#!/bin/sh
#
# Usage: createipfchains.sh
#
# script to enforce iptables rules
# follow these steps:
# 1. First get the Active, Standby CP status

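# Determine the system platform identifier.
# Runs the platform tool /sbin/sin and keeps only the digits that follow
# "SWBD" in its output.  Only sed's stderr is discarded; SWBD is left empty
# when nothing matched, so callers must cope with an empty value.
SWBD=$(/sbin/sin | /bin/sed -n -e 's/^.\+\(SWBD\)\([[:digit:]]\{1,\}\).\+$/\2/gp' 2> /dev/null)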

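#######################################
# Platform check on the board id in $SWBD.
# Globals:  SWBD (read)
# Returns:  1 when SWBD is one of 148, 171, 178, 156, 141 or 142;
#           0 for any other value, including an empty one.
# The original chain of '[ $SWBD = N ]' tests was unquoted, so an empty SWBD
# (no /sbin/sin output) produced a "unary operator expected" error on every
# comparison; a quoted case statement has no such failure mode.
#######################################
limit_module_unsupported_platform()
{
	case "$SWBD" in
		148|171|178|156|141|142)
			return 1
			;;
		*)
			return 0
			;;
	esac
}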
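#######################################
# Print all arguments as one line on stderr, only when debug_on=1.
# Globals:  debug_on (read; set outside this script)
# Arguments: the text to print (may be empty -> blank line)
# printf '%s\n' "$*" is used instead of 'echo $*' so that the message is
# neither word-split/globbed nor mistaken for an echo option such as -n.
#######################################
echo_debug()
{
	if [ "$debug_on" = "1" ]; then
		printf '%s\n' "$*" 1>&2
	fi
}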

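#######################################
# Append the catch-all TCP/UDP accept rules to the generated rule file.
# Globals:  IPTABLES, R_TCP, R_UDP, PROTO_TCP, PROTO_UDP, RULE_FILE (read;
#           all supplied by the environment, none are set in this script)
# Outputs:  two command lines appended to $RULE_FILE
# Both rules accept every destination port from 1024 upwards on their chain.
# Because iptables stops at the first matching terminating rule, any policy
# DROP for a port in that range must already be in the same chain when these
# are loaded -- main() calls iptab_create_policy_rules first for that reason.
#######################################
iptab_create_default_rules()
{
    # ordering of rules is important, do not change arbitrarily

    ## TCP common rules
    echo "$IPTABLES -A $R_TCP -p $PROTO_TCP -m $PROTO_TCP --dport 1024: -j ACCEPT" >> "$RULE_FILE"
    #echo "$IPTABLES -A $R_TCP -p $PROTO_TCP -m $PROTO_TCP --dport 49152: -j ACCEPT" >> $RULE_FILE

    # UDP common rules
    # Never delete the ntp rule
    echo "$IPTABLES -A $R_UDP -p $PROTO_UDP -m $PROTO_UDP --dport 1024: -j ACCEPT" >> "$RULE_FILE"
    #echo "$IPTABLES -A $R_UDP -p $PROTO_UDP -m $PROTO_UDP --dport 49152: -j ACCEPT" >> $RULE_FILE

}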

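#######################################
# Append generic tcp/udp dispatch rules to the generated rule file.
# Globals:  IPTABLES, R_TCP, R_UDP, RULE_FILE (read; environment-supplied)
# Outputs:  two command lines appended to $RULE_FILE
# NOTE(review): each line appends to $R_TCP (resp. $R_UDP) a jump whose target
# is that same chain; iptables rejects a chain that jumps to itself as a loop,
# so as written these commands cannot load -- the intended source chain is
# presumably INPUT.  The call site in main is currently commented out.
#######################################
iptab_create_generic_rules()
{
	# Create tcp/udp rules for ports other than specified in policies
	echo "$IPTABLES -A $R_TCP -p tcp -j $R_TCP" >> "$RULE_FILE"
	echo "$IPTABLES -A $R_UDP -p udp -j $R_UDP" >> "$RULE_FILE"
}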

iptab_create_policy_rules()
{
	# Translate a text policy file into iptables command lines appended to
	# $RULE_FILE.  From the parsing below, each policy line has the shape
	#   FLOW PROTO [DST_IP] PORT[-PORT] [SRC_IP] ACTION
	# where FLOW is INPUT or FWD (any other flow yields no rules), the
	# destination field is optional, and ACTION is DROP or ACCEPT.
	# Arguments: $1 - path of the policy file
	# Globals read: IPTABLES, RULE_FILE, R_SSH, R_TELNET, R_TCP, R_UDP,
	#   POLICY_TYPE (ULOG lines only for "v4"), NLGROUP, INET_IFACE,
	#   INTERNAL_IFACE_INBD.  Calls valid_ip, which is defined outside
	#   this file.
	# Side effects: exits the whole script (exit 1) if $1 does not exist;
	#   temporarily changes IFS and restores it on the normal path.
	# NOTE(review): PORT, PROTO and SRC_IP are never validated (valid_ip is
	# applied to the destination field only); every token is written
	# verbatim into the generated command file, so that file's integrity is
	# only as good as the policy file's write permissions.
	
	echo_debug
	echo_debug "debug: entering iptab_create_policy_rules"
	echo_debug

	POLICYFILE=$1
	echo_debug "debug: policyfile=$POLICYFILE"
	LIMIT_RATE=20/minute
	BURST_RATE=20

	# check if text policy file exists. If not, exit.
	# This exits the whole script, not just the function, and prints nothing;
	# a message on stderr would make a missing policy easier to diagnose.
	if [ ! -f $POLICYFILE ]; then
		exit 1
	fi

	OLD_IFS=$IFS
	# make the separator as newline
	IFS='
'
	# With IFS set to newline the unquoted `cat` expands to one word per
	# policy line; each line is still subject to pathname expansion.
	for line in `cat $POLICYFILE`
	do      
	# get flow
		FLOW=${line%% *}
		echo_debug "debug flow: $FLOW"
		rem_line=${line#${FLOW} }
		echo_debug "debug: rem_line=$rem_line"

	# get Protocol
		PROTO=${rem_line%% *}
		echo_debug "debug proto: $PROTO"

		rem_line=${rem_line#${PROTO} }

		echo_debug "debug: rem_line=$rem_line"

	# get Destination IP
		# Third field is ambiguous: a token containing '-' is a port range,
		# a token that passes valid_ip or contains ':' is the destination
		# address (port follows), anything else is a single port.
		# '[ $(...) ]' is true when grep printed something; the pattern
		# [-] is an unquoted glob and should be quoted ('[-]').
		DIPADDR=${rem_line%% *}
		if [ $(echo $DIPADDR | grep [-]) ]; then
			# "lo-hi" from the policy becomes iptables' "lo:hi" range syntax
			temp1=`echo $DIPADDR | cut -d- -f 1`
			temp2=`echo $DIPADDR | cut -d- -f 2`
			PORT=`echo $temp1":"$temp2`
			echo_debug "debug port: $PORT"
			rem_line=${rem_line#${DIPADDR} }
			echo_debug "debug: rem_line=$rem_line"
			DIPADDR=""
		elif valid_ip ${DIPADDR} || [ $(echo $DIPADDR | grep [:]) ]; then
			echo_debug "debug Destination IP: $DIPADDR"		
			rem_line=${rem_line#${DIPADDR} }
			echo_debug "debug: rem_line=$rem_line"
			
			# get Port number
			TEMP=${rem_line%% *}
			if [ $(echo $TEMP | grep [-]) ]; then
				temp1=`echo $TEMP | cut -d- -f 1`
				temp2=`echo $TEMP | cut -d- -f 2`
				PORT=`echo $temp1":"$temp2`
				echo_debug "debug port2: $PORT"
				rem_line=${rem_line#${TEMP}}
				echo_debug "debug: rem_line=$rem_line"
			else
				PORT=${TEMP}
				echo_debug "debug port: $TEMP"
				rem_line=${rem_line#${TEMP}}
				echo_debug "debug: rem_line=$rem_line"
			fi
		else 
			# get Port number
			PORT=${DIPADDR}
			echo_debug "debug port: $PORT"
			rem_line=${rem_line#${PORT}}
			echo_debug "debug: rem_line=$rem_line"
			DIPADDR=""
		fi

		# Choose the chain that receives this line's rules.  For 22/23 a
		# jump from the protocol chain into the service chain is emitted
		# here as well -- once per policy line, so several SSH lines
		# produce duplicate jump rules.
		case "$PORT" in
			22)
		    	RULE=$R_SSH
		    	PROTOCHAIN=$R_TCP
				VIOLATED_APP="SSH"
		# check PROTOCHAIN and set the values.
		echo "$IPTABLES -A $PROTOCHAIN -p $PROTO -m $PROTO --dport $PORT -j $RULE" >> $RULE_FILE
		    	;;

			23)
		    	RULE=$R_TELNET
		    	PROTOCHAIN=$R_TCP
				VIOLATED_APP="TELNET"
		# check PROTOCHAIN and set the values.
		echo "$IPTABLES -A $PROTOCHAIN -p $PROTO -m $PROTO --dport $PORT -j $RULE" >> $RULE_FILE
		    	;;

	# add ports for API in future if new API comes up

			*) 
				if [ "$PROTO"  = "tcp" ]; then
		    		RULE=$R_TCP
				    VIOLATED_APP="TCP"
				else    
		    		RULE=$R_UDP
				    VIOLATED_APP="UDP"
				fi
				;; 
		esac # end of case


		
		# Remaining fields are space separated; restore IFS for the inner loop.
		IFS=' '

		# Any token that is neither DROP nor ACCEPT is taken as the source
		# address; the action token then emits the rule(s).
		# '==' inside [ ] below is a bashism: under a strict POSIX /bin/sh
		# (e.g. dash) it is "unexpected operator" and the test is false --
		# '=' is what the rest of this function uses.
		# For POLICY_TYPE v4 each DROP is preceded by a rate-limited ULOG
		# rule; the "\"...\"" sequence closes and reopens the shell string
		# so that a literal pair of double quotes surrounds the prefix in
		# the written line (the leading whitespace of the continuation
		# lines is written into it too).
		# The break after a rule differs between branches (e.g. the
		# destination-only DROP and the src+dst ACCEPT do not break);
		# presumably deliberate -- confirm before reshaping.
		SIPADDR=""
			for ARG in $rem_line
			do
				if [ "$FLOW" = "INPUT" ]; then
					if [ "$ARG" = "DROP" ]; then
						if [ "$SIPADDR" == "" ] && [ "$DIPADDR" == "" ]; then
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT \
	            	   		 				-m limit --limit $LIMIT_RATE --limit-burst $BURST_RATE -j ULOG --ulog-prefix \
										"\"$VIOLATED_APP port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -j DROP" >> $RULE_FILE
							break	
						elif [ "$DIPADDR" == "" ]; then
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR \
									-m limit --limit $LIMIT_RATE  --limit-burst $BURST_RATE -j ULOG --ulog-prefix \
									"\"$VIOLATED_APP port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR -j DROP" >> $RULE_FILE
							break
						elif [ "$SIPADDR" == "" ]; then
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -d $DIPADDR \
									-m limit --limit $LIMIT_RATE  --limit-burst	$BURST_RATE -j ULOG --ulog-prefix \
									"\"$VIOLATED_APP port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -d $DIPADDR -j DROP" >> $RULE_FILE
						else
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR -d $DIPADDR \
									-m limit --limit $LIMIT_RATE  --limit-burst $BURST_RATE -j ULOG --ulog-prefix \
									"\"$VIOLATED_APP port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR \
								-d $DIPADDR -j DROP" >> $RULE_FILE
						fi
					elif [ "$ARG" = "ACCEPT" ]; then
						if [ "$SIPADDR" == "" ] && [ "$DIPADDR" == "" ]; then
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -j ACCEPT" >> $RULE_FILE
							break
						elif [ "$DIPADDR" == "" ]; then
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR -j ACCEPT" >> $RULE_FILE
							break
						elif [ "$SIPADDR" == "" ]; then
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -d $DIPADDR -j ACCEPT" >> $RULE_FILE
							break
						else
							echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR \
								-d $DIPADDR -j ACCEPT" >> $RULE_FILE
						fi
					else
						SIPADDR=$ARG
					fi
				elif [ "$FLOW" = "FWD" ]; then
					# NOTE(review): in the FWD DROP branches the ULOG rule matches
					# $PROTO/$PORT, but the DROP that follows is appended to FORWARD
					# with interface (and address) matches only -- it drops all
					# forwarded traffic from $INET_IFACE to $INTERNAL_IFACE_INBD,
					# not just this port.  Confirm that breadth is intended.
					if [ "$ARG" = "DROP" ]; then
						if [ "$SIPADDR" == "" ] && [ "$DIPADDR" == "" ]; then
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT \
									-m limit --limit $LIMIT_RATE  --limit-burst $BURST_RATE -j ULOG --ulog-prefix \
									"\"FORWARD port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $INTERNAL_IFACE_INBD -j DROP" >> $RULE_FILE
							break	
						elif [ "$SIPADDR" == "" ]; then
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -d $DIPADDR \
									-m limit --limit $LIMIT_RATE  --limit-burst $BURST_RATE -j ULOG --ulog-prefix \
									"\"FORWARD port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $INTERNAL_IFACE_INBD -d $DIPADDR \
								-j DROP" >> $RULE_FILE
							break
						elif [ "$DIPADDR" == "" ]; then
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR \
									-m limit --limit $LIMIT_RATE  --limit-burst $BURST_RATE -j ULOG --ulog-prefix \
									"\"FORWARD port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $INTERNAL_IFACE_INBD -s $SIPADDR \
								-j DROP" >> $RULE_FILE
						else
							if [ "$POLICY_TYPE" = "v4" ]; then
									echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -s $SIPADDR -d $DIPADDR \
									-m limit --limit $LIMIT_RATE  --limit-burst $BURST_RATE -j ULOG --ulog-prefix \
									"\"FORWARD port $PORT\"" --ulog-cprange 20 \
									--ulog-nlgroup $NLGROUP" >> $RULE_FILE
							fi
							echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $INTERNAL_IFACE_INBD -s $SIPADDR \
								-d $DIPADDR -j DROP" >> $RULE_FILE
						fi
					elif [ "$ARG" = "ACCEPT" ]; then
						# Each FWD ACCEPT writes a pair of FORWARD rules: one for the
						# inbound direction and one for the return path.
						if [ "$SIPADDR" == "" ] && [ "$DIPADDR" == "" ]; then
							echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $INTERNAL_IFACE_INBD -j ACCEPT" >> $RULE_FILE
							echo "$IPTABLES -A FORWARD -i $INTERNAL_IFACE_INBD -o $INET_IFACE -j ACCEPT" >> $RULE_FILE
						elif [ "$SIPADDR" == "" ]; then
							echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $INTERNAL_IFACE_INBD \
								-d $DIPADDR -j ACCEPT" >> $RULE_FILE
							echo "$IPTABLES -A FORWARD -s $DIPADDR -i $INTERNAL_IFACE_INBD -o $INET_IFACE \
								-j ACCEPT" >> $RULE_FILE
							break
						elif [ "$DIPADDR" == "" ]; then
							echo "$IPTABLES -A FORWARD -s $SIPADDR -i $INET_IFACE -o $INTERNAL_IFACE_INBD \
								-j ACCEPT" >> $RULE_FILE
							# NOTE(review): unlike the sibling branches, whose return-path
							# rule uses -i $INTERNAL_IFACE_INBD -o $INET_IFACE, this second
							# rule keeps the inbound interface pair -- looks like a
							# copy-paste slip; confirm against the intended return path.
							echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $INTERNAL_IFACE_INBD \
								-d $SIPADDR -j ACCEPT" >> $RULE_FILE
						else
							echo "$IPTABLES -A FORWARD -s $SIPADDR -i $INET_IFACE -o $INTERNAL_IFACE_INBD \
								-d $DIPADDR -j ACCEPT" >> $RULE_FILE
							echo "$IPTABLES -A FORWARD -s $DIPADDR -i $INTERNAL_IFACE_INBD -o $INET_IFACE \
								-d $SIPADDR -j ACCEPT" >> $RULE_FILE
						fi
						# The per-port ACCEPT in $RULE is added for every FWD ACCEPT line.
						echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT -j ACCEPT" >> $RULE_FILE
					else
						SIPADDR=$ARG
					fi
				fi
			done #inner for loop
        IFS='
'
	done   # for

	IFS=$OLD_IFS

	echo_debug
	echo_debug "debug: exiting iptab_create_policy_rules"
	echo_debug
} # iptab_create_policy_rules

#////////////////////////////////////////
########################################
# This is the start of this script
########################################
#////////////////////////////////////////


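# $1 is the policy type; "v4" additionally enables the ULOG lines in
# iptab_create_policy_rules.  Quoted so a value containing spaces cannot
# split into extra export arguments under a POSIX sh.
export POLICY_TYPE="$1"

export NLGROUP=1

# Every iptab_create_* function appends its commands to $RULE_FILE, which is
# not assigned anywhere in this script; abort with a message instead of
# letting each redirection fail on its own.
: "${RULE_FILE:?RULE_FILE must be set in the environment}"

# CPSTATE (the Active/Standby CP status from step 1 in the header) is also
# expected from the environment; it selects which policy file is read.
POLICYFILE="/etc/fabos/ipfpolicy.${POLICY_TYPE}.${CPSTATE}.txt"

echo_debug "debug createrules time"


#iptab_create_default_rules ;

# Policy rules are written first on purpose: the default rules accept every
# port >= 1024, and within the same chain a policy DROP for such a port only
# takes effect if it precedes them.
iptab_create_policy_rules "$POLICYFILE"

#iptab_create_generic_rules ;

iptab_create_default_rules
exit 0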
