#!/bin/bash
#
### BEGIN INIT INFO
# Provides: bm-iptables
# Required-Start: $syslog $network
# Required-Stop: $syslog $network
# Should-Start: bm-core
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: BM iptables rules.
# Description: init system for BlueMind iptables rules.
### END INIT INFO

test -f ~/core.debug && exit 0

# Debian/Ubuntu
[ -f /lib/init/vars.sh ] && source /lib/init/vars.sh
[ -f /lib/lsb/init-functions ] && source /lib/lsb/init-functions
# RH
[ ! -f /lib/lsb/init-functions ] && [ -f /etc/init.d/functions ] && source /etc/init.d/functions

[ -d /run/systemd/system ] && systemctl is-active --quiet firewalld && sleep 3

if [ "$VERBOSE" == "yes" ]; then
    set -x
fi

BM_SERVICE="BlueMind iptables rules"

IP6TABLES=1
if command -v ip6tables &> /dev/null; then
    IP6TABLES=0
fi
iptables_timeout="-w 10"

cyrus="24 1110 1143 2000 2502"
http="81"
lmtp="2400"
milter="2500"
mapi=5001
pg="5432"
cassandra="7000 9042"
node="8022"
webserver="8080"
eas="8082"
core="2501 8090"
tika="8087"
influxdb="8086"
chronograph="8888"
kapacitor="9092"
es="9200 9300"
memcache="11211"
keycloak="8099"
keycloak_mgmt="8100"
keydb="6379"

bmPorts="${r"${cyrus}"} \
	 ${r"${http}"} \
	 ${r"${lmtp}"} \
	 ${r"${milter}"} \
	 ${r"${mapi}"} \
	 ${r"${pg}"} \
	 ${r"${cassandra}"} \
	 ${r"${node}"} \
	 ${r"${webserver}"} \
	 ${r"${eas}"} \
	 ${r"${core}"} \
	 ${r"${tika}"} \
	 ${r"${influxdb}"} \
	 ${r"${chronograph}"} \
	 ${r"${kapacitor}"} \
	 ${r"${es}"} \
	 ${r"${memcache}"} \
	 ${r"${keycloak_mgmt}"} \
	 ${r"${keycloak}"} \
	 ${r"${keydb}"}"

bmHosts="${bmHostsAddresses?join(" ")}"
bmHostChain="bmhosts"
bmPortChain="bmports"

cmd_iptables() {
    iptables ${r"${iptables_timeout}"} ${r"${*}"}

    [ ${r"${IP6TABLES}"} ] && {
        ip6tables ${r"${iptables_timeout}"} ${r"${*}"}
    }
}

stop_bm-iptables() {
	echo -n "Removing BM iptables rules..."
	
	cmd_iptables -L -v -n|grep ${r"${bmPortChain}"} 2>&1 > /dev/null
	alreadyLoaded=$?
	
	if [ ${r"${alreadyLoaded}"} -eq 0 ]; then
	        # Flushing BlueMind rules
	        cmd_iptables -D INPUT -j ${r"${bmHostChain}"}
	
	        cmd_iptables -F ${r"${bmHostChain}"}
	        cmd_iptables -F ${r"${bmPortChain}"}
	        cmd_iptables -X ${r"${bmHostChain}"}
	        cmd_iptables -X ${r"${bmPortChain}"}
	fi
	
	echo " done."
}

start_bm-iptables() {
	echo -n "Adding BM iptables rules..."

	# Fill filter
	cmd_iptables -N ${r"${bmPortChain}"}
	for bmPort in ${r"${bmPorts}"}; do
	        cmd_iptables -A ${r"${bmPortChain}"} -p tcp --dport ${r"${bmPort}"} -j DROP
	        cmd_iptables -A ${r"${bmPortChain}"} -p udp --dport ${r"${bmPort}"} -j DROP
	done
	cmd_iptables -A ${r"${bmPortChain}"} -j RETURN
	
	cmd_iptables -N ${r"${bmHostChain}"}
	cmd_iptables -A ${r"${bmHostChain}"} -i lo -j ACCEPT
	for bmHost in ${r"${bmHosts}"}; do
			# IPv4 only for now
	        iptables ${r"${iptables_timeout}"} -A ${r"${bmHostChain}"} -s ${r"${bmHost}"} -j ACCEPT
	done
	cmd_iptables -A ${r"${bmHostChain}"} -m state --state NEW -j ${r"${bmPortChain}"}
	
	cmd_iptables -I INPUT 1 -j ${r"${bmHostChain}"}
	
	echo " done."
}

case "$1" in
    start)
    	stop_bm-iptables
        start_bm-iptables
        ;;
    
    stop)
        stop_bm-iptables
        ;;
    restart)
        stop_bm-iptables
        start_bm-iptables
        ;;
esac

exit 0
