#!/bin/sh
# LTE WMP environment-specific system iptables file
# see the iptables documentation for further help
# all protocols are IP

#**********************************************************************
# Project        : LTE FSMr3
# Component name : IPTABLES script File
# Filename       : iptables_system_ltwmp
# Generated by   : Vishwanatha R / Kishan K
# Created        : Fri Apr 29 02:00:04 2011
# Description    : Implementation iptables_system_ltwmp script file.
# Revision history (major events only -- see ClearCase comments for details):
# Copyright (c) Nokia 2009 All rights reserved
# Licensed Material - Property of Nokia Networks
#**********************************************************************

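# Pull in the shared helpers (check_init_fwcfg_env, configure_*, tryinclude,
# apply_*) from the util script located next to this one; IPTABLES/IPVERSION
# and the IP_* settings are presumably provided there as well -- confirm.
# The path is quoted so a directory name containing spaces stays one word.
. "$(dirname "$0")/iptables_system_util"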

#######################################
# Stop hook for this system. The rule set is intentionally left in place:
# the original author marked the (commented-out) reset_chains call as
# creating a vulnerability, so stopping only prints a trace line.
# Outputs:   one trace line on stdout
# Returns:   0
#######################################
stop_system() {
    # reset_chains is deliberately NOT called here -- see header comment.
    printf '%s\n' "stop_system() called..."
}

#######################################
# Start hook: generate this system's rule set, apply the fwcfg settings,
# then apply the rules issued directly through iptables commands.
# Globals:   none of its own; all work is done by helpers from
#            iptables_system_util and generate_system_rules below
# Returns:   status of apply_rules
#######################################
start_system() {
    # Step 1: build the ltwmp-specific rules (and the iptables save file).
    generate_system_rules

    # configure_RmAdapter_rules is intentionally not called here.

    # Step 2: apply the rules generated in the files.
    apply_fwcfg_settings

    # Step 3: apply all the rules generated using iptables commands.
    apply_rules
}

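# Do not add iptables Rules here. It will increase the iptables restart time.

#######################################
# Allow DNS replies from one server and, when the M-plane address is an
# IPv4 literal, source-NAT the queries sent to that server from it.
# Only called from generate_system_rules for IPVERSION=4.
# Globals:   IPTABLES, IP_MPLANE (read)
# Arguments: $1 - DNS server address (caller guarantees it is non-empty)
# Returns:   status of the last iptables command
#######################################
ltwmp_add_dns_server_rules()
{
    if [ -n "$IP_MPLANE" ]; then
        # A ':' in IP_MPLANE means an IPv6 literal, which cannot be the SNAT
        # source of an IPv4 rule; the NAT entry is skipped in that case.
        case "$IP_MPLANE" in
            *:*) ;;
            *) $IPTABLES -t nat -A POSTROUTING -d "$1" -p udp --dport 53 -j SNAT --to-source "$IP_MPLANE" ;;
        esac
    fi

    $IPTABLES -A INPUT -s "$1" -p udp --sport 53 -j ACCEPT
    $IPTABLES -A INPUT -s "$1" -p tcp --sport 53 -j ACCEPT
}

#######################################
# Build the ltwmp-specific filter/mangle/nat rules on top of the environment
# prepared by iptables_system_util (check_init_fwcfg_env, configure_*,
# tryinclude and set_*_rules all come from there).
# Written for POSIX sh (the file is #!/bin/sh): no "==" or [[ ]] tests.
# Globals:   IPTABLES, IPVERSION, NTP_SYNC_AS_REF, IP_DNS_SERVER1,
#            IP_DNS_SERVER2, IP_MPLANE (read);
#            LOCALHOST, EPORT, ETHIF, BTSOM_SIMULATED (written)
# Arguments: none
# Returns:   status of the last command run
#######################################
generate_system_rules()
{
    check_init_fwcfg_env

    # Loopback literal for the IP family being configured.
    LOCALHOST="127.0.0.1"
    if [ "$IPVERSION" = "6" ]; then
        LOCALHOST="::1"
    fi

    # TCP 15007 is reachable from the local host only; anything else is discarded.
    $IPTABLES -A INPUT ! -s "$LOCALHOST" -p tcp --dport 15007 -j DISCARD_CHAIN

    # to allow communication between master and slave boards
    $IPTABLES -A INPUT -i eth4 -j ACCEPT

    # enable 16009 CC&S Syscom traffic Intra-Zone
    if [ -e "/tmp/isFZAP" ]; then
        $IPTABLES -A INPUT -p udp --dport 16009 -j ACCEPT
    else
        $IPTABLES -A INPUT -p udp --dport 16009 -j DISCARD_CHAIN
    fi

    if [ -e "/tmp/iptables_addresses.conf" ]; then
        /opt/trs/bin/test_envInfo envInfoIfTRS > /dev/null
        # EPORT is derived from test_envInfo's exit status. It is not referenced
        # in this file -- presumably read by the sourced helpers; verify before
        # removing it.
        EPORT=eth$?+
        ETHIF=br0

        # Accept packets already carrying mark 2 (ipv4 multicast in case of L2Switching).
        $IPTABLES -t mangle -A PREROUTING -i br0+ -m mark --mark 2 -j ACCEPT

        if [ "$IPVERSION" = "6" ]; then
            # ff00::/9 (within the IPv6 multicast range): discard as source,
            # accept as destination on the bridge interfaces.
            $IPTABLES -t mangle -A PREROUTING -i "${ETHIF}+" -s ff00::/9 -j DISCARD_CHAIN
            $IPTABLES -t mangle -A PREROUTING -i "${ETHIF}+" -d ff00::/9 -j ACCEPT
        fi

        configure_rnd_ports_service

        # When acting as NTP reference, pin outgoing NTP to source ports 30001-30010.
        if [ "$NTP_SYNC_AS_REF" = "1" ]; then
            $IPTABLES -t nat -I POSTROUTING 1 -o br0+ -p udp --dport 123 -j SNAT --to-source :30001-30010
        fi

        # Remove existing conntrack entries for NTP (source port 123) in the
        # configured IP family.
        if [ "$IPVERSION" = "4" ]; then
            conntrack -D -p udp --sport 123
        elif [ "$IPVERSION" = "6" ]; then
            conntrack -f ipv6 -D -p udp --sport 123
        fi

        #Transport support for trace data
        $IPTABLES -A INPUT -p esp -j ACCEPT
    fi

    # Xoh BTS_OAM and Standalone TRS Mgr port handling
    configure_BTSOAM_TRSMGR_ports

    if [ "$IPVERSION" = "4" ]; then
        #Prevent spoofing for IPv4
        configure_spoofing_rules_trs
        configure_spoofing_rules_lmp
    fi

    # Configure Rate Limiting Rules
    configure_rate_limiting_rules

    # Configure Catch all rule
    configure_catch_all_rule

    # Configure SoE rule: skipped only when the simulator config says BTSOM is
    # simulated. An absent or empty setting falls back to "not simulated". The
    # value is matched with case -- the former unquoted [ ] test failed on an
    # empty value and silently skipped configure_ethSec_rule.
    BTSOM_SIMULATED="false"
    if [ -e "/ffs/run/trs_data/sim/start_script.conf" ]; then
        BTSOM_SIMULATED=$(grep BTSOM_SIMULATED /ffs/run/trs_data/sim/start_script.conf | cut -d'=' -f2)
    fi
    case "$BTSOM_SIMULATED" in
        y|Y|Yes|yes) ;;
        *) configure_ethSec_rule ;;
    esac

    # User defined Rules
    # Be careful while using "iptables_exit" (duplicating code). This can exit
    # iptables skipping full execution.
    # tryinclude (from iptables_system_util) appears to return 1 when the file
    # could not be included; the built-in rules are applied in that case --
    # confirm against the helper.
    tryinclude /tmp/iptables_user_ltwmp.script      # This_is_a_Hack_Please_DoNot_Remove
    if [ $? -eq 1 ]; then
        set_user_rules
    fi

    #Below rules is meant only for standalone mode.
    tryinclude /tmp/iptables_test_loopback.script   # This_is_a_Hack_Please_DoNot_Remove
    if [ $? -eq 1 ]; then
        set_sctp_loopback_rules
    fi

    # NOTE(review): ETHIF is only assigned inside the iptables_addresses.conf
    # branch above; when that file is absent the rules below see an empty
    # ETHIF and match "-i +". Left unchanged -- confirm the intended interface.
    tryinclude /ffs/run/trs_data/sim/SCTP_TEST_ENABLE
    if [ $? -eq 1 ]; then
        $IPTABLES -t mangle -I PREROUTING 1 -i "${ETHIF}+" -p sctp -j MARK --set-mark 100
        $IPTABLES -t mangle -I PREROUTING 2 -i "${ETHIF}+" -p sctp -j ACCEPT

        # Temporary check to avoid error messages on console (-m addrtype currently not available in ip6tables)
        $IPTABLES -t mangle -D PREROUTING -i "${ETHIF}+" -m addrtype ! --dst-type LOCAL -j DISCARD_CHAIN
        $IPTABLES -A FORWARD -p sctp -j ACCEPT
    fi

    $IPTABLES -A FORWARD -m mark --mark 2 -j ACCEPT

    # DNS (IPv4 only). The secondary server is configured only when a primary
    # one is set, as before.
    if [ "$IPVERSION" = "4" ]; then
        if [ -n "$IP_DNS_SERVER1" ]; then
            ltwmp_add_dns_server_rules "$IP_DNS_SERVER1"
            if [ -n "$IP_DNS_SERVER2" ]; then
                ltwmp_add_dns_server_rules "$IP_DNS_SERVER2"
            fi
        fi
    fi

    if [ "$IPVERSION" = "4" ]; then
        # DROP PACKETS WITH IP OPTIONS: the u32 match selects an IHL of 6..15,
        # i.e. a header longer than the option-less 20 bytes. IGMP is exempt
        # (presumably because it legitimately carries the Router Alert option).
        $IPTABLES -I INPUT 1 -m u32 --u32 "0&0x0F000000=0x06000000:0x0F000000" ! -p igmp -j DISCARD_CHAIN
    fi
}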


#######################################
# Status hook: print a banner and list the filter table.
# Globals:   IPTABLES (read)
# Outputs:   three banner lines followed by the verbose, numeric rule
#            listing on stdout
# Returns:   status of the iptables listing
#######################################
status_system() {
    printf '%s\n' \
        "======================================================================" \
        "                       filter - table" \
        "======================================================================"
    # -v: packet/byte counters, -n: no name resolution, -L: list (filter table)
    $IPTABLES -v -n -L
}
