#!/bin/sh

### BEGIN INIT INFO
# Provides:        firewall
# Required-Start:  $network $syslog
# Required-Stop:   $network $syslog
# Default-Start:   2 3 4 5
# Default-Stop:    0 1 6
# Short-Description: firewall initscript
### END INIT INFO

#
#       this file was modified when the LRR software was installed
#

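# ROOTACT is substituted by the installer; the value below is only a
# placeholder, not a real path.
ROOTACT=_REPLACEWITHROOTACT_
export ROOTACT

# Optional site settings, then the LRR shell helper libraries. Each library
# is sourced only when its "_*_loaded" probe function is not already
# defined (the probe's "command not found" noise is discarded).
setting="$ROOTACT/lrr/com/system_setting.sh"
if [ -f "$setting" ]; then
    . "$setting"
fi
_system_api_loaded 2> /dev/null || . "$ROOTACT/lrr/com/system_api.sh"

export PATH="$PATH:/usr/local/sbin:/usr/sbin:/sbin"

# Site parameters are optional; the function library is required.
[ -f "$ROOTACT/usr/etc/lrr/_parameters.sh" ] && . "$ROOTACT/usr/etc/lrr/_parameters.sh"
_functions_loaded 2> /dev/null || . "${ROOTACT}/lrr/com/_functions.sh"

# NFR920 selects which directory set_rules searches for a site iptables.sh.
_load_conf_system
NFR920=$(_get_ini_var "suplog" "nfr920")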

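#######################################
# Install the INPUT filtering rules.
#
# When $ROOTACT is a directory, a site-provided iptables.sh is looked for
# first: $ROOTACT/usr/etc/lrr/iptables.sh, then the file located by
# SystemGetFilePath under lrr/failovermgr (NFR920=1) or lrr/com/shells.
# If one exists it is run with sh and this function returns at once, so
# NONE of the built-in rules below are applied -- including the IPv6
# section. That script is then fully responsible for the resulting policy,
# and since it runs with this script's privileges it must be writable
# only by the administrator. The source of the rules actually applied is
# recorded in $ROOTACT/var/log/lrr/iptablesfrom.log.
#
# Built-in rules: INPUT policy DROP; accept loopback, ICMP and SSH (tcp/22)
# from 192.168.0.0/16 and 10.10.0.0/16 only, plus ESTABLISHED,RELATED
# traffic. The same shape is applied with ip6tables for fc00::/7 unless
# $ipv6 is "n". FORWARD and OUTPUT are not touched here.
#
# Globals:   ROOTACT, NFR920, ipv6 (read); sysfilepath (set by
#            SystemGetFilePath); LOG, itfile1, itfile2 (written)
# Returns:   status of the delegated script, otherwise of the last
#            iptables/ip6tables command
#######################################
set_rules()
{
    if [ -d "$ROOTACT" ]; then
        LOG="$ROOTACT/var/log/lrr/iptablesfrom.log"

        itfile1="$ROOTACT/usr/etc/lrr/iptables.sh"
        if [ "$NFR920" = "1" ]; then
            SystemGetFilePath "$ROOTACT/lrr/failovermgr" "iptables.sh"
        else
            SystemGetFilePath "$ROOTACT/lrr/com/shells" "iptables.sh"
        fi
        itfile2=$sysfilepath

        # A site-provided script replaces the built-in rules entirely.
        if [ -f "$itfile1" ]; then
            printf '%s\n' "$itfile1" > "$LOG"
            sh "$itfile1"
            return
        fi
        if [ -f "$itfile2" ]; then
            printf '%s\n' "$itfile2" > "$LOG"
            sh "$itfile2"
            return
        fi
        printf '%s\n' /etc/init.d/firewall > "$LOG"
    fi

    # ---> IPv4

    # Default-deny inbound; outbound is left to the OUTPUT chain's policy.
    iptables -P INPUT DROP

    # Loopback is always accepted.
    iptables -A INPUT -i lo -j ACCEPT

    # DHCP (intentionally disabled)
    #iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

    # ICMP (e.g. ping) only from the two management ranges.
    iptables -A INPUT -p icmp --source 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p icmp --source 10.10.0.0/16 -j ACCEPT

    # DNS replies (intentionally disabled; covered by ESTABLISHED below)
    #iptables -A INPUT -p udp --sport 53 -j ACCEPT
    #iptables -A INPUT -p tcp --sport 53 -j ACCEPT

    # NTP (intentionally disabled)
    #iptables -A INPUT -p udp --dport 123 --sport 123 -j ACCEPT

    # SSH only from the two management ranges.
    iptables -A INPUT -p tcp --dport 22 --source 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 --source 10.10.0.0/16 -j ACCEPT

    # Replies to connections this host initiated.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    if [ "$ipv6" = "n" ]; then
        return 0
    fi

    # ---> IPv6 (same policy, unique-local addresses as the management range)

    ip6tables -P INPUT DROP

    ip6tables -A INPUT -i lo -j ACCEPT

    # DHCP (intentionally disabled)
    #ip6tables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

    ip6tables -A INPUT -p icmp --source fc00::/7 -j ACCEPT

    # DNS replies (intentionally disabled)
    #ip6tables -A INPUT -p udp --sport 53 -j ACCEPT
    #ip6tables -A INPUT -p tcp --sport 53 -j ACCEPT

    # NTP (intentionally disabled)
    #ip6tables -A INPUT -p udp --dport 123 --sport 123 -j ACCEPT

    ip6tables -A INPUT -p tcp --dport 22 --source fc00::/7 -j ACCEPT

    ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}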

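#######################################
# Flush the INPUT and OUTPUT chains and reset their policy to ACCEPT, for
# IPv4 and -- unless $ipv6 is "n" -- for IPv6. FORWARD is left untouched.
# Globals:   ipv6 (read)
# Returns:   status of the last iptables/ip6tables command
#######################################
remove_rules()
{
    iptables -F INPUT
    iptables -F OUTPUT

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT

    # The original compared the literal string "ipv6" with "n", so this
    # guard never fired and ip6tables was invoked even where it is absent.
    if [ "$ipv6" = "n" ]; then
        return 0
    fi

    ip6tables -F INPUT
    ip6tables -F OUTPUT

    ip6tables -P INPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT
}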

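# Main script

# Apply the IPv6 section only where ip6tables is actually installed. The
# original test was inverted: it set ipv6=y when the lookup FAILED, so hosts
# that do have ip6tables skipped the IPv6 rules and were left with an
# ACCEPT policy on the IPv6 INPUT chain after remove_rules.
ipv6=n
if command -v ip6tables > /dev/null 2>&1; then
    ipv6=y
fi

case "$1" in
    start|restart)
        remove_rules
        set_rules
        ;;
    stop)
        remove_rules
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac

# Always report success to the init system, as the original did, even if an
# individual iptables call failed.
exit 0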

