#!/bin/sh
# @package      hubzero-firewall
# @file         firewall_on
# @author       Rick Kennel <kennell@purdue.edu>
# @copyright    Copyright (c) 2006-2012 HUBzero Foundation, LLC.
# @license      http://www.gnu.org/licenses/lgpl-3.0.html LGPLv3
#
# Copyright (c) 2006-2012 HUBzero Foundation, LLC.
#
# This file is part of: The HUBzero(R) Platform for Scientific Collaboration
#
# The HUBzero(R) Platform for Scientific Collaboration (HUBzero) is free
# software: you can redistribute it and/or modify it under the terms of
# the GNU Lesser General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any
# later version.
#
# HUBzero is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# HUBzero is a registered trademark of HUBzero Foundation, LLC.

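# Load the netfilter modules the rules below depend on.  Each modprobe is
# left independent (no `set -e`): a module may already be loaded or built
# in, and aborting half-way would leave the chains partially configured.
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe iptable_mangle

# FTP helpers so that RELATED data connections are matched by the
# ESTABLISHED,RELATED rules below.
# NOTE(review): these are the legacy module names; newer kernels ship them as
# nf_conntrack_ftp / nf_nat_ftp — confirm against the target kernel.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Forwarding between the container network and the external interface
# requires IPv4 forwarding to be enabled.
echo '1' > /proc/sys/net/ipv4/ip_forward

# Interfaces and address range used by every rule below.
#   EXT_DEV - external (upstream) interface
#   INT_DEV - container-side interface (the "VEs" referred to below)
#   INT_NET - address range assigned to the containers
# All rules reference these variables; do not hard-code the device names.
EXT_DEV=eth0
INT_DEV=venet0
INT_NET=10.0.0.0/8

# Rules are appended (-A) to whatever is already in the chains.  This script
# does not flush first, so running it twice duplicates every rule.
# NOTE(review): consider flushing the filter and nat chains before appending,
# once it is confirmed nothing else installs rules on this host.

# Set up basic firewalling to prevent just anyone from forwarding packets
# through my firewall
iptables -P FORWARD DROP
# Anything from the container interface with a container source address may
# be forwarded to any destination.
# NOTE(review): because this rule accepts all such traffic, the per-port
# "outbound only to a few things" rules further down only matter for packets
# whose source is outside INT_NET.  Removing this rule would also block
# container-to-container forwarding, so confirm the intent before tightening.
iptables -A FORWARD -i "$INT_DEV" -s "$INT_NET" -j ACCEPT
# Return traffic for connections already tracked, including DNAT'd ones.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
# Enable source NAT and forwarding
# Masquerade container traffic leaving on the external interface.  TCP/UDP
# source ports are remapped into 10000-50000; only these three protocols are
# NATed, anything else from the containers leaves with its original source.
iptables -t nat -A POSTROUTING -p tcp -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE --to-ports 10000-50000
iptables -t nat -A POSTROUTING -p udp -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE --to-ports 10000-50000
iptables -t nat -A POSTROUTING -p icmp -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE
#  Allow VEs to make outbound connections only to a few things.

# Allow all containers to access the submit server on the local machine.
iptables -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p tcp --dport 830:831 -j ACCEPT
# Hub Web Server
iptables -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p tcp --dport 443 -j ACCEPT
# DNS Servers
iptables -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -p udp --dport 53 -j ACCEPT

# Turn on input filtering firewall: default-deny, then allow loopback and
# replies to connections this host already has tracked (same conntrack match
# as the FORWARD chain above).
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Service names below are resolved through /etc/services.
# Allow ssh from anywhere
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow mail from anywhere
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
# Allow mysql from anywhere
# NOTE(review): mysql and ldap are accepted from any source address.  Unless
# clients outside this host genuinely need them, limiting these two rules with
# -s to the trusted networks (or -i "$INT_DEV") reduces the exposed surface.
iptables -A INPUT -p tcp --dport mysql -j ACCEPT
# Allow ldap from anywhere
iptables -A INPUT -p tcp --dport ldap -j ACCEPT
# Allow http/https/vncproxy/submit from venet
# (the http/https/http-alt rules here are subsumed by the "from everywhere"
# rules that follow; only the 830:831 rule is specific to the container side)
iptables -A INPUT -p tcp -i "$INT_DEV" --dport http -j ACCEPT
iptables -A INPUT -p tcp -i "$INT_DEV" --dport https -j ACCEPT
iptables -A INPUT -p tcp -i "$INT_DEV" --dport http-alt -j ACCEPT
iptables -A INPUT -p tcp -i "$INT_DEV" --dport 830:831 -j ACCEPT
# Allow http/https/vncproxy from everywhere
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT
iptables -A INPUT -p tcp --dport http-alt -j ACCEPT
# Allow access the groupauth port.
iptables -A INPUT -p tcp --dport 1170 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -j ACCEPT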

