#**********************************************************************
# Project        : LTE FSMr3
# Component name : IPTABLES script File
# Filename       : iptables_system_util
# Generated by   : Klietz J
# Created        : Fri Jul 27 10:00:00 2012
# Description    : Implementation of the iptables_system_util script file.
# Revision history (major events only -- see svn comments for details):
# Copyright (c) Nokia 2012 All rights reserved
# Licensed Material - Property of Nokia Networks
#**********************************************************************
#
# Usage:
#   1 .... check_init_fwcfg_env
#   2a ... configure_rnd_ports_service (optional)
#   2b ... configure_trace_data_support (optional)
#   2c ... configure_BTSOAM_TRSMGR_ports (optional)
#   3 .... apply_fwcfg_settings
#
#**********************************************************************

# Init script information
# Optional simulation start-up configuration: when the file exists it is
# sourced into this shell with the caller's privileges (nothing here checks
# the file's owner or mode).
TRS_DATA="/ffs/run/trs_data"
TRS_SIM_DEST="${TRS_DATA}/sim"
INIT_NAME="start_script.conf"

# i.e. /ffs/run/trs_data/sim/start_script.conf
if [ -f "${TRS_SIM_DEST}/${INIT_NAME}" ]; then
    . "${TRS_SIM_DEST}/${INIT_NAME}"
fi


# Marker files under /tmp through which other components signal operator
# choices to this script. Only WEB_RND_OP and TRS_RND_FLAG_CHK_FILE are
# read by the functions in this file; the other two are not referenced here.
ENABLE_SSH=/tmp/ssh_enabled
WEB_SSH_OP=/tmp/web_ssh_op
WEB_RND_OP=/tmp/web_gui_rnd
TRS_RND_FLAG_CHK_FILE=/tmp/trs_rnd_flag

# Bridge interface name (not referenced by the functions in this file).
ETHIF=br0

# Unit state discovered by check_init_fwcfg_env (reset there as well).
EPORT_LMP=""            # LMP port, e.g. eth1 (derived from test_envInfo's exit status)
UNIT_TYPE=""            # unit type, e.g. UNIT_FZM
RND_PORTS_SERVICE=0     # RND service ports: 1 = open, 0 = closed
APPDEF_TXT_PRESENT=0    # 1 when /tmp/AppDef.txt exists
BTSOM_EXEC_PRESENT=0    # 1 when the executable named in the CELLP entry exists
BTSOM_EXEC_ACT=0        # 1 when that entry's first field is exactly CELLP

#
## Firewall ruleset generated by RmAdapter (rs1)
##
IPTABLES_FILE_RMADAPTER="/tmp/iptables_firewall_rules"              # fw rs1: summary of all filter rules for IPv4
IPTABLES_FILE_RMADAPTER_IPV6="/tmp/iptables_firewall_rules_ipv6"    # fw rs1: summary of all filter rules for IPv6

#
## Second ruleset (rs2), assembled by the functions below and loaded by
## apply_fwcfg_settings: one file per table, concatenated into a summary.
##
IPTABLES_FILE_TFILTER="/tmp/iptables_firewall_tfilter"  # fw rs2: *filter table
IPTABLES_FILE_TNAT="/tmp/iptables_firewall_tnat"        # fw rs2: *nat table
IPTABLES_FILE_TMANGLE="/tmp/iptables_firewall_tmangle"  # fw rs2: *mangle table
IPTABLES_FILE_RS2="/tmp/iptables_firewall_rs2"          # fw rs2: summary of all new filter rules, IPv4
IPTABLES_FILE_RS2_IPV6="/tmp/iptables_firewall_rs2v6"   # fw rs2: summary of all new filter rules, IPv6

#
# Reset every unit-state flag to its default before check_init_fwcfg_env
# re-discovers it. Defaults are the safe side: EPSec on, RND ports closed,
# no AppDef/BTSOM information.
# Globals: EPORT_LMP, UNIT_TYPE, ETHSEC_ENABLE, RND_PORTS_SERVICE,
#          APPDEF_TXT_PRESENT, BTSOM_EXEC_PRESENT, BTSOM_EXEC_ACT (written)
#
init_fwcfg_env()
{
    # discovered identifiers
    EPORT_LMP=''
    UNIT_TYPE=''

    # 0/1 switches
    ETHSEC_ENABLE=1         # EPSec enabled (1) / disabled (0)
    RND_PORTS_SERVICE=0     # RND ports open (1) / closed (0)
    APPDEF_TXT_PRESENT=0    # AppDef.txt available (1) / not (0)
    BTSOM_EXEC_PRESENT=0    # BTSOM executable present (1) / not (0)
    BTSOM_EXEC_ACT=0        # BTSOM executable activated (1) / not (0)
}

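#
# Start a fresh rs2 ruleset: (re)create the per-table files with their
# iptables-restore table headers.
# Globals: IPTABLES_FILE_TFILTER, IPTABLES_FILE_TNAT, IPTABLES_FILE_TMANGLE (read)
# Outputs: truncates and rewrites the three table files
#
# NOTE(review): the targets are fixed names under /tmp and ">" follows whatever
# already exists there (file or symlink). This assumes /tmp on the unit is not
# writable by untrusted local users — confirm for the target platform.
#
init_fwcfg_rs2()
{
    echo "*filter" > "$IPTABLES_FILE_TFILTER"
    echo "*nat"    > "$IPTABLES_FILE_TNAT"
    echo "*mangle" > "$IPTABLES_FILE_TMANGLE"
}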

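#
# Set the TRS addresses, overriding the built-in defaults with the values
# from the LMP address file when that file provides them.
# Arguments: $1 - address file (optional, default /tmp/lmp_addr.conf)
# Globals:   FCT_SYS_IP, MASTEROM_IP (written)
# Returns:   0
#
# Only lines of the exact form KEY=value are honoured (the original matched
# KEY anywhere on a line). A missing file or a missing/empty key keeps the
# default instead of clearing the variable.
#
init_trs_ip_env()
{
    local conf=${1:-/tmp/lmp_addr.conf}
    local val

    FCT_SYS_IP=192.168.255.1
    MASTEROM_IP=192.168.255.16

    [ -e "$conf" ] || return 0

    val=$(sed -n 's/^FCT_SYS_IP=\(.*\)$/\1/p' "$conf" | head -n 1)
    if [ -n "$val" ]; then
        FCT_SYS_IP=$val
    fi

    val=$(sed -n 's/^MASTEROM_IP=\(.*\)$/\1/p' "$conf" | head -n 1)
    if [ -n "$val" ]; then
        MASTEROM_IP=$val
    fi
    return 0
}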

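#
# Read one "KEY=0|1" switch from a configuration file.
# Arguments: $1 - file (may be missing)
#            $2 - key (a literal from this file; it is not regex-escaped)
#            $3 - default, used when the key is absent or its value is not
#                 exactly 0 or 1
# Outputs:   the switch value (0 or 1) on stdout
#
# The original substring grep + sed left the whole line in the variable when
# the value was not 0/1, which later made "[ ... -eq 1 ]" tests fail with an
# error; now an unparsable value falls back to the caller's safe default.
#
_fwcfg_read_flag()
{
    local val
    val=$(sed -n 's/^'"$2"'=\([01]\)[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$val" in
        0|1) printf '%s\n' "$val" ;;
        *)   printf '%s\n' "$3" ;;
    esac
}

#
# Discover the unit state the configure_* functions depend on. Must be
# called first (see the usage list at the top of the file).
# Globals: UNIT_TYPE, EPORT_LMP, RND_PORTS_SERVICE, ETHSEC_ENABLE,
#          APPDEF_TXT_PRESENT, BTSOM_EXEC_PRESENT, BTSOM_EXEC_ACT,
#          BTSOM_APP_ENTRY, BTSOM_EXEC_PATH (written)
# Outputs: rewrites the rs2 table files via init_fwcfg_rs2
#
# NOTE(review): the switches are read from files under /tmp; whoever can
# write those files controls whether the RND ports open and whether EPSec
# is enforced — confirm the writers and /tmp permissions on the platform.
#
check_init_fwcfg_env()
{
    init_fwcfg_env

    init_fwcfg_rs2

    init_trs_ip_env

    UNIT_TYPE=$(/opt/trs/bin/test_envInfo envInfoUnitTypeIsFzm | grep UNIT)

    if [ "UNIT_FZM" = "$UNIT_TYPE" ]; then

        # test_envInfo reports the LMP interface index through its exit status
        /opt/trs/bin/test_envInfo envInfoIfLMP > /dev/null
        EPORT_LMP=eth$?

        # fail-safe defaults: RND ports closed, EPSec enabled
        RND_PORTS_SERVICE=$(_fwcfg_read_flag /tmp/iptables_ports_service.conf RND_PORTS_SERVICE 0)
        ETHSEC_ENABLE=$(_fwcfg_read_flag /tmp/iptables_addresses.conf ETHSEC_ENABLE 1)
    fi

    if [ -e "/tmp/AppDef.txt" ]; then
        APPDEF_TXT_PRESENT=1

        # first line mentioning CELLP; fields are ';'-separated
        # (the original concatenated all matching lines, which made the
        # field split ambiguous when there was more than one)
        BTSOM_APP_ENTRY=$(grep CELLP /tmp/AppDef.txt | head -n 1)

        if [ -n "$BTSOM_APP_ENTRY" ]; then
            BTSOM_EXEC_PATH=$(printf '%s\n' "$BTSOM_APP_ENTRY" | cut -d';' -f2)

            if [ -n "$BTSOM_EXEC_PATH" ] && [ -e "$BTSOM_EXEC_PATH" ]; then
                BTSOM_EXEC_PRESENT=1

                # activated only when the entry's first field is exactly CELLP
                if [ "$(printf '%s\n' "$BTSOM_APP_ENTRY" | cut -d';' -f1)" = "CELLP" ]; then
                    BTSOM_EXEC_ACT=1
                fi
            fi
        fi
    fi
}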

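#
# Precondition: call check_init_fwcfg_env before configure_rnd_ports_service
#
# Open or close the RND service ports (TCP 15001-15005, 15007) on an FZM
# unit whose LMP is eth1. The INPUT decision is:
#   EPSec on                      -> DROP at the top of INPUT
#   EPSec off, WEB_RND_OP present -> ACCEPT if RND_PORTS_SERVICE=1, else DROP
#   EPSec off, no WEB_RND_OP      -> ACCEPT if TRS_RND_FLAG_CHK_FILE exists, else DROP
# Independently, MP_TRAFFIC accepts or drops the ports by RND_PORTS_SERVICE,
# and the mangle OUTPUT rule is added only when they are open.
# Globals: UNIT_TYPE, EPORT_LMP, ETHSEC_ENABLE, RND_PORTS_SERVICE,
#          WEB_RND_OP, TRS_RND_FLAG_CHK_FILE (read)
# Outputs: appends to IPTABLES_FILE_TFILTER and IPTABLES_FILE_TMANGLE
#
configure_rnd_ports_service()
{
    local ports="15001:15005,15007"
    local input_rule

    if [ "UNIT_FZM" != "$UNIT_TYPE" ] || [ "eth1" != "$EPORT_LMP" ]; then
        return 0
    fi

    # Fail closed: only an explicit "0" counts as EPSec disabled. The original
    # tested "= 1" unquoted, so an empty or malformed value fell through to
    # the branch that may open the ports.
    if [ "$ETHSEC_ENABLE" != "0" ]; then
        input_rule="-I INPUT 1 -p tcp -m multiport --dport ${ports} -j DROP"
    elif [ -e "$WEB_RND_OP" ]; then
        if [ "$RND_PORTS_SERVICE" = "1" ]; then
            input_rule="-A INPUT -p tcp -m multiport --dport ${ports} -j ACCEPT"
        else
            input_rule="-I INPUT 1 -p tcp -m multiport --dport ${ports} -j DROP"
        fi
    elif [ -f "$TRS_RND_FLAG_CHK_FILE" ]; then
        input_rule="-A INPUT -p tcp -m multiport --dport ${ports} -j ACCEPT"
    else
        input_rule="-I INPUT 1 -p tcp -m multiport --dport ${ports} -j DROP"
    fi
    echo "$input_rule" >> "$IPTABLES_FILE_TFILTER"

    if [ "$RND_PORTS_SERVICE" = "1" ]; then
        echo "-A MP_TRAFFIC -p tcp -m multiport --dport ${ports} -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
        echo "-A OUTPUT -p tcp -m multiport --sport ${ports} -j CHAIN_MPLANE" >> "$IPTABLES_FILE_TMANGLE"
    else
        echo "-A MP_TRAFFIC -p tcp -m multiport --dport ${ports} -j DROP" >> "$IPTABLES_FILE_TFILTER"
    fi
}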


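#
# Anti-spoofing hooks for the LMP interface (eth1+). Called only when SoE
# is enabled. Precondition: configure_spoofing_rules_trs has already created
# IP_OUT_SPOOF_CHECK_SRC/DST (filter) and IP_SPOOF_CHECK_SRC/DST (mangle),
# which are re-used here.
# Globals: ETHSEC_ENABLE (read)
# Outputs: appends to IPTABLES_FILE_TFILTER and IPTABLES_FILE_TMANGLE
#
configure_spoofing_rules_lmp()
{
    # Fail closed: only an explicit "0" disables the checks (same test as the
    # other ETHSEC_ENABLE users in this file). The original "[ $ETHSEC_ENABLE
    # = 1 ]" skipped them, with a shell error, when the value was empty.
    if [ "$ETHSEC_ENABLE" = "0" ]; then
        return 0
    fi

    # Hook the spoofing chains into Filter-OUTPUT (positions 3/4: the br0+
    # hooks presumably occupy 1/2)
    echo "-I OUTPUT 3 -o eth1+ -s 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_SRC" >> "$IPTABLES_FILE_TFILTER"
    echo "-I OUTPUT 4 -o eth1+ -d 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_DST" >> "$IPTABLES_FILE_TFILTER"

    # Hook the spoofing chains into Mangle-PREROUTING
    echo "-I PREROUTING 1 -i eth1+ -d 192.168.254.0/24 -j IP_SPOOF_CHECK_DST" >> "$IPTABLES_FILE_TMANGLE"
    echo "-I PREROUTING 2 -i eth1+ -s 192.168.254.0/24 -j IP_SPOOF_CHECK_SRC" >> "$IPTABLES_FILE_TMANGLE"

    # Exceptions for the SoE peer addresses, inserted ahead of the DROP rules
    echo "-I IP_SPOOF_CHECK_SRC 1 -i eth1+ -s 192.168.255.126 -j ACCEPT" >> "$IPTABLES_FILE_TMANGLE"
    echo "-I IP_SPOOF_CHECK_SRC 2 -i eth1+ -s 192.168.255.130 -j ACCEPT" >> "$IPTABLES_FILE_TMANGLE"

    echo "-I IP_SPOOF_CHECK_DST 1 -i eth1+ -d 192.168.255.129 -j ACCEPT" >> "$IPTABLES_FILE_TMANGLE"

    echo "-I IP_OUT_SPOOF_CHECK_DST 1 -o eth1+ -d 192.168.255.126 -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
    echo "-I IP_OUT_SPOOF_CHECK_DST 2 -o eth1+ -d 192.168.255.130 -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"

    echo "-I IP_OUT_SPOOF_CHECK_SRC 1 -o eth1+ -s 192.168.255.129 -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
}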

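#
# Append one DROP rule per protected TRS address to a spoofing chain.
# Arguments: $1 - chain name
#            $2 - "s" to match the source address, "d" the destination
#            $3 - rule file to append to
# Outputs:   appends 21 rules to $3
#
_emit_spoof_drop_rules()
{
    local chain=$1
    local side=$2
    local out=$3
    local range_opt entry

    if [ "$side" = "s" ]; then
        range_opt="--src-range"
    else
        range_opt="--dst-range"
    fi

    # Addresses of 192.168.255.0/24 that must not be spoofed across br0+/eth1+.
    # "A-B" entries become iprange matches, the rest plain -s/-d matches; the
    # order is the order of the original rule list.
    for entry in \
        192.168.255.1 192.168.255.3 192.168.255.5 192.168.255.16 \
        192.168.255.33-192.168.255.35 192.168.255.39-192.168.255.41 \
        192.168.255.45-192.168.255.47 192.168.255.52-192.168.255.59 \
        192.168.255.64-192.168.255.92 192.168.255.96-192.168.255.103 \
        192.168.255.125-192.168.255.131 \
        192.168.255.141 \
        192.168.255.151-192.168.255.159 192.168.255.161-192.168.255.169 \
        192.168.255.171-192.168.255.179 192.168.255.181-192.168.255.189 \
        192.168.255.191-192.168.255.199 192.168.255.201-192.168.255.209 \
        192.168.255.211-192.168.255.219 192.168.255.221-192.168.255.229 \
        192.168.255.231-192.168.255.239
    do
        case "$entry" in
            *-*) echo "-A ${chain}  -m iprange ${range_opt} ${entry}  -j DROP" >> "$out" ;;
            *)   echo "-A ${chain}  -${side} ${entry} -j DROP" >> "$out" ;;
        esac
    done
    # 192.168.255.241-192.168.255.246 was commented out in the original list
    # and is intentionally not blocked.
}

#
# Anti-spoofing chains for the TRS network (192.168.255.0/24) on br0+.
# Must be called before configure_spoofing_rules_lmp, which hooks the same
# chains for the LMP interface.
# Globals: RND_PORTS_SERVICE (read)
# Outputs: appends chain definitions and rules to IPTABLES_FILE_TFILTER
#          and IPTABLES_FILE_TMANGLE
#
configure_spoofing_rules_trs()
{
    local filter=$IPTABLES_FILE_TFILTER
    local mangle=$IPTABLES_FILE_TMANGLE

    # Filter-OUTPUT chains (re-used for the LMP interface)
    echo "-N IP_OUT_SPOOF_CHECK_SRC" >> "$filter"
    echo "-N IP_OUT_SPOOF_CHECK_DST" >> "$filter"

    # Mangle-PREROUTING chains (re-used for the LMP interface)
    echo "-N IP_SPOOF_CHECK_SRC" >> "$mangle"
    echo "-N IP_SPOOF_CHECK_DST" >> "$mangle"

    # Hook the chains into Filter-OUTPUT and Mangle-PREROUTING for br0+
    echo "-I OUTPUT 1 -o br0+ -s 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_SRC" >> "$filter"
    echo "-I OUTPUT 2 -o br0+ -d 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_DST" >> "$filter"
    echo "-I PREROUTING 1 -i br0+ -s 192.168.255.0/24 -j IP_SPOOF_CHECK_SRC" >> "$mangle"
    echo "-I PREROUTING 2 -i br0+ -d 192.168.255.0/24 -j IP_SPOOF_CHECK_DST" >> "$mangle"

    # IP_SPOOF_CHECK_SRC
    _emit_spoof_drop_rules IP_SPOOF_CHECK_SRC s "$mangle"

    # IP_SPOOF_CHECK_DST: exceptions first (inserted at position 1), then the drops
    if [ "$RND_PORTS_SERVICE" = "1" ]; then
        # NOTE(review): this file never creates IP_SPOOF_CHECK_DST in the
        # *filter* table (only IP_OUT_SPOOF_CHECK_*), so iptables-restore
        # will reject the filter line below unless RmAdapter's ruleset created
        # that chain beforehand — confirm; apply_fwcfg_settings discards the
        # restore tool's stderr, so such a failure is not visible.
        echo "-I IP_SPOOF_CHECK_DST 1  -m multiport -p tcp -d 192.168.255.1 --dport 15001:15006 -j ACCEPT" >> "$filter"
        echo "-I IP_SPOOF_CHECK_DST 1  -m multiport -p tcp -d 192.168.255.1 --dport 15001:15006 -j ACCEPT" >> "$mangle"
    fi
    echo "-I IP_SPOOF_CHECK_DST 1  -m multiport -p tcp -d 192.168.255.16 --dport 15010:15014 -j ACCEPT" >> "$mangle"
    _emit_spoof_drop_rules IP_SPOOF_CHECK_DST d "$mangle"

    # IP_OUT_SPOOF_CHECK_DST
    _emit_spoof_drop_rules IP_OUT_SPOOF_CHECK_DST d "$filter"

    # IP_OUT_SPOOF_CHECK_SRC: exceptions, then the drops
    echo "-A IP_OUT_SPOOF_CHECK_SRC  -m multiport -p tcp --sport 15010:15014,389 -j ACCEPT" >> "$filter"
    # (the original appended this DNS rule twice; the second, identical copy
    # could never match and is dropped here)
    echo "-A IP_OUT_SPOOF_CHECK_SRC  -m multiport -p udp --dport 53 -j ACCEPT" >> "$filter"
    echo "-I IP_OUT_SPOOF_CHECK_SRC 1  -m multiport -p tcp -s 192.168.255.16 --dport 15010:15014 -j ACCEPT" >> "$filter"
    _emit_spoof_drop_rules IP_OUT_SPOOF_CHECK_SRC s "$filter"
}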

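# Xoh BTS_OAM(12000), Standalone TRS Mgr(14000)
#
# Precondition: call check_init_fwcfg_env before configure_BTSOAM_TRSMGR_ports
#
# When an activated BTSOM executable is present, open TCP 12000 (BTS_OAM) on
# MP_TRAFFIC; otherwise open TCP 14000 (standalone TRS Mgr) on MP_TRAFFIC
# and, with EPSec on, in ETH_SECURITY_CHAIN. The MP_TRAFFIC rules are only
# emitted when IP_MPLANE is non-empty (IP_MPLANE is not set in this file —
# presumably by the sourced configuration; confirm).
# Globals: APPDEF_TXT_PRESENT, BTSOM_EXEC_PRESENT, BTSOM_EXEC_ACT, IP_MPLANE,
#          ETHSEC_ENABLE (read)
# Outputs: appends to IPTABLES_FILE_TFILTER
#
configure_BTSOAM_TRSMGR_ports()
{
    # string comparisons: an empty flag is a plain "no" instead of a
    # "[: integer expression expected" error
    if [ "$APPDEF_TXT_PRESENT" = "1" ] && [ "$BTSOM_EXEC_PRESENT" = "1" ] && [ "$BTSOM_EXEC_ACT" = "1" ]; then
        if [ -n "$IP_MPLANE" ]; then
            echo "-A MP_TRAFFIC -p tcp --dport 12000 -m state --state NEW -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
        fi
    else
        if [ -n "$IP_MPLANE" ]; then
            echo "-A MP_TRAFFIC -p tcp -m multiport --dport 14000 -m state --state NEW -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
        fi
        # only an explicit "0" means EPSec disabled
        if [ "$ETHSEC_ENABLE" != "0" ]; then
            echo "-I ETH_SECURITY_CHAIN 2 -p tcp --dport 14000 -m state --state NEW -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
        fi
    fi
}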


configure_rate_limiting_rules()
{
    echo "-N RENEG_RULE" >> $IPTABLES_FILE_TFILTER

    # check for "encrypt handshake" message
    var1="0>>22&0x3C@12>>26&0x3C@0>>24&0xFF=22&&0>>22&0x3C@12>>26&0x3C@1&0xFFFF@2&0xFF=20"
    echo "-A RENEG_RULE -p tcp -m u32 --u32 $var1 -m connmark --mark 0x200/0x300 -j CONNMARK --set-mark 0x300/0x300" >> $IPTABLES_FILE_TFILTER

    # check for "client key exchange" message
    var2="0>>22&0x3C@12>>26&0x3C@2&0xFF=16"
    echo "-A RENEG_RULE -p tcp -m u32 --u32 $var2 -m connmark --mark 0x100/0x300 -j CONNMARK --set-mark 0x200/0x300" >> $IPTABLES_FILE_TFILTER
    
    # check for "client hello" message
    var3="0>>22&0x3C@12>>26&0x3C@2&0xFF=1"
    echo "-A RENEG_RULE -p tcp -m u32 --u32 $var3 -m connmark --mark 0x000/0x300 -j CONNMARK --set-mark 0x100/0x300" >> $IPTABLES_FILE_TFILTER
  
    # 9 tcp connection limit imposed to reject simultaneous connections above 9
    echo "-I INPUT 9 -p tcp --dport 443 -m connlimit --connlimit-above 9  -j REJECT --reject-with tcp-reset" >> $IPTABLES_FILE_TFILTER

    # Check for renegotiation and reject if required
    echo "-A RENEG_RULE -p tcp -m connmark --mark 0x300/0x300 -m u32 --u32 $var1 -m hashlimit --hashlimit-above 5/minute --hashlimit-burst 5 --hashlimit-mode srcip,srcport --hashlimit-name ssl-reneg -j REJECT --reject-with tcp-reset" >> $IPTABLES_FILE_TFILTER
    
    # check for TLS version
       var4="0>>22&0x3C@12>>26&0x3C@0>>8=0x160300:0x160303"

    if [ "$IPVERSION" = "4" ]; then
        if [ "x$BTSOM_SIMULATED" = "x" ]; then
        #field case
                echo "-I INPUT 1 -m hashlimit -m tcp -p tcp --dport 22 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j DROP" >> $IPTABLES_FILE_TFILTER
                echo "-I INPUT 2 -m hashlimit -m tcp -p tcp --dport 443 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name https -m state --state NEW -j DROP" >> $IPTABLES_FILE_TFILTER
        else
        #simulation test case
                echo "-I INPUT 1 ! -i eth1 -m hashlimit -m tcp -p tcp --dport 22 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j DROP" >> $IPTABLES_FILE_TFILTER
                echo "-I INPUT 2 ! -i eth1 -m hashlimit -m tcp -p tcp --dport 443 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name https -m state --state NEW -j DROP" >> $IPTABLES_FILE_TFILTER
        fi

        echo "-I INPUT 3 -i br0+ -p tcp -m multiport --dport 6001,14000,12000,3300,443  -m u32  --u32 $var4 -j RENEG_RULE " >> $IPTABLES_FILE_TFILTER

        echo "-I INPUT 4 -i eth1+ -p tcp -m multiport --dport 6001,14000,12000,3300,443  -m u32  --u32 $var4 -j RENEG_RULE " >> $IPTABLES_FILE_TFILTER

        echo "-I INPUT 6 -p ICMP -j INGRESS_ICMP" >> $IPTABLES_FILE_TFILTER
    else

        echo "-I INPUT 3 -p icmpv6 -j INGRESS_ICMP" >> $IPTABLES_FILE_TFILTER
    fi
}

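#
# Accept packets of established/related connections early in INPUT
# (position 9 for IPv4, 4 for IPv6 — the two rulesets differ in length).
# Globals: IPVERSION (read)
# Outputs: appends to IPTABLES_FILE_TFILTER
#
configure_catch_all_rule()
{
    local pos
    if [ "$IPVERSION" = "4" ]; then
        pos=9
    else
        pos=4
    fi
    echo "-I INPUT ${pos} -m state --state ESTABLISHED,RELATED -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
}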

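#
# With EPSec enabled, route traffic arriving on the LMP (eth1+) through
# ETH_SECURITY_SRC (INPUT position 9 for IPv4, 4 for IPv6).
# Globals: ETHSEC_ENABLE, IPVERSION (read)
# Outputs: appends to IPTABLES_FILE_TFILTER
#
configure_ethSec_rule()
{
    local pos

    # Only an explicit "0" disables EPSec; the original "-ne 0" failed with
    # a shell error (and skipped the rule) when the value was empty.
    if [ "$ETHSEC_ENABLE" = "0" ]; then
        return 0
    fi

    if [ "$IPVERSION" = "4" ]; then
        pos=9
    else
        pos=4
    fi
    echo "-I INPUT ${pos} -i eth1+ -j ETH_SECURITY_SRC" >> "$IPTABLES_FILE_TFILTER"
}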

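#
# Apply firewall rules generated by the functions above: close each table
# file with COMMIT, concatenate them into the rs2 summary for the current
# IP version and load it with iptables-restore / ip6tables-restore.
# Globals: IPVERSION, IPTABLES_FILE_TFILTER, IPTABLES_FILE_TNAT,
#          IPTABLES_FILE_TMANGLE, IPTABLES_FILE_RS2, IPTABLES_FILE_RS2_IPV6 (read)
# Outputs: rewrites the rs2 summary file; a failed restore is reported on stderr
# Returns: the restore tool's exit status (the original discarded it, so a
#          rejected ruleset went unnoticed)
#
apply_fwcfg_settings()
{
    local rs2 restore rv

    if [ "$IPVERSION" = "6" ]; then
        rs2=$IPTABLES_FILE_RS2_IPV6
        restore=ip6tables-restore
    else
        rs2=$IPTABLES_FILE_RS2
        restore=iptables-restore
    fi

    echo "#Generated by iptables_system utility functions" > "$rs2"

    echo "COMMIT" >> "$IPTABLES_FILE_TFILTER"
    echo "COMMIT" >> "$IPTABLES_FILE_TNAT"
    echo "COMMIT" >> "$IPTABLES_FILE_TMANGLE"

    cat "$IPTABLES_FILE_TFILTER" >> "$rs2"

    # -t nat currently not available in ip6tables
    # -> include it when the NAT rules are also required (and supported) in the IPv6 case
    if [ "$IPVERSION" != "6" ]; then
        cat "$IPTABLES_FILE_TNAT" >> "$rs2"
    fi

    cat "$IPTABLES_FILE_TMANGLE" >> "$rs2"

    # -n: do not flush the rules already loaded (RmAdapter's rs1)
    "$restore" -n "$rs2" 2>/dev/null
    rv=$?
    if [ "$rv" -ne 0 ]; then
        printf 'apply_fwcfg_settings: %s failed with status %s; rules in %s were not applied\n' \
            "$restore" "$rv" "$rs2" >&2
    fi
    return "$rv"
}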

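#
## Apply firewall rules generated by RmAdapter.
## Note: This function is called twice, once for IPv4 and a second time for IPv6.
##
## Globals: IPVERSION, IPTABLES_FILE_RMADAPTER, IPTABLES_FILE_RMADAPTER_IPV6 (read)
## Returns: the restore tool's exit status (stderr is left visible, unlike
##          apply_fwcfg_settings)
##
configure_RmAdapter_rules()
{
    # -n: do not flush what is already loaded
    if [ "$IPVERSION" = "6" ]; then
        ip6tables-restore -n "$IPTABLES_FILE_RMADAPTER_IPV6"
    else
        iptables-restore -n "$IPTABLES_FILE_RMADAPTER"
    fi
}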


# Extended regex for one dotted-quad IPv4 address (each octet 0-255), used by
# is_ipv4_addr. NOTE: "\b" (word boundary) is a GNU grep extension — confirm
# the target's grep supports it.
_ipv4_octet='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
ipv4regex="\b${_ipv4_octet}\.${_ipv4_octet}\.${_ipv4_octet}\.${_ipv4_octet}\b"
unset _ipv4_octet

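#
# Test whether $1 contains an IPv4 dotted quad, as matched by ipv4regex
# (a longer string that merely embeds an address also passes).
# Arguments: $1 - string to test
# Globals:   ipv4regex (read)
# Returns:   0 when an address is found, 1 otherwise
#
is_ipv4_addr()
{
    # printf rather than echo: "$1" may start with '-' or contain backslashes.
    # grep -E replaces the deprecated egrep, and the pattern is quoted so its
    # '?' and '[...]' are never expanded as shell globs.
    if printf '%s\n' "$1" | grep -E -q -- "$ipv4regex"; then
        return 0
    fi
    # the original "return -1" is not a valid exit status (it surfaced as 255)
    return 1
}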

# In field case we are removing FTP server
# Field (non-simulated) case: the FTP server is not wanted on the unit, so
# any running vsftpd is stopped. Simulation runs (BTSOM_SIMULATED set) keep it.
if [ -z "$BTSOM_SIMULATED" ]; then
    killall vsftpd 2>/dev/null
fi

