#!/bin/sh

IF="$1"
CMD="$2"

if [ -z "${IF}" -a -z "${CMD}" ]; then
  CMD="vpn-down";
fi

if [ -n "${IF}" -a "${IF}" != "tun0" ]; then
  exit 0
fi

case "$CMD" in
  vpn-up)
    OP="-D"
    POS="1"
    ;;
  vpn-down)
    OP="-I"
    ;;
esac

RULE="FORWARD ${POS} -i virbr+ ! -o lo -j DROP"

iptables ${OP} ${RULE}