#!/bin/sh
# environment lte wmp specific system iptables file
# see the iptables documentation for further help
# all protocols are IP

#**********************************************************************
# Project        : LTE FSMr3
# Component name : IPTABLES script File
# Filename       : iptables_system_ltwmp
# Generated by   : Vishwanatha R / Kishan K
# Created        : Fri Apr 29 02:00:04 2011
# Description    : Implementation iptables_system_ltwmp script file.
# Revision history (major events only -- see ClearCase comments for details):
# Copyright (c) Nokia 2009 All rights reserved
# Licensed Material - Property of Nokia Networks
#**********************************************************************

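# Source the shared helper file next to this script; it is expected to provide
# the variables and functions used below (IPTABLES, IPVERSION, configure_*,
# tryinclude, ...). Quoted so a script directory containing spaces still works.
. "$(dirname "$0")/iptables_system_util"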

stop_system()
{
    $IPTABLES -P INPUT   ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT  ACCEPT

    $IPTABLES -F                                # flush all the rules
    $IPTABLES -Z                                # reset all counters
    $IPTABLES -X                                # remove all user defined chains
    $IPTABLES -t mangle -F PREROUTING
    $IPTABLES -t mangle -Z PREROUTING
    $IPTABLES -t mangle -F IP_SPOOF_CHECK_SRC
    $IPTABLES -t mangle -X IP_SPOOF_CHECK_SRC
    $IPTABLES -t mangle -Z IP_SPOOF_CHECK_SRC
    $IPTABLES -t mangle -F IP_SPOOF_CHECK_DST
    $IPTABLES -t mangle -X IP_SPOOF_CHECK_DST
    $IPTABLES -t mangle -Z IP_SPOOF_CHECK_DST

# Temporary check to avoid error messages on console (-t nat currently not available in ip6tables)
# -> remove check when the NAT below is also required (and supported) in IPv6 case

if [ "$IPVERSION" = "4" ]; then

    $IPTABLES -t nat -F PREROUTING              # flush NAT Rules
    $IPTABLES -t nat -Z PREROUTING

    $IPTABLES -t nat -F POSTROUTING             # flush NAT Rules
    $IPTABLES -t nat -Z POSTROUTING

fi # end temporary check

}

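#######################################
# Rules that are only installed when /tmp/iptables_addresses.conf exists:
# TRS port detection, bridge multicast/IGMP acceptance, early drop of
# packets not addressed to a local address, the random-port service, the
# NTP SNAT workaround and ESP for trace transport.
# Globals:  IPTABLES, IPVERSION, IP_FTM_BTS_SUBNET_ADR, FTM_BTS_SUBNET_MASK,
#           NTP_SYNC_AS_REF, IPTABLES_FILE_TNAT (read); EPORT, ETHIF (written)
# Outputs:  one informational line about the TRS port on stdout
# Returns:  status of the last iptables call
#######################################
start_system_trs_rules()
{
    /opt/trs/bin/test_envInfo envInfoIfTRS > /dev/null
    EPORT=eth$?+                                # port index is the exit status of test_envInfo
    ETHIF=br0

#        UNIT_FQGA=17
#        UNIT_FQBA=18
    # For FlexiLight we use eth2 as first transport interface.
#        /opt/trs/bin/test_envInfo envInfoUnitType > /dev/null
#        UNIT=$?
#        if [ "x$UNIT" = "x$UNIT_FQBA" -o "x$UNIT" = "x$UNIT_FQGA" ]; then
#            ETHIF=eth2+
#        else
#            ETHIF=eth3+
#        fi

    # Accept IGMP query messages and UDP multicast on the bridge interface to
    # support the eMBMS feature
    $IPTABLES -t mangle -I PREROUTING -i br0+ -d 224/4 -p igmp -j ACCEPT
    $IPTABLES -t mangle -I PREROUTING -i br0+ -d 224/4 -p udp -j ACCEPT

    echo "iptables_system_ltwmp: use $EPORT for TRS port"

    if [ -n "$IP_FTM_BTS_SUBNET_ADR" ]; then
        $IPTABLES -t mangle -A PREROUTING -d "$IP_FTM_BTS_SUBNET_ADR/$FTM_BTS_SUBNET_MASK" -j ACCEPT
    fi

    # Marking packets for ipv4 multicast packets in case of L2Switching.
    $IPTABLES -t mangle -A PREROUTING -i br0+ -m mark --mark 2 -j ACCEPT

    # Early drop of packets not destined to trs: For perfCounters
    # NOTE(review): the earlier comment says -m addrtype is not available in
    # ip6tables, yet nothing guards this line by IPVERSION -- confirm whether it
    # should be IPv4-only.
    $IPTABLES -t mangle -A PREROUTING -i "${ETHIF}+" -m addrtype ! --dst-type LOCAL -j DROP

    if [ "$IPVERSION" = "6" ]; then
        # both are inserted at the top, so the ACCEPT for multicast destinations
        # ends up before the DROP for multicast sources
        $IPTABLES -t mangle -I PREROUTING -i "${ETHIF}+" -s ff00::/9 -j DROP
        $IPTABLES -t mangle -I PREROUTING -i "${ETHIF}+" -d ff00::/9 -j ACCEPT
    fi

    configure_rnd_ports_service

    # WORKAROUND_TMO :: Final fix will be provided from BM til then will keep this
    if [ "$NTP_SYNC_AS_REF" = "1" ]; then
        echo "-I POSTROUTING 1 -o br0+ -p udp --dport 123 -j SNAT --to-source :30001-30010" >> "$IPTABLES_FILE_TNAT"
    fi
    # WORKAROUND_TMO_END

    # Transport support for trace data
    $IPTABLES -A INPUT -p esp -j ACCEPT
}

#######################################
# DNS rules (IPv4 only, caller checks IPVERSION): SNAT queries to the
# M-plane address and accept traffic coming back from the configured servers.
# NOTE(review): the INPUT rules are stateless -- any packet whose source is
# the server address with source port 53 is accepted, not only replies to
# our own queries; this relies on IP_DNS_SERVER1/2 being trusted addresses.
# Globals:  IPTABLES, IP_DNS_SERVER1, IP_DNS_SERVER2, IP_MPLANE (read)
# Returns:  0 when no DNS server is configured, else status of the last call
#######################################
start_system_dns_rules()
{
    if [ -n "$IP_DNS_SERVER1" ]; then
        if [ -n "$IP_MPLANE" ]; then
            $IPTABLES -A POSTROUTING -t nat -d "$IP_DNS_SERVER1" -p udp --dport 53 -j SNAT --to-source "$IP_MPLANE"
        fi

        $IPTABLES -A INPUT -s "$IP_DNS_SERVER1" -p udp --sport 53 -j ACCEPT
        $IPTABLES -A INPUT -s "$IP_DNS_SERVER1" -p tcp --sport 53 -j ACCEPT

        # the second server is only considered when the first one is set
        if [ -n "$IP_DNS_SERVER2" ]; then
            if [ -n "$IP_MPLANE" ]; then
                $IPTABLES -A POSTROUTING -t nat -d "$IP_DNS_SERVER2" -p udp --dport 53 -j SNAT --to-source "$IP_MPLANE"
            fi

            $IPTABLES -A INPUT -s "$IP_DNS_SERVER2" -p udp --sport 53 -j ACCEPT
            $IPTABLES -A INPUT -s "$IP_DNS_SERVER2" -p tcp --sport 53 -j ACCEPT
        fi
    fi
}

# Do not add iptables Rules here. It will increase the iptables restart time.
#######################################
# Build the complete system rule set. Ordering matters: rules are appended
# (-A) or inserted (-I) in exactly the sequence below.
# Globals:  IPTABLES, IPVERSION (read), BTSOM_SIMULATED (written),
#           plus everything read by the helpers above and by the sourced
#           configure_* / apply_fwcfg_settings / tryinclude functions
# Returns:  status of the last command executed
#######################################
start_system()
{
    check_init_fwcfg_env

    # to allow communication between master and slave boards
    $IPTABLES -A INPUT -i eth4 -j ACCEPT
    # enable 16009 CC&S Syscom traffic Intra-Zone only while the FZAP marker exists
    if [ -e "/tmp/isFZAP" ]; then
        $IPTABLES -A INPUT -p udp --dport 16009 -j ACCEPT
    else
        $IPTABLES -A INPUT -p udp --dport 16009 -j DROP
    fi

    if [ -e "/tmp/iptables_addresses.conf" ]; then
        start_system_trs_rules
    fi

    # Firewall rules
    configure_RmAdapter_rules

    # Xoh BTS_OAM and Standalone TRS Mgr port handling
    configure_BTSOAM_TRSMGR_ports

    if [ "$IPVERSION" = "4" ]; then
        # Prevent spoofing for IPv4
        configure_spoofing_rules_trs
        configure_spoofing_rules_lmp
    fi

    # Configure Rate Limiting Rules
    configure_rate_limiting_rules

    # Configure Catch all rule
    configure_catch_all_rule

    # Configure SoE rule -- skipped only when the simulator start script
    # explicitly sets BTSOM_SIMULATED to a yes value. A missing or empty value
    # keeps the default ("false"), so the rule is configured.
    BTSOM_SIMULATED="false"
    if [ -e "/ffs/run/trs_data/sim/start_script.conf" ]; then
        BTSOM_SIMULATED=$(grep BTSOM_SIMULATED /ffs/run/trs_data/sim/start_script.conf | cut -d'=' -f2)
    fi
    case "$BTSOM_SIMULATED" in
        y|Y|yes|Yes) ;;
        *) configure_ethSec_rule ;;
    esac

    # Apply firewall rules generated by iptables_sytem_util functions
    apply_fwcfg_settings

    # User defined Rules
    # Be careful while using "iptables_exit" (duplicating code). This can exit
    # iptables skipping full execution.
    tryinclude /tmp/iptables_user_ltwmp.script      # This_is_a_Hack_Please_DoNot_Remove
    if [ $? -eq 1 ]; then
        set_user_rules
    fi

    # Below rules are meant only for standalone mode.
    tryinclude /tmp/iptables_test_loopback.script   # This_is_a_Hack_Please_DoNot_Remove
    if [ $? -eq 1 ]; then
        set_sctp_loopback_rules
    fi

    tryinclude /ffs/run/trs_data/sim/SCTP_TEST_ENABLE
    if [ $? -eq 1 ]; then
        # NOTE(review): ETHIF is only assigned in start_system_trs_rules; when
        # /tmp/iptables_addresses.conf is absent "${ETHIF}+" expands to "+",
        # which most likely matches every interface -- confirm this is intended.
        $IPTABLES -t mangle -I PREROUTING 1 -i "${ETHIF}+" -p sctp -j MARK --set-mark 100
        $IPTABLES -t mangle -I PREROUTING 2 -i "${ETHIF}+" -p sctp -j ACCEPT

        # remove the early "not local" drop added by start_system_trs_rules;
        # -m addrtype is reported as unavailable in ip6tables (see above)
        $IPTABLES -t mangle -D PREROUTING -i "${ETHIF}+" -m addrtype ! --dst-type LOCAL -j DROP

        $IPTABLES -A FORWARD -p sctp -j ACCEPT
    fi

    $IPTABLES -A FORWARD -m mark --mark 2 -j ACCEPT

    if [ "$IPVERSION" = "4" ]; then
        # DNS
        start_system_dns_rules

        # DROP PACKETS WITH IP OPTIONS (IHL > 5), IGMP excepted
        $IPTABLES -I INPUT 1 -m u32 --u32 "0&0x0F000000=0x06000000:0x0F000000" ! -p igmp -j DROP
    fi
}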

#######################################
# Print a banner followed by the verbose, numeric listing of the filter table.
# Globals:  IPTABLES (read)
# Outputs:  three banner lines and the iptables listing on stdout
# Returns:  status of the iptables call
#######################################
status_system()
{
    printf '%s\n' \
        "======================================================================" \
        "                       filter - table" \
        "======================================================================"
    $IPTABLES -v -n -L
}
