#!/bin/sh
# @package      hubzero-iptables-basic
# @file         hubzero-iptables-basic
# @author       Nicholas J. Kisseberth <nkissebe@purdue.edu>
# @copyright    Copyright (c) 2006-2017 HUBzero Foundation, LLC.
# @license      http://opensource.org/licenses/MIT MIT
#
# Copyright (c) 2006-2017 HUBzero Foundation, LLC.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# HUBzero is a registered trademark of HUBzero Foundation, LLC.

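# Load the netfilter modules this script depends on (filter, NAT, mangle
# tables and the FTP connection-tracking/NAT helpers).
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe iptable_mangle

# The FTP helpers are requested under their older ip_* names; fall back to
# the nf_* names on kernels that no longer provide the old aliases.
# NOTE(review): the FTP helper lets FTP data connections match RELATED,
# which the rule set below accepts — confirm an FTP service on this host
# still needs it, otherwise drop these two lines.
modprobe ip_conntrack_ftp 2> /dev/null || modprobe nf_conntrack_ftp
modprobe ip_nat_ftp 2> /dev/null || modprobe nf_nat_ftp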

# Site overrides (e.g. LO_DEV) are read from the distribution's usual
# locations. Both files are executed as shell, so they must be writable by
# root only.
for _cfg in /etc/sysconfig/hubzero-iptables-basic /etc/default/hubzero-iptables-basic
do
	if [ -f "$_cfg" ]
	then
		. "$_cfg"
	fi
done

# Loopback interface name; "lo" unless the config set it to something non-empty.
LO_DEV=${LO_DEV:-lo}

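#######################################
# set_policy CHAIN TARGET
# Set the default policy of CHAIN. A failure here would leave the host in
# an unknown filtering state, so it is reported and aborts the script.
#######################################
set_policy() {
	if ! iptables -P "$1" "$2"
	then
		echo "${0##*/}: cannot set $1 policy to $2" >&2
		exit 1
	fi
}

#######################################
# ensure_rule HOW CHAIN MATCH...
# Add MATCH... to CHAIN (HOW is -I to prepend or -A to append) unless an
# identical rule already exists, so repeated runs do not pile up duplicates.
#######################################
ensure_rule() {
	_how=$1
	_chain=$2
	shift 2
	if ! iptables -C "$_chain" "$@" 2> /dev/null
	then
		iptables "$_how" "$_chain" "$@"
	fi
}

#######################################
# purge_rule CHAIN MATCH...
# Delete every instance of MATCH... from CHAIN (iptables -D removes only
# one per call). A rule that is not present is not an error.
#######################################
purge_rule() {
	while iptables -D "$@" 2> /dev/null
	do
		:
	done
}

case "$1" in
off|stop)
	# "stop" does not open the host: the INPUT policy stays DROP, the
	# per-service ACCEPT rules are removed, and only ssh, ICMP, loopback
	# and established/related traffic remain reachable.
	set_policy INPUT DROP

	purge_rule INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport ssh -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport smtp -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport mysql -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport ldap -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport http -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport https -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport http-alt -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport 830 -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport 831 -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport 830:831 -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
	purge_rule INPUT -p tcp -m tcp --dport 1170 -j ACCEPT

	# nlockmgr
	purge_rule INPUT -p tcp -m tcp --dport 45990 -j ACCEPT
	purge_rule INPUT -p udp -m udp --dport 41935 -j ACCEPT
	# nfs
	purge_rule INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
	purge_rule INPUT -p udp -m udp --dport 2049 -j ACCEPT
	# mountd
	purge_rule INPUT -p tcp -m tcp --dport 56186 -j ACCEPT
	purge_rule INPUT -p udp -m udp --dport 52892 -j ACCEPT
	# portmapper
	purge_rule INPUT -p tcp -m tcp --dport 111 -j ACCEPT
	purge_rule INPUT -p udp -m udp --dport 111 -j ACCEPT

	purge_rule INPUT -p icmp -j ACCEPT
	purge_rule INPUT -i "$LO_DEV" -j ACCEPT
	purge_rule INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	purge_rule INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT --reject-with icmp-host-prohibited

	# Minimal rule set that survives "stop". Each -I goes to the top of the
	# chain, so the last one inserted (loopback) is evaluated first.
	ensure_rule -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	ensure_rule -I INPUT -p icmp -j ACCEPT
	ensure_rule -I INPUT -p tcp -m tcp --dport ssh -j ACCEPT
	# Appended, so it sits below the loopback ACCEPT inserted next.
	ensure_rule -A INPUT -s 127.0.0.0/8 -j DROP
	ensure_rule -I INPUT -i "$LO_DEV" -j ACCEPT

	# OUTPUT policy is DROP, but the catch-all ACCEPT inserted right after
	# it lets all outbound traffic through.
	set_policy OUTPUT DROP
	ensure_rule -I OUTPUT -o "$LO_DEV" -j ACCEPT
	ensure_rule -I OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
	;;
on|start)
	# Default-deny inbound; everything below is an explicit allow.
	set_policy INPUT DROP

	# ssh service
	ensure_rule -I INPUT -p tcp -m tcp --dport ssh -j ACCEPT

	# mail service
	ensure_rule -I INPUT -p tcp -m tcp --dport smtp -j ACCEPT

	# mysql service
	ensure_rule -I INPUT -p tcp -m tcp --dport mysql -j ACCEPT

	# ldap service
	ensure_rule -I INPUT -p tcp -m tcp --dport ldap -j ACCEPT

	# web service
	ensure_rule -I INPUT -p tcp -m tcp --dport http -j ACCEPT

	# secure web service
	ensure_rule -I INPUT -p tcp -m tcp --dport https -j ACCEPT

	# vnc websocket proxy service
	ensure_rule -I INPUT -p tcp -m tcp --dport http-alt -j ACCEPT

	# secure vnc websocket proxy service
	ensure_rule -I INPUT -p tcp -m tcp --dport 8443 -j ACCEPT

	# front-proxy
	ensure_rule -I INPUT -p tcp -m tcp --dport 8000 -j ACCEPT

	# submit services
	ensure_rule -I INPUT -p tcp -m tcp --dport 830 -j ACCEPT
	ensure_rule -I INPUT -p tcp -m tcp --dport 831 -j ACCEPT

	# portmapper
	ensure_rule -I INPUT -p tcp -m tcp --dport 111 -j ACCEPT
	ensure_rule -I INPUT -p udp -m udp --dport 111 -j ACCEPT

	# mountd
	ensure_rule -I INPUT -p tcp -m tcp --dport 56186 -j ACCEPT
	ensure_rule -I INPUT -p udp -m udp --dport 52892 -j ACCEPT

	# nfs
	ensure_rule -I INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
	ensure_rule -I INPUT -p udp -m udp --dport 2049 -j ACCEPT

	# nlockmgr
	ensure_rule -I INPUT -p tcp -m tcp --dport 45990 -j ACCEPT
	ensure_rule -I INPUT -p udp -m udp --dport 41935 -j ACCEPT

	# Accept ICMP traffic (ping)
	ensure_rule -I INPUT -p icmp -j ACCEPT

	# Accept all traffic from localhost interface
	ensure_rule -I INPUT -i "$LO_DEV" -j ACCEPT

	# Accept all traffic from established/related connections; inserted
	# last so it is the first rule evaluated.
	ensure_rule -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	;;
*)
	# Unknown or missing action: the rule set is left untouched, as before,
	# but say so instead of failing silently.
	echo "usage: ${0##*/} {start|stop|on|off}" >&2
	;;
esac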

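# If fail2ban is installed and running, restart it once the rule set has
# changed — presumably so its jails re-create their own chains on top of
# the rules installed above (verify against the fail2ban configuration).
if [ -f /var/run/fail2ban/fail2ban.pid ] && [ -f /usr/bin/fail2ban-server ]
then
	if command -v invoke-rc.d >/dev/null 2>&1; then
		invoke-rc.d fail2ban restart
	else
		/etc/init.d/fail2ban restart
	fi
fi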

