diff --git a/README.md b/README.md
index cf9c9a2789789f1ba807a3ee9b78099194cf732f..dafa15276e1ad9449b234bb4d0ac50fc689e83ca 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ reroute all incoming traffic from, say, `eth0` (where your Raspberry is
 connected to) through your wireless connection `wlan0`, you'd call the script
 like this (as **superuser**):
 ```
-# ./util/internet-sharing wlan0 eth0
+# ./util/internet-sharing wlan0 eth0 start
 ```
 
 To make the changes persistent, consult your Linux distribution's documentation.
diff --git a/util/internet-sharing b/util/internet-sharing
index 7905cbf7dbae6f2d409c329a54214cda89e21202..6afa8db74bebffe27ebd6c3ebc0a6c19445685f2 100755
--- a/util/internet-sharing
+++ b/util/internet-sharing
@@ -8,11 +8,47 @@
 # <https://wiki.archlinux.org/index.php/Internet_sharing>
 # <https://linoxide.com/firewall/ip-forwarding-connecting-private-interface-internet/>
 ################################################################################
-gwint=${1:-'net0'}  # internet gateway interface -- all outbound traffic
-clint=${2:-'net1'}  # client interface -- input traffic
+usage=$(cat <<EOF
+Usage:
 
-sysctl net.ipv4.ip_forward=1 net.ipv6.conf.default.forwarding=1 net.ipv6.conf.all.forwarding=1
+  $0 GWINTERFACE CLINTERFACE COMMAND
 
-iptables -t nat -A POSTROUTING -o $gwint -j MASQUERADE
-iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A FORWARD -i $clint -o $gwint -j ACCEPT
+where:
+
+  GWINTERFACE internet gateway interface -- all outbound traffic, e.g. "net0"
+  CLINTERFACE client interface -- input traffic, e.g. "net1"'
+  COMMAND     "start", "stop" or "restart"
+EOF
+)
+
+function do_start {
+    sysctl net.ipv4.ip_forward=1 net.ipv6.conf.default.forwarding=1 net.ipv6.conf.all.forwarding=1
+    iptables -t nat -A POSTROUTING -o $gwint -j MASQUERADE
+    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    iptables -A FORWARD -i $clint -o $gwint -j ACCEPT
+}
+
+function do_stop {
+    sysctl net.ipv4.ip_forward=0 net.ipv6.conf.default.forwarding=0 net.ipv6.conf.all.forwarding=0
+    iptables -F
+    iptables -t nat -F
+}
+
+gwint=${1:?'arg #1 missing: internet gateway interface -- all outbound traffic, e.g. "net0"'}
+clint=${2:?'arg #2 missing: client interface -- input traffic, e.g. "net1"'}
+cmmnd=${3:?'arg #3 missing: command (start, stop, restart)'}
+
+case $cmmnd in
+    start)
+        do_start
+        ;;
+    stop)
+        do_stop
+        ;;
+    restart)
+        do_stop && do_start
+        ;;
+    *)
+        echo >&2 "[error] $cmmnd: invalid command"
+        echo >&2 "${usage}"
+esac
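Review bot: do_stop runs `iptables -F` and `iptables -t nat -F`, which flush every chain in the filter and nat tables rather than only the three rules do_start appended, so any unrelated host firewall rules (for example INPUT restrictions) are silently removed on `stop` and `restart`. Delete exactly what was added by mirroring do_start with `-D`: `iptables -t nat -D POSTROUTING -o "$gwint" -j MASQUERADE`, `iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `iptables -D FORWARD -i "$clint" -o "$gwint" -j ACCEPT`. do_stop also sets the three forwarding sysctls to 0 unconditionally, which may disable forwarding that was already enabled for another purpose before `start` was run. Separately, the `*)` branch prints the usage but the script still exits with status 0; adding `exit 1` after the usage line would let callers detect the invalid command.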