWARD DROP

# Enable NAT for traffic leaving via the internet interface
$IPTABLES -t nat -A POSTROUTING -o $INTERNET_IFACE -j MASQUERADE
# Forward LAN -> internet, plus return traffic of established connections
$IPTABLES -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $SUBNET_IFACE -o $INTERNET_IFACE -j ACCEPT

# Allow 67 for the DHCP server and 53 for DNS requests, but only when they arrive on the
# bridge. Matching on -s alone is spoofable from the internet side; -i is not.
$IPTABLES -I INPUT -i $SUBNET_IFACE -p udp --dport 67 -j ACCEPT
$IPTABLES -I INPUT -i $SUBNET_IFACE -s $SUBNET -p udp --dport 53 -j ACCEPT
$IPTABLES -I INPUT -i $SUBNET_IFACE -s $SUBNET -p tcp --dport 53 -j ACCEPT

# Save settings for next boot (the file read by the iptables.service unit on Arch Linux)
iptables-save > /etc/iptables/iptables.rules
# Enable service for next boot
systemctl enable iptables
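The three things worth checking after running a script like the one above are that the nat table holds exactly one MASQUERADE rule for the uplink (re-running a script that only flushes the filter table appends duplicates), that the FORWARD policy is DROP (otherwise the FORWARD accept rules are decorative), and that the DNS/DHCP accepts are bound to the bridge with -i rather than trusting a source address alone. The audit below is an added example for this page, not code from the original gist. It reads an iptables-save dump on stdin, assumes the interface names and LAN subnet used in the script, and the two sample dumps it ships with are constructed to represent the original script run twice and the hardened variant.

```shell
#!/bin/sh
# Audit an iptables-save dump of the connection-sharing ruleset.
# Added example, not part of the original gist. Interface names are assumptions
# matching the script above; change them to fit your setup.
SUBNET_IFACE=br0
INTERNET_IFACE=wlan0

# audit_ruleset: read an iptables-save dump on stdin, print one finding per
# line, return 0 when all three checks pass and 1 otherwise.
audit_ruleset() {
    dump=$(cat)
    rc=0

    # 1. Exactly one MASQUERADE rule for the uplink in the nat table.
    n=$(printf '%s\n' "$dump" | awk -v up="$INTERNET_IFACE" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j MASQUERADE/ && $0 ~ ("-o " up " ") { c++ }
        END { print c + 0 }')
    if [ "$n" -ne 1 ]; then
        echo "nat: $n MASQUERADE rules for $INTERNET_IFACE, expected 1"
        rc=1
    fi

    # 2. FORWARD policy must be DROP or the explicit ACCEPTs restrict nothing.
    pol=$(printf '%s\n' "$dump" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { print $2 }')
    if [ "$pol" != "DROP" ]; then
        echo "filter: FORWARD policy is ${pol:-unset}, expected DROP"
        rc=1
    fi

    # 3. Every INPUT accept for DNS (53) or DHCP (67) must carry -i <bridge>;
    #    a -s match on its own can be satisfied by a spoofed packet on the uplink.
    unbound=$(printf '%s\n' "$dump" | awk -v lan="$SUBNET_IFACE" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A INPUT / && /--dport (53|67) / &&
            /-j ACCEPT/ && $0 !~ ("-i " lan " ") { print }')
    if [ -n "$unbound" ]; then
        printf '%s\n' "$unbound" | while IFS= read -r rule; do
            echo "filter: INPUT rule not bound to $SUBNET_IFACE: $rule"
        done
        rc=1
    fi
    return $rc
}

# Constructed dump: the original script run twice (filter flushed, nat not).
sample_bad() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.4.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.4.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wlan0 -j ACCEPT
COMMIT
EOF
}

# Constructed dump: hardened ruleset (nat flushed, FORWARD DROP, DNS bound to br0).
sample_good() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -s 192.168.4.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br0 -s 192.168.4.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wlan0 -j ACCEPT
COMMIT
EOF
}

# On a live router (as root): iptables-save | audit_ruleset
```

Running `sample_bad | audit_ruleset` reports four findings (the duplicate MASQUERADE, the ACCEPT policy, and the two DNS rules matched on source address only), while `sample_good | audit_ruleset` prints nothing and exits 0.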