update the iptables only if rule does not exist, update the ipv4 forward also when it is commented

Dockerfile

@@ -14,12 +14,6 @@ RUN chmod 755 /usr/share/easy-rsa/*
 # Copy all files in the current directory to the /opt/app directory in the container
 COPY bin /opt/app/bin
 COPY docker-entrypoint.sh /opt/app/docker-entrypoint.sh
-RUN mkdir -p /opt/app/clients \
-    /opt/app/db \
-    /opt/app/log \
-    /opt/app/pki \
-    /opt/app/staticclients \
-    /opt/app/config
 
 # Add the openssl-easyrsa.cnf file to the easy-rsa directory
 ADD openssl-easyrsa.cnf /opt/app/easy-rsa/

docker-entrypoint.sh

@@ -60,7 +60,7 @@ if [ ! -c /dev/net/tun ]; then
 fi
 
 echo 'Configuring networking rules...'
-if ! grep -q 'net.ipv4.ip_forward=1' /etc/sysctl.conf; then
+if ! grep -q -E "^\s*#?\s*net.ipv4.ip_forward=1" /etc/sysctl.conf; then
   echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf; 
   echo 'IP forwarding configuration now applied:'
 else
@@ -69,16 +69,39 @@ fi
 sysctl -p /etc/sysctl.conf
 
 echo 'Configuring iptables...'
-echo 'NAT for OpenVPN clients'
-iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE
-iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE
+echo 'NAT for trusted openvpn clients'
+echo "iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE"
+iptables -t nat -C POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE 2>/dev/null|| {
+  iptables -t nat -A POSTROUTING -s $TRUST_SUB -o eth0 -j MASQUERADE
+}
+if [[ -z "${EXT_DENY_INET}" ]] || [[ "${EXT_DENY_INET}" = "false" ]]; then
+  echo 'NAT for external openvpn clients'
+  echo "iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE"
+    iptables -t nat -C POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE 2>/dev/null|| {
+      iptables -t nat -A POSTROUTING -s $GUEST_SUB -o eth0 -j MASQUERADE
+    }
+  INET_STRING=" (Internet still available)"
+fi
+
 
 echo 'Blocking ICMP for external clients'
-iptables -A FORWARD -p icmp -j DROP --icmp-type echo-request -s $GUEST_SUB 
-iptables -A FORWARD -p icmp -j DROP --icmp-type echo-reply -s $GUEST_SUB 
+echo "iptables -A FORWARD -p icmp -j DROP --icmp-type echo-request -s $GUEST_SUB"
+iptables -C FORWARD -p icmp -j DROP --icmp-type echo-request -s $GUEST_SUB 2>/dev/null|| {
+  iptables -A FORWARD -p icmp -j DROP --icmp-type echo-request -s $GUEST_SUB
+}
+echo "iptables -A FORWARD -p icmp -j DROP --icmp-type echo-reply -s $GUEST_SUB"
+iptables -C FORWARD -p icmp -j DROP --icmp-type echo-reply -s $GUEST_SUB 2>/dev/null|| {
+  iptables -A FORWARD -p icmp -j DROP --icmp-type echo-reply -s $GUEST_SUB 
+}
+
+if [[ ! -z "${EXT_DENY_HOME_NW}" ]] && [[ "${EXT_DENY_HOME_NW}" = "true" ]]; then
+  echo "Blocking internal home subnet to access from external openvpn clients${INET_STRING}"
+  echo "iptables -A FORWARD -s $GUEST_SUB -d $HOME_SUB -j DROP"
+  iptables -C FORWARD -s $GUEST_SUB -d $HOME_SUB -j DROP 2>/dev/null|| {
+    iptables -A FORWARD -s $GUEST_SUB -d $HOME_SUB -j DROP
+  }
+fi
 
-echo 'Blocking internal home subnet to access from external openvpn clients (Internet still available)'
-iptables -A FORWARD -s $GUEST_SUB -d $HOME_SUB -j DROP
 
 if [[ ! -s fw-rules.sh ]]; then
     echo "No additional firewall rules to apply."