#!/bin/sh
# @package      hubzero-mw-iptables-basic
# @file         hubzero-mw-iptables-basic
# @author       Nicholas J. Kisseberth <nkissebe@purdue.edu>
# @copyright    Copyright (c) 2006-2017 HUBzero Foundation, LLC.
# @license      http://opensource.org/licenses/MIT MIT
#
# Copyright (c) 2006-2017 HUBzero Foundation, LLC.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# HUBzero is a registered trademark of HUBzero Foundation, LLC.

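# Load the netfilter modules the rules below depend on.  Failures are
# deliberately non-fatal (the script runs without `set -e`): on most
# kernels these are built in or autoloaded the first time iptables touches
# the table, in which case modprobe is a no-op.
for mod in ip_tables iptable_nat iptable_filter iptable_mangle
do
	/sbin/modprobe "$mod"
done

# FTP connection-tracking / NAT helpers.  The ip_* names are the legacy
# module names; newer kernels ship the same helpers as nf_conntrack_ftp and
# nf_nat_ftp.  Try the legacy name first so behaviour on old hosts is
# unchanged, and only fall back when it is unknown to this kernel.
# NOTE(review): with these helpers loaded, conntrack will parse FTP control
# traffic for container connections when helper auto-assignment is enabled
# in the kernel -- confirm that is intended for the tool-container traffic.
/sbin/modprobe ip_conntrack_ftp 2> /dev/null || /sbin/modprobe nf_conntrack_ftp
/sbin/modprobe ip_nat_ftp 2> /dev/null || /sbin/modprobe nf_nat_ftp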

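# Site overrides: a distro-specific defaults file (RPM layout under
# /etc/sysconfig, Debian layout under /etc/default) may set INT_DEV,
# EXT_DEV and INT_NET.  Both are sourced if present; on a host that has
# both, values from /etc/default win because it is read last.
if [ -f /etc/sysconfig/hubzero-mw-iptables-basic ]
then
    . /etc/sysconfig/hubzero-mw-iptables-basic
fi

if [ -f /etc/default/hubzero-mw-iptables-basic ]
then
    . /etc/default/hubzero-mw-iptables-basic
fi

#######################################
# Print the interface of the first default route.
# Arguments: none; reads `ip route ls` output on stdin
# Outputs:   the token following "dev" on the first "default" line, or
#            nothing when there is no default route
#######################################
# Only the interface token is printed.  The previous `grep -Po '(?<=dev ).*'`
# captured the whole rest of the line, so on newer iproute2 (which appends
# "proto ... metric ...") EXT_DEV became several words and every rule using
# -o "$EXT_DEV" failed.
default_route_dev() {
    awk '$1 == "default" { for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Interface the tool containers sit behind.
if [ -z "$INT_DEV" ]
then
    INT_DEV=venet0
fi

# Outward-facing interface; defaults to whatever carries the default route
# (typically eth0).
if [ -z "$EXT_DEV" ]
then
    EXT_DEV=$(ip route ls 2> /dev/null | default_route_dev)
fi

# Every FORWARD/NAT rule below matches on -o "$EXT_DEV"; an empty value
# means none of them can be installed, so say so loudly.
if [ -z "$EXT_DEV" ]
then
    printf '%s: cannot determine EXT_DEV from the default route; set it in the defaults file\n' "${0##*/}" >&2
fi

# Address range assigned to tool containers.
if [ -z "$INT_NET" ]
then
    INT_NET=192.168.0.0/16
fi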

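#######################################
# Add a rule unless an identical one is already loaded.
# Arguments: $1 - table (filter, nat)
#            $2 - iptables action: -A (append) or -I (insert at top)
#            $3... - chain followed by the rule specification
# Returns:   iptables exit status
#######################################
# The body is a subshell so the scratch variables stay local under plain sh.
iptables_ensure() (
	tbl=$1
	act=$2
	shift 2
	iptables -t "$tbl" -C "$@" 2> /dev/null || iptables -t "$tbl" "$act" "$@"
)

#######################################
# Delete every instance of a rule; silent when none is loaded.
# Arguments: $1 - table (filter, nat)
#            $2... - chain followed by the rule specification
#######################################
# A single -D removes only one copy; looping cleans up duplicates left by
# older releases that appended without checking first.
iptables_purge() (
	tbl=$1
	shift
	while iptables -t "$tbl" -D "$@" 2> /dev/null
	do
		:
	done
)

# NOTE(review): only IPv4 is configured here (ip_forward, iptables);
# ip6tables is not touched by this script.
case "$1" in
off|stop)
	# Set iptables FORWARD chain policy to DROP.  DROP is also the policy
	# while running, so "stop" leaves forwarding closed rather than open.
	iptables -P FORWARD DROP

	iptables_purge filter FORWARD -i "$INT_DEV" -s "$INT_NET" -j ACCEPT
	iptables_purge filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT

	# The 830:831 range form is not installed by "start" any more; it is
	# removed here so an upgrade from a release that used it cleans up.
	iptables_purge filter FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p tcp -m state --state NEW -m tcp --dport 830:831 -j ACCEPT
	for port in 830 831 80 443
	do
		iptables_purge filter FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
	done
	iptables_purge filter FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

	# MASQUERADE rules only match for deletion with the exact --to-ports
	# that "start" used.  "start" installs 10000-65535; the 10000-50000
	# form was installed by an older release and is purged for the same
	# upgrade reason.  Previously only 10000-50000 was deleted here, so
	# "stop" left the NAT rules from "start" in place.
	for proto in tcp udp
	do
		iptables_purge nat POSTROUTING -p "$proto" -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE --to-ports 10000-65535
		iptables_purge nat POSTROUTING -p "$proto" -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE --to-ports 10000-50000
	done
	iptables_purge nat POSTROUTING -p icmp -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE
	;;
on|start)
	# Enable IP forwarding. Allows host to accept packets destined for containers
	echo '1' > /proc/sys/net/ipv4/ip_forward

	# Set iptables FORWARD chain policy to DROP: anything not explicitly
	# accepted below is dropped.
	iptables -P FORWARD DROP

	# Forward traffic from established, related or DNAT connections.
	# Inserted at the top (-I) so it is evaluated before the per-port rules.
	iptables_ensure filter -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT

	# Forward some traffic from tool containers so they can make some outbound connections
	# @TODO: This was probably meant to be limited to the hub web server originally
	#   830, 831 - submit services
	#   80, 443  - web service / secure web service
	#   53/udp   - dns service
	for port in 830 831 80 443
	do
		iptables_ensure filter -A FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
	done
	iptables_ensure filter -A FORWARD -i "$INT_DEV" -s "$INT_NET" -o "$EXT_DEV" -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

	# Enable NAT for tool containers
	# --to-ports is used to prevent
	#     client ports < 1024 from being used which
	#         could be used to imply trust we don't want to give tool containers
	#         (eg. NFS server with 'secure' option requires client ports < 1024)
	#     client ports < 10000 from being used which
	#         might confuse an observer into thinking a service on a well known
	#         port was in use (arbitrary port cutoff but diminishing returns on
	#         well known ports > 10000)
	# The "stop" branch must delete these with the same --to-ports value.
	for proto in tcp udp
	do
		iptables_ensure nat -I POSTROUTING -p "$proto" -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE --to-ports 10000-65535
	done
	# ICMP has no ports, so no --to-ports here.
	iptables_ensure nat -I POSTROUTING -p icmp -s "$INT_NET" -o "$EXT_DEV" -j MASQUERADE
	;;
*)
	# Unknown (or missing) action: say so, but keep going so the
	# fail2ban handling below still runs as it always did.
	printf 'usage: %s {start|stop|on|off}\n' "${0##*/}" >&2
	;;
esac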

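# If fail2ban is installed and running, restart it after the rules above
# have been (re)applied -- presumably so its own iptables chains are
# re-created on top of them; confirm against the fail2ban configuration.
# Two separate tests instead of the deprecated `-a` keep this POSIX-clean.
if [ -f /var/run/fail2ban/fail2ban.pid ] && [ -f /usr/bin/fail2ban-server ]
then
	# Prefer the policy-aware wrapper on Debian-style hosts.
	if command -v invoke-rc.d >/dev/null 2>&1; then
		invoke-rc.d fail2ban restart
	else
		/etc/init.d/fail2ban restart
	fi
fi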

