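{

# Text::Template fragment: emits the shell function forwardFromChilli() that
# builds the FORWARD_FROM_CHILLI iptables chain (wireless clients -> internet).
#
# Inputs are read from the chilli configuration record (%chilli): the
# AllowedOutgoing, uamallowed, dns1 and dns2 properties.  Every value is checked
# against an allow-list pattern BEFORE it is interpolated into the generated
# script, so a stray config value cannot inject shell text or extra iptables
# arguments; an entry that fails the check is skipped and no rule is emitted
# for it.  $net is expected to be a Perl variable defined earlier in the
# template; $OUTERIF is a shell variable of the generated script.

$OUT .= <<"HERE";

# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
    /sbin/iptables -N FORWARD_FROM_CHILLI
    /sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
    /sbin/iptables -A FORWARD_FROM_CHILLI ! -s $net -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI ! -o \$OUTERIF -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
    # Allow http for un-authenticated clients so uamallowed works
    # Https need to be allowed in AllowedOutgoing
    /sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT

HERE

# Allow-list patterns.  None of them contains a capturing group, so the
# callers below can rely on their own $1/$2/$3.  Matches are anchored with
# \A and \z rather than ^/$: the latter accepts a trailing newline, which
# would have split a generated iptables line in two.
my $ReIpNum  = qr{(?:[01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])};
my $ReIp     = qr{$ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum};
my $ReIpAddr = qr{$ReIp|any|ANY|\*};
# Ports 0-65535 only.  The previous pattern accepted anything up to 69999,
# which iptables rejects and which would abort the generated script.
my $RePort   = qr{6553[0-5]|655[0-2][0-9]|65[0-4][0-9][0-9]|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4}};
my $ReProto  = qr{tcp|TCP|udp|UDP};
# dns1/dns2 are passed to "-d", which iptables resolves, so a hostname is
# acceptable there; restrict the value to hostname/IP characters only.
my $ReSafeHost = qr{[A-Za-z0-9.\-]+};

# Build one ACCEPT line for FORWARD_FROM_CHILLI.
#   $label - the validated config entry, echoed as a comment in the script
#   $proto - tcp/udp, or undef to match any protocol
#   $host  - destination, or undef / any / ANY / * to match any host
#   $dport - destination port, or undef / any / ANY / * to match any port
# TCP rules match --syn only: replies and established traffic are expected
# to be accepted by the state_chk chain that runs first.
# A closure is used rather than a named sub so that re-expanding the template
# does not redefine a package subroutine.
my $accept_rule = sub {
    my ($label, $proto, $host, $dport) = @_;
    my $rule = "    # $label is allowed:\n";
    $rule .= "    /sbin/iptables -A FORWARD_FROM_CHILLI ";
    $rule .= "-p $proto "      if defined $proto && $proto ne '';
    $rule .= "-d $host "       if defined $host  && $host  !~ /\A(?:any|\*)\z/i;
    $rule .= "--dport $dport " if defined $dport && $dport !~ /\A(?:any|\*)\z/i;
    $rule .= "--syn "          if defined $proto && $proto =~ /\Atcp\z/i;
    return $rule . "-j ACCEPT\n";
};

# Allow services specified in AllowedOutgoing.  Each entry has the form
# proto:remote_host:remote_port; host and port may be a wildcard (any/ANY/*).
# Entries are separated by ';' or ','.
foreach (split(/[;,]/, ${'chilli'}{'AllowedOutgoing'} || '')) {
    next unless /\A($ReProto):($ReIpAddr):($RePort)\z/;
    $OUT .= $accept_rule->($_, $1, $2, $3);
}

# Walled-garden hosts from uamallowed.  Accepted forms are
# proto:host:port, host:port, proto:host and a bare host.  The fields are
# taken from the regex captures instead of a blind split on ':', because for
# host:port and bare host the first field is the host, not the protocol
# (the old split-based code emitted "-p <host> -d <port>" for those).
# Only a literal IPv4 address is accepted as host: a wildcard here would let
# un-authenticated clients reach every destination, and hostnames are left
# to chilli's own uamallowed handling.
foreach (split(/[;,]/, ${'chilli'}{'uamallowed'} || '')) {
    next unless /\A(?:($ReProto):)?($ReIp)(?::($RePort))?\z/;
    $OUT .= $accept_rule->($_, $1, $2, $3);
}

# Allow DNS (udp/53) to the one or two configured resolvers.  The value is
# interpolated into the script, so it is restricted to hostname/IP characters
# like every other config value above; anything else is skipped.
foreach my $key (qw(dns1 dns2)) {
    my $dns = ${'chilli'}{$key} || '';
    next if $dns eq '';
    next unless $dns =~ /\A$ReSafeHost\z/;
    $OUT .= "    # Allow dns requests to $dns\n" .
            "    /sbin/iptables -A FORWARD_FROM_CHILLI -p udp --dport 53 -d $dns -j ACCEPT\n";
}

# Default deny for everything not explicitly allowed above, then close the
# shell function.
$OUT .= "    /sbin/iptables -A FORWARD_FROM_CHILLI -j denylog\n\}\n";

}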

