#!/bin/bash

function reset_firewall() {
  # Return the IPv4 and IPv6 *filter* tables to a fully open state: every
  # built-in chain policy set to ACCEPT, all rules flushed, all user-defined
  # chains deleted.  Only the filter table is touched; nat and mangle are
  # left alone (routing-off is what flushes the nat table).
  # Globals: none.  Arguments: none.  Returns: status of the last command.
  local fw chain
  for fw in iptables ip6tables; do
    # global policy
    for chain in INPUT FORWARD OUTPUT; do
      "$fw" -P "$chain" ACCEPT
    done
    # erase rules, then user-defined chains
    "$fw" -F
    "$fw" -X
  done
}

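function preset_firewall() {
  # Install the baseline ("system") rule set that precedes the user's
  # firewall.conf: default-deny INPUT/FORWARD, allow OUTPUT, and open the
  # services this host is expected to provide.  IPv4 and IPv6.
  #
  # Globals: none.  Arguments: none.  Returns: status of the last command.
  #
  # Differences from the earlier version of this function:
  #  * Replies to this host's own traffic are admitted by a conntrack
  #    RELATED,ESTABLISHED rule placed first, instead of "--sport 53" rules.
  #    Matching on the remote *source* port let any host reach any local
  #    port simply by sending from port 53, which defeated the DROP policy.
  #  * Packets conntrack classifies as INVALID are dropped before any
  #    port-based ACCEPT can match them.
  #  * IPv6 neighbour/router discovery (ICMPv6 types 133-136) is accepted.
  #    Conntrack does not track these, so with an INPUT DROP policy and no
  #    explicit rule IPv6 neighbours cannot resolve this host at all.
  #  * The duplicate "-s 127.0.0.1 -i lo" rule and the 22/udp rule (SSH is
  #    TCP only) are gone; neither admitted traffic the other rules do not.
  #
  # The OUTPUT rules below are redundant while the OUTPUT policy is ACCEPT,
  # but firewall.conf may tighten that policy, so they are kept.

  # ipv4
  # global policy
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  # stateful baseline: replies to our own traffic first, then garbage out
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  # open localhost
  iptables -A INPUT -i lo -j ACCEPT
  # open ntp -- 123 is reachable from every source; add "-s" restrictions
  # if this host does not serve time to others
  iptables -A INPUT -p udp --dport 123 -j ACCEPT
  iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
  iptables -A INPUT -p tcp --dport 123 -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 123 -j ACCEPT
  # open dns (outbound queries; replies match RELATED,ESTABLISHED above)
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

  # open 192.168.127.0-192.168.127.127 (/25) for NewGen
  # NOTE(review): this trusts a source address with no interface binding, so
  # it is spoofable from any interface; add "-i <iface>" if the NewGen
  # network is always reached through one interface -- confirm.
  iptables -A INPUT -s 192.168.127.0/25 -j ACCEPT
  # for ssh
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # open vnc -- unencrypted; prefer tunnelling it over ssh
  iptables -A INPUT -p tcp --dport 5800 -j ACCEPT
  iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
  # allow ping (eth0 only)
  iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
  # allow ftp -- cleartext credentials.  Passive-mode data connections are
  # only admitted when the nf_conntrack_ftp helper is loaded (they then
  # match RELATED above); the 20/tcp rule alone does not cover them.
  iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -A INPUT -p tcp --dport 20 -j ACCEPT
  # allow telnet -- cleartext; keep only while it is really needed
  iptables -A INPUT -p tcp --dport 23 -j ACCEPT
  #
  #
  # ipv6
  # global policy
  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables -P OUTPUT ACCEPT

  # stateful baseline
  ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

  # open localhost
  ip6tables -A INPUT -i lo -j ACCEPT

  # neighbour discovery (RFC 4861): router solicitation/advertisement (133,
  # 134) and neighbour solicitation/advertisement (135, 136).  Legitimate ND
  # is always sent with hop limit 255, so anything routed in is rejected.
  local nd_type
  for nd_type in 133 134 135 136; do
    ip6tables -A INPUT -p icmpv6 --icmpv6-type "$nd_type" -m hl --hl-eq 255 -j ACCEPT
  done

  # open ntp (same exposure note as for ipv4)
  ip6tables -A INPUT -p udp --dport 123 -j ACCEPT
  ip6tables -A OUTPUT -p udp --sport 123 -j ACCEPT
  ip6tables -A INPUT -p tcp --dport 123 -j ACCEPT
  ip6tables -A OUTPUT -p tcp --sport 123 -j ACCEPT

  # open dns (outbound queries; replies match RELATED,ESTABLISHED above)
  ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
  ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT

  # allow ssh
  ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

  # allow ping (echo-reply is kept as before; solicited replies already
  # match ESTABLISHED)
  ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
  ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

  # allow ftp (see the ipv4 note)
  ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
  ip6tables -A INPUT -p tcp --dport 20 -j ACCEPT

  # allow telnet (cleartext)
  ip6tables -A INPUT -p tcp --dport 23 -j ACCEPT
}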

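function routing-on() {
  # Turn this host into a NAT router for 172.16.0.0/12 via eth0.
  #
  # Globals: none.  Arguments: none.  Returns: status of the last command.
  #
  # The earlier version of this function appended "iptables -A INPUT -j
  # ACCEPT".  Since it ran before preset_firewall, that rule sat at the head
  # of INPUT and every rule and the DROP policy installed afterwards were
  # unreachable: the firewall was effectively off whenever routing was on.
  # Forwarded packets never traverse INPUT, so routing needs no INPUT rule.
  #
  # Note that preset_firewall later sets the FORWARD policy to DROP, so
  # forwarding rules for the routed clients have to come from firewall.conf.

  # ipv4
  sysctl -q -w net.ipv4.ip_forward=1
  # NOTE(review): proxy_arp on *all* interfaces makes this host answer ARP
  # for any address it can route; presumably needed so eth0 peers can reach
  # 172.16.0.0/12 -- confirm, and narrow it to that interface if possible.
  sysctl -q -w net.ipv4.conf.all.proxy_arp=1
  # Masquerade traffic leaving eth0.  Nothing flushes the nat table before
  # this runs, so only append when the rule is not already present.  On an
  # iptables too old for -C the check fails and we fall back to appending,
  # which is the previous behaviour.
  iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  route add -net 172.16.0.0/12 eth0
  #
  # ipv6 TBD if need be
  #
  #sysctl -q -w net.ipv6.conf.all.forwarding=1
  #sysctl -q -w net.ipv6.conf.all.proxy_ndp=1
  #ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  #ip6tables -P FORWARD ACCEPT
  #ip6tables -P OUTPUT ACCEPT
}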

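function routing-off() {
  # Undo routing-on: stop forwarding and proxy ARP, flush the filter and nat
  # tables (which removes the MASQUERADE rule) and delete the static route.
  #
  # Globals: none.  Arguments: none.  Returns: status of the last command.

  # ipv4
  # sysctl is the standard interface for these knobs and fails loudly when
  # the key is missing or we lack privilege
  sysctl -q -w net.ipv4.ip_forward=0
  sysctl -q -w net.ipv4.conf.all.proxy_arp=0
  # Flushing the filter table is redundant when reset_firewall has just run
  # but keeps this function safe to call on its own.
  iptables -F
  iptables -t nat -F
  iptables -X
  # best effort: the route is normally absent on a host where routing was
  # never switched on, so its error output is intentionally discarded
  route del -net 172.16.0.0/12 eth0 >/dev/null 2>&1
  #
  # ipv6 TBD if need be
  #
  #sysctl -q -w net.ipv6.conf.all.forwarding=0
  #sysctl -q -w net.ipv6.conf.all.proxy_ndp=0
  #ip6tables -F
  #ip6tables -t nat -F
  #ip6tables -X
}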

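function set_firewall() {
  # Apply the user's firewall rules from a configuration file.
  #
  # File format: every non-empty line is the argument list of one iptables /
  # ip6tables invocation.  A line reading "[IPV4]" or "[IPV6]" selects which
  # binary the following lines are passed to; lines before any section tag
  # are reported and skipped.  Text after '#' or ';' is a comment.
  #
  # Arguments: $1 - path of the config file (default: /home/secuser/firewall.conf)
  # Outputs:   section-tag progress on stdout, problems on stderr
  # Returns:   0 when the file was processed, 1 when it cannot be read.
  #            A rule that iptables rejects is reported but does not abort.
  #
  # Security notes:
  #  * Every line is executed as root with exactly the arguments it contains,
  #    so whoever can write this file controls the firewall.  It should be
  #    owned by root and not writable by anyone else -- TODO confirm how the
  #    file is provisioned (it lives under a user's home directory).
  #  * Lines are split on whitespace only (no globbing, no eval) and the file
  #    is streamed straight from sed; the previous fixed-name scratch copy in
  #    /tmp was open to symlink and race tampering between write and read.
  local conf=${1:-/home/secuser/firewall.conf}
  local ipv4_tag="[IPV4]"
  local ipv6_tag="[IPV6]"
  local fw_cmd=""
  local line
  local -a args

  if [ ! -r "$conf" ]; then
    printf 'Cannot read configuration file: %s\n' "$conf" >&2
    return 1
  fi

  # "|| [ -n "$line" ]" still processes a last line that lacks a newline.
  while IFS= read -r line || [ -n "$line" ]; do
    # split on whitespace; a blank or comment-only line yields no words
    read -r -a args <<< "$line"
    [ "${#args[@]}" -eq 0 ] && continue
    line="${args[*]}"
    case "$line" in
      "$ipv4_tag")
        printf '  *****    FOUND IPV4 SECTION-TAG *****\n\n'
        fw_cmd="iptables"
        continue
        ;;
      "$ipv6_tag")
        printf '  *****    FOUND IPV6 SECTION-TAG *****\n\n'
        fw_cmd="ip6tables"
        continue
        ;;
    esac
    if [ -z "$fw_cmd" ]; then
      printf 'missing IP version section-tag for line:\n  %s\n\n' "$line" >&2
      continue
    fi
    if ! "$fw_cmd" "${args[@]}"; then
      printf 'Command failed:\n  %s\n\n' "$line" >&2
    fi
  done < <(sed 's/[#;].*$//' "$conf")
  return 0
}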

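   echo "Reset firewall"
   # Always start from a fully open filter table so that stale rules from a
   # previous run never survive a reconfiguration.
   reset_firewall

   # Escape hatch: "firewall=no" on the kernel command line disables the
   # user firewall by renaming its configuration file.  Nothing in this
   # script reverts the rename, so a single boot with firewall=no leaves the
   # firewall off until someone restores the file by hand.
   if grep -q "firewall=no" /proc/cmdline; then
      if [ -f /home/secuser/firewall.conf ]; then
         echo "Remove configuration file"
         mv /home/secuser/firewall.conf /home/secuser/firewall.conf_removed
      fi
   fi

   # "--reset" stops here and leaves the tables open; routing state is not
   # touched in that case.
   if [ "$1" != "--reset" ]; then
      # Routing first, then the rule set.  preset_firewall sets the FORWARD
      # policy to DROP, so forwarding for routed clients has to be
      # re-allowed from firewall.conf.
      if [ -f /root/.software-routing-on ]; then
         echo "Set routing-on"
         routing-on
      else
         echo "Set routing-off"
         routing-off
      fi
      # Without a configuration file the host stays fully open (no
      # preset_firewall either).
      if [ -f /home/secuser/firewall.conf ]; then
         echo "Set system rules"
         preset_firewall
         echo "Parse user configuration file"
         set_firewall
      fi
   fi

   # Persist the running rule set so it is restored on the next boot.  Say
   # so explicitly when the init scripts are missing rather than leaving a
   # bare "No such file" from the shell.
   for svc in /etc/init.d/iptables /etc/init.d/ip6tables; do
      if [ -x "$svc" ]; then
         "$svc" save
      else
         printf 'Cannot persist rules: %s is missing or not executable\n' "$svc" >&2
      fi
   done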

