#**********************************************************************
# Project        : LTE FSMr3
# Component name : IPTABLES script File
# Filename       : iptables_system_util
# Generated by   : Klietz J
# Created        : Fri Jul 27 10:00:00 2012
# Description    : Helper functions that generate iptables rule fragments
#                  (filter / nat / mangle) for the BTS firewall; the
#                  fragments are assembled by apply_fwcfg_settings.
# Revision history (major events only -- see svn comments for details):
# Copyright (c) Nokia 2012 All rights reserved
# Licensed Material - Property of Nokia Networks
#**********************************************************************
#
# Usage:
#   1 .... check_init_fwcfg_env
#   2a ... configure_rnd_ports_service (optional)
#   2b ... configure_trace_data_support (optional)
#   2c ... configure_BTSOAM_TRSMGR_ports (optional)
#   3 .... apply_fwcfg_settings
#
#**********************************************************************

# Init script information
# Location of the simulation start script. When it exists it is sourced,
# i.e. executed as shell code in this process, not parsed as data.
TRS_DATA="/ffs/run/trs_data"
TRS_SIM_DEST="${TRS_DATA}/sim"
INIT_NAME="start_script.conf"

# . /ffs/run/trs_data/sim/start_script.conf
if [ -f "${TRS_SIM_DEST}/${INIT_NAME}" ]; then
    . "${TRS_SIM_DEST}/${INIT_NAME}"
fi


# Flag files under /tmp consulted by the checks below (note: /tmp is a
# shared, usually world-writable location).
ENABLE_SSH="/tmp/ssh_enabled"
TRS_RND_FLAG_CHK_FILE="/tmp/trs_rnd_flag"   # sourced by check_init_fwcfg_env
WEB_SSH_OP="/tmp/web_ssh_op"
WEB_RND_OP="/tmp/web_gui_rnd"
ETHIF="br0"

# Per-run environment state; reset by init_fwcfg_env, filled in by
# check_init_fwcfg_env.
EPORT_LMP=""            # LMP port, eth<N>
UNIT_TYPE=""            # unit type string (e.g. UNIT_FZM)
RND_PORTS_SERVICE=0     # RND service ports: 1 = enabled
APPDEF_TXT_PRESENT=0    # 1 when /tmp/AppDef.txt exists
BTSOM_EXEC_PRESENT=0    # 1 when the BTSOM executable exists
BTSOM_EXEC_ACT=0        # 1 when the BTSOM executable is activated

#
## Firewall ruleset generated by RmAdapter
##
# Rule set 1: complete filter rule summaries produced by RmAdapter. Their
# presence tells the generators below which chains already exist.
IPTABLES_FILE_RMADAPTER="/tmp/iptables_firewall_rules"
IPTABLES_FILE_RMADAPTER_IPV6="/tmp/iptables_firewall_rules_ipv6"

# Rule set 2: per-table fragments written by the configure_* functions
# (iptables-restore syntax, one "*table" header each) ...
IPTABLES_FILE_TFILTER="/tmp/iptables_firewall_tfilter"
IPTABLES_FILE_TNAT="/tmp/iptables_firewall_tnat"
IPTABLES_FILE_TMANGLE="/tmp/iptables_firewall_tmangle"
# ... and the summaries they are concatenated into by apply_fwcfg_settings.
IPTABLES_FILE_RS2="/tmp/iptables_firewall_rs2"
IPTABLES_FILE_RS2_IPV6="/tmp/iptables_firewall_rs2v6"

# Reset every per-run flag to its default. The values are re-derived by
# check_init_fwcfg_env; EPSec defaults to ON, everything else to OFF/absent.
# Globals written: EPORT_LMP, UNIT_TYPE, ETHSEC_ENABLE, RND_PORTS_SERVICE,
#                  APPDEF_TXT_PRESENT, BTSOM_EXEC_PRESENT, BTSOM_EXEC_ACT
init_fwcfg_env()
{
    EPORT_LMP=""
    UNIT_TYPE=""
    # Secure default: EPSec enabled (1) unless the platform says otherwise.
    ETHSEC_ENABLE=1
    # Feature flags, all "off"/"not available" until proven otherwise.
    RND_PORTS_SERVICE=0
    APPDEF_TXT_PRESENT=0
    BTSOM_EXEC_PRESENT=0
    BTSOM_EXEC_ACT=0
}

# Start the three rule-set-2 fragments afresh, each with its
# iptables-restore table header; whatever a previous run left is truncated.
# Globals read: IPTABLES_FILE_TFILTER, IPTABLES_FILE_TNAT, IPTABLES_FILE_TMANGLE
init_fwcfg_rs2()
{
    printf '*filter\n' > "$IPTABLES_FILE_TFILTER"
    printf '*nat\n'    > "$IPTABLES_FILE_TNAT"
    printf '*mangle\n' > "$IPTABLES_FILE_TMANGLE"
}

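# Print the value of the last "KEY=value" line of a config file, but only
# when that value is a dotted quad; print nothing and fail otherwise.
#   $1 - key name (literal, no regex metacharacters)
#   $2 - file to read
_lmp_conf_ipv4()
{
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" 2>/dev/null \
        | tail -n 1 | tr -d ' \t\r' \
        | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Management-plane peer addresses used in the generated rules.
# The defaults apply when the address file is absent or carries no usable
# value. LMP_ADDR_CONF may be pre-set to read another file; it defaults to
# /tmp/lmp_addr.conf as before.
# Globals written: FCT_SYS_IP, MASTEROM_IP, LMP_ADDR_CONF
init_trs_ip_env()
{
    FCT_SYS_IP=192.168.255.1
    MASTEROM_IP=192.168.255.16
    LMP_ADDR_CONF="${LMP_ADDR_CONF:-/tmp/lmp_addr.conf}"

    if [ -e "$LMP_ADDR_CONF" ]; then
        # The previous "grep KEY | awk -F=" picked any line merely containing
        # the key and blanked the variable when nothing matched. These values
        # end up inside iptables rules, so only a well-formed address is
        # accepted and the default is kept otherwise. The file lives in /tmp:
        # whoever can write it steers which peers the firewall trusts.
        _ip=$(_lmp_conf_ipv4 FCT_SYS_IP "$LMP_ADDR_CONF") && FCT_SYS_IP=$_ip
        _ip=$(_lmp_conf_ipv4 MASTEROM_IP "$LMP_ADDR_CONF") && MASTEROM_IP=$_ip
        unset _ip
    fi
}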

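# Step 1 of the usage sequence: reset state, start the per-table fragments,
# load the management-plane addresses and probe the platform (unit type,
# LMP port, RND flag, EPSec flag, BTSOM application entry).
# Globals written: UNIT_TYPE, EPORT_LMP, RND_PORTS_SERVICE, ETHSEC_ENABLE,
#   APPDEF_TXT_PRESENT, BTSOM_APP_ENTRY, BTSOM_EXEC_PATH, BTSOM_EXEC_PRESENT,
#   BTSOM_EXEC_ACT.
# $IPTABLES is NOT defined in this file: the caller must set it (iptables or
# ip6tables) before calling.
check_init_fwcfg_env()
{
    init_fwcfg_env
    init_fwcfg_rs2
    init_trs_ip_env

    # The platform tool prints a line containing "UNIT" (e.g. UNIT_FZM).
    UNIT_TYPE=$(/opt/trs/bin/test_envInfo envInfoUnitTypeIsFzm | grep UNIT)

    # Target chains referenced by the generated rules; created live here,
    # not through the rule fragments.
    $IPTABLES -N DISCARD_CHAIN
    $IPTABLES -A DISCARD_CHAIN -j DROP
    $IPTABLES -N RATELIMIT_CHAIN
    $IPTABLES -A RATELIMIT_CHAIN -j DROP
    $IPTABLES -t mangle -N DISCARD_CHAIN
    $IPTABLES -t mangle -A DISCARD_CHAIN -j DROP

    if [ "UNIT_FZM" = "$UNIT_TYPE" ]; then
        # The tool's exit status is used as the LMP interface number (eth<N>).
        /opt/trs/bin/test_envInfo envInfoIfLMP > /dev/null
        EPORT_LMP="eth$?"

        # NOTE(review): /tmp/trs_rnd_flag is executed as shell code. Anyone
        # able to create that file before this runs gets code execution in
        # the firewall-setup context. If it only ever carries
        # RND_PORTS_SERVICE=0|1, a strict key=value parse would be safer
        # -- confirm what writes it before changing this.
        if [ -f "$TRS_RND_FLAG_CHK_FILE" ]; then
            . "$TRS_RND_FLAG_CHK_FILE"
        fi
        # Normalise to 0/1 with the same numeric test the consumers use, so
        # a non-numeric value is "off" without error noise downstream.
        if [ "$RND_PORTS_SERVICE" -eq 1 ] 2>/dev/null; then
            RND_PORTS_SERVICE=1
        else
            RND_PORTS_SERVICE=0
        fi

        # EPSec flag: accept only an exact ETHSEC_ENABLE=0|1 line. A missing
        # or malformed entry keeps the secure default (1). The previous
        # unanchored grep/sed left any other text behind, which every
        # "= 1" / "-ne 0" test downstream then treated as "disabled".
        ETHSEC_ENABLE=1
        if [ -e "/tmp/iptables_addresses.conf" ]; then
            _ethsec=$(sed -n 's/^[[:space:]]*ETHSEC_ENABLE=\([01]\)[[:space:]]*$/\1/p' /tmp/iptables_addresses.conf | tail -n 1)
            case "$_ethsec" in
                0|1) ETHSEC_ENABLE=$_ethsec ;;
            esac
            unset _ethsec
        fi
    fi

    if [ -e "/tmp/AppDef.txt" ]; then
        APPDEF_TXT_PRESENT=1

        # First line mentioning CELLP (the previous code flattened all
        # matching lines into one, which yields a bogus path when several
        # match). Field 2 is the executable path; only a line whose first
        # ';'-field is exactly CELLP counts as "activated", a line that merely
        # mentions CELLP (presumably a disabled entry) still counts as present.
        BTSOM_APP_ENTRY=$(grep CELLP /tmp/AppDef.txt | head -n 1)
        if [ -n "$BTSOM_APP_ENTRY" ]; then
            BTSOM_EXEC_PATH=$(printf '%s\n' "$BTSOM_APP_ENTRY" | cut -d';' -f2)
            if [ -n "$BTSOM_EXEC_PATH" ] && [ -e "$BTSOM_EXEC_PATH" ]; then
                BTSOM_EXEC_PRESENT=1
                if [ "$(printf '%s\n' "$BTSOM_APP_ENTRY" | cut -d';' -f1)" = 'CELLP' ]; then
                    BTSOM_EXEC_ACT=1
                fi
            fi
        fi
    fi
}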


#
# Precondition: call check_init_fwcfg_env before configure_rnd_ports_service
#
#
# Precondition: call check_init_fwcfg_env before configure_rnd_ports_service
#
# RND service ports 15001-15005, filter table. Applies only to an FZM unit
# whose LMP port is eth1; nothing is emitted otherwise.
# Reads UNIT_TYPE, EPORT_LMP, ETHSEC_ENABLE, RND_PORTS_SERVICE; appends to
# $IPTABLES_FILE_TFILTER.
#   RND service off : the ports are discarded on INPUT, regardless of EPSec.
#   RND service on  : MP_TRAFFIC may reach the ports; on the LMP port itself
#                     they are discarded with EPSec on, accepted with it off.
configure_rnd_ports_service()
{
    if [ "UNIT_FZM" = "$UNIT_TYPE" ] && [ "eth1" = "$EPORT_LMP" ]; then
        if [ "$RND_PORTS_SERVICE" -eq 1 ]; then
            if [ "$ETHSEC_ENABLE" = 1 ]; then
                rnd_lmp_target=DISCARD_CHAIN
            else
                rnd_lmp_target=ACCEPT
            fi
            {
                echo "-I INPUT 1 -p tcp -i $EPORT_LMP+ --dport 15001:15005  -j $rnd_lmp_target"
                echo "-A MP_TRAFFIC -p tcp -m multiport --dport 15001:15005  -j ACCEPT"
            } >> "$IPTABLES_FILE_TFILTER"
            unset rnd_lmp_target
        else
            echo "-I INPUT -p tcp -m multiport --dport 15001:15005  -j DISCARD_CHAIN" >> "$IPTABLES_FILE_TFILTER"
        fi
    fi
}

# Outbound counterpart of configure_rnd_ports_service, mangle table: with
# EPSec OFF and the RND service ON, traffic leaving from ports 15001-15005 is
# steered into CHAIN_MPLANE. Nothing is emitted in any other combination or
# on a non-FZM unit / non-eth1 LMP port.
# Reads UNIT_TYPE, EPORT_LMP, ETHSEC_ENABLE, RND_PORTS_SERVICE.
configure_rnd_ports_service_mangle()
{
    if [ "UNIT_FZM" != "$UNIT_TYPE" ] || [ "eth1" != "$EPORT_LMP" ]; then
        return
    fi
    if [ "$ETHSEC_ENABLE" = 0 ] && [ "$RND_PORTS_SERVICE" -eq 1 ]; then
        echo "-A OUTPUT -p tcp -m multiport --sport 15001:15005  -j CHAIN_MPLANE" >> "$IPTABLES_FILE_TMANGLE"
    fi
}

#This is called only when SoE is enabled
# Outbound anti-spoofing for the LMP interface (eth1+), filter table.
# Hooks the shared IP_OUT_SPOOF_CHECK_SRC/DST chains into OUTPUT for
# 192.168.255.0/24 and adds the SoE peer exceptions. The chains themselves
# are created by configure_spoofing_rules_trs, which must have run first.
# Emits nothing unless ETHSEC_ENABLE is 1.
configure_spoofing_rules_lmp()
{
    if [ "$ETHSEC_ENABLE" != 1 ]; then
        return
    fi
    {
        echo "-I OUTPUT 3 -o eth1+ -s 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_SRC"
        echo "-I OUTPUT 4 -o eth1+ -d 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_DST"
        # SoE peers allowed via eth1+ ahead of the discard ranges appended by
        # configure_spoofing_rules_trs (.125-.131 covers these addresses).
        echo "-I IP_OUT_SPOOF_CHECK_DST 1 -o eth1+ -d 192.168.255.126 -j ACCEPT"
        echo "-I IP_OUT_SPOOF_CHECK_DST 2 -o eth1+ -d 192.168.255.130 -j ACCEPT"
        echo "-I IP_OUT_SPOOF_CHECK_SRC 1 -o eth1+ -s 192.168.255.129 -j ACCEPT"
    } >> "$IPTABLES_FILE_TFILTER"
}
# Inbound anti-spoofing for the LMP interface (eth1+), mangle PREROUTING.
# IP_SPOOF_CHECK_SRC/DST are created by configure_spoofing_rules_trs_mangle.
# Emits nothing unless ETHSEC_ENABLE is 1.
#
# NOTE(review): the two PREROUTING hooks select 192.168.254.0/24, while every
# rule inside IP_SPOOF_CHECK_* and the eth1+ exceptions below are
# 192.168.255.x (the br0+ hooks in configure_spoofing_rules_trs_mangle use
# 192.168.255.0/24). As far as this file shows, the eth1+ exceptions can never
# match and 192.168.255.x arriving on eth1+ is not sent through the check
# chains at all -- confirm whether .254 is intended or a typo for .255.
configure_spoofing_rules_lmp_mangle()
{
    [ "$ETHSEC_ENABLE" = 1 ] || return 0
    {
        echo "-I PREROUTING 1 -i eth1+ -d 192.168.254.0/24 -j IP_SPOOF_CHECK_DST"
        echo "-I PREROUTING 2 -i eth1+ -s 192.168.254.0/24 -j IP_SPOOF_CHECK_SRC"
        # Exceptions for SoE related peer IPs
        echo "-I IP_SPOOF_CHECK_SRC 1 -i eth1+ -s 192.168.255.126 -j ACCEPT"
        echo "-I IP_SPOOF_CHECK_SRC 2 -i eth1+ -s 192.168.255.130 -j ACCEPT"
        echo "-I IP_SPOOF_CHECK_DST 1 -i eth1+ -d 192.168.255.129 -j ACCEPT"
    } >> "$IPTABLES_FILE_TMANGLE"
}

#Make sure that configure_spoofing_rules_trs is called before configure_spoofing_rules_lmp as chains are re-used from configure_spoofing_rules_trs
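# Outbound anti-spoofing for the TRS bridge (br0+), filter table.
# Creates IP_OUT_SPOOF_CHECK_SRC/DST and hooks them into OUTPUT for
# 192.168.255.0/24. The chains are reused for eth1+ by
# configure_spoofing_rules_lmp, so this function must run first.
# Reads RND_PORTS_SERVICE; appends to $IPTABLES_FILE_TFILTER.
# Fix vs. the previous version: the "udp --dport 53" ACCEPT was emitted
# twice; it is now emitted once.
configure_spoofing_rules_trs()
{
    {
        echo "-N IP_OUT_SPOOF_CHECK_SRC"
        echo "-N IP_OUT_SPOOF_CHECK_DST"
        echo "-I OUTPUT 1 -o br0+ -s 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_SRC"
        echo "-I OUTPUT 2 -o br0+ -d 192.168.255.0/24 -j IP_OUT_SPOOF_CHECK_DST"

        # NOTE(review): this IP_SPOOF_CHECK_DST lives in the *filter* table
        # and nothing in this file jumps to it there (the OUTPUT hooks use
        # IP_OUT_SPOOF_CHECK_*, the PREROUTING hooks are in mangle). It looks
        # like dead configuration -- confirm before relying on it.
        if [ "$RND_PORTS_SERVICE" -eq 1 ]; then
            echo "-N IP_SPOOF_CHECK_DST"
            echo "-I IP_SPOOF_CHECK_DST 1  -m multiport -p tcp -d 192.168.255.1 --dport 15001:15006 -j ACCEPT"
        fi

        # Destinations br0+ must never be used to reach: last octet, single
        # value or a-b range (.241-.246 intentionally not listed).
        for _x in 64-92 96-103 125-131 141 151-159 161-169 171-179 181-189 191-199 201-209 211-219 221-229 231-239; do
            case "$_x" in
                *-*) echo "-A IP_OUT_SPOOF_CHECK_DST  -m iprange --dst-range 192.168.255.${_x%-*}-192.168.255.${_x#*-}  -j DISCARD_CHAIN" ;;
                *)   echo "-A IP_OUT_SPOOF_CHECK_DST  -d 192.168.255.$_x -j DISCARD_CHAIN" ;;
            esac
        done

        # Source checks. Allowed ahead of the discards: replies from the
        # 15010-15014 / LDAP ports, DNS queries, and MasterOM (.16) opening
        # 15010-15014 (inserted at position 1).
        echo "-A IP_OUT_SPOOF_CHECK_SRC  -m multiport -p tcp --sport 15010:15014,389 -j ACCEPT"
        echo "-A IP_OUT_SPOOF_CHECK_SRC  -m multiport -p udp --dport 53 -j ACCEPT"
        echo "-I IP_OUT_SPOOF_CHECK_SRC 1  -m multiport -p tcp -s 192.168.255.16 --dport 15010:15014 -j ACCEPT"

        # Everything else claiming one of these source addresses is dropped.
        for _x in 1 3 5 16 33-35 39-41 45-47 52-59 64-92 96-103 125-131 141 151-159 161-169 171-179 181-189 191-199 201-209 211-219 221-229 231-239; do
            case "$_x" in
                *-*) echo "-A IP_OUT_SPOOF_CHECK_SRC  -m iprange --src-range 192.168.255.${_x%-*}-192.168.255.${_x#*-}  -j DISCARD_CHAIN" ;;
                *)   echo "-A IP_OUT_SPOOF_CHECK_SRC  -s 192.168.255.$_x -j DISCARD_CHAIN" ;;
            esac
        done
    } >> "$IPTABLES_FILE_TFILTER"
    unset _x
}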

# Inbound anti-spoofing for the TRS bridge (br0+), mangle PREROUTING.
# Creates IP_SPOOF_CHECK_SRC/DST (reused for eth1+ by
# configure_spoofing_rules_lmp_mangle) and hooks them into PREROUTING for
# 192.168.255.0/24. Reads RND_PORTS_SERVICE; appends to
# $IPTABLES_FILE_TMANGLE and -- see the note at the end -- to
# $IPTABLES_FILE_TFILTER.
configure_spoofing_rules_trs_mangle()
{
    # Last-octet block list shared by the SRC and DST checks
    # (.241-.246 intentionally not listed).
    _blocked="1 3 5 16 33-35 39-41 45-47 52-59 64-92 96-103 125-131 141 151-159 161-169 171-179 181-189 191-199 201-209 211-219 221-229 231-239"

    {
        echo "-N IP_SPOOF_CHECK_SRC"
        echo "-N IP_SPOOF_CHECK_DST"
        echo "-I PREROUTING 1 -i br0+ -s 192.168.255.0/24 -j IP_SPOOF_CHECK_SRC"
        echo "-I PREROUTING 2 -i br0+ -d 192.168.255.0/24 -j IP_SPOOF_CHECK_DST"

        # Packets arriving on br0+ that claim one of the listed sources.
        for _x in $_blocked; do
            case "$_x" in
                *-*) echo "-A IP_SPOOF_CHECK_SRC  -m iprange --src-range 192.168.255.${_x%-*}-192.168.255.${_x#*-}  -j DISCARD_CHAIN" ;;
                *)   echo "-A IP_SPOOF_CHECK_SRC  -s 192.168.255.$_x -j DISCARD_CHAIN" ;;
            esac
        done

        # Destination exceptions, both inserted at position 1 (so the
        # MasterOM rule ends up first, the RND rule second when present).
        if [ "$RND_PORTS_SERVICE" -eq 1 ]; then
            echo "-I IP_SPOOF_CHECK_DST 1  -m multiport -p tcp -d 192.168.255.1 --dport 15001:15006 -j ACCEPT"
        fi
        echo "-I IP_SPOOF_CHECK_DST 1  -m multiport -p tcp -d 192.168.255.16 --dport 15010:15014 -j ACCEPT"

        # Packets arriving on br0+ addressed to one of the listed hosts.
        for _x in $_blocked; do
            case "$_x" in
                *-*) echo "-A IP_SPOOF_CHECK_DST  -m iprange --dst-range 192.168.255.${_x%-*}-192.168.255.${_x#*-}  -j DISCARD_CHAIN" ;;
                *)   echo "-A IP_SPOOF_CHECK_DST  -d 192.168.255.$_x -j DISCARD_CHAIN" ;;
            esac
        done
    } >> "$IPTABLES_FILE_TMANGLE"

    # NOTE(review): the following are *filter*-table rules (they complete the
    # IP_OUT_SPOOF_CHECK_DST block list started in configure_spoofing_rules_trs)
    # but are emitted from this "mangle" function, so the filter list is
    # incomplete unless both functions run. Kept here to preserve behaviour.
    {
        for _x in 1 3 5 16 33-35 39-41 45-47 52-59; do
            case "$_x" in
                *-*) echo "-A IP_OUT_SPOOF_CHECK_DST  -m iprange --dst-range 192.168.255.${_x%-*}-192.168.255.${_x#*-}  -j DISCARD_CHAIN" ;;
                *)   echo "-A IP_OUT_SPOOF_CHECK_DST  -d 192.168.255.$_x -j DISCARD_CHAIN" ;;
            esac
        done
    } >> "$IPTABLES_FILE_TFILTER"
    unset _blocked _x
}

# Xoh BTS_OAM(12000), Standalone TRS Mgr(14000)
#
# Precondition: call check_init_fwcfg_env before configure_BTSOAM_TRSMGR_ports
#
# Opens the OAM management port in MP_TRAFFIC: 12000 (BTS_OAM) when the BTSOM
# executable is present and activated, otherwise 14000 (standalone TRS
# manager). The 14000 case additionally whitelists the port in
# ETH_SECURITY_CHAIN when EPSec is on. ETH_SECURITY_CHAIN is created here only
# when no RmAdapter rule set exists.
# Reads APPDEF_TXT_PRESENT, BTSOM_EXEC_PRESENT, BTSOM_EXEC_ACT, ETHSEC_ENABLE
# and, from the caller, IP_MPLANE and IPVERSION. Writes INDEX.
configure_BTSOAM_TRSMGR_ports()
{
    if [ ! -f "$IPTABLES_FILE_RMADAPTER" ]; then
        echo "-N ETH_SECURITY_CHAIN" >> "$IPTABLES_FILE_TFILTER"
    fi

    btsom_active=0
    if [ "$APPDEF_TXT_PRESENT" -eq 1 ] && [ "$BTSOM_EXEC_PRESENT" -eq 1 ] && [ "$BTSOM_EXEC_ACT" -eq 1 ]; then
        btsom_active=1
    fi

    if [ "$btsom_active" -eq 1 ]; then
        # MP_TRAFFIC rules are only emitted when an M-plane address exists.
        if [ -n "$IP_MPLANE" ]; then
            echo "-A MP_TRAFFIC -p tcp --dport 12000 -m state --state NEW -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
        fi
    else
        if [ -n "$IP_MPLANE" ]; then
            echo "-A MP_TRAFFIC -p tcp -m multiport --dport 14000 -m state --state NEW -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
        fi
        if [ "$ETHSEC_ENABLE" -ne 0 ]; then
            # Position 2 for IPv4; any other IPVERSION inserts at the top
            # (empty INDEX).
            INDEX=""
            [ "$IPVERSION" = "4" ] && INDEX=2
            echo "-I ETH_SECURITY_CHAIN $INDEX -p tcp --dport 14000 -m state --state NEW -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
        fi
    fi
    unset btsom_active
}


# Rate limiting and TLS renegotiation protection on INPUT (filter table).
# Reads IPVERSION, BTSOM_SIMULATED (from the caller) and
# IPTABLES_FILE_RMADAPTER; appends to $IPTABLES_FILE_TFILTER. Writes the
# u32 pattern variables var1..var4 as globals. RATELIMIT_CHAIN is created
# by check_init_fwcfg_env; INGRESS_ICMP only when no RmAdapter rule set
# exists.
#
# u32 patterns: the prefix "0>>22&0x3C@12>>26&0x3C@" skips the IP header
# (IHL*4) and the TCP header (data offset*4), so every later offset is
# relative to the start of the TCP payload, i.e. the TLS record header.
#
# Positions: INPUT rules are inserted at fixed indices (1,2,3,4,6,9), and
# configure_catch_all_rule / configure_ethSec_rule also insert at 9, so the
# final order depends on the order in which the configure_* functions are
# called. Only the IPv4 branch installs the SSH/HTTPS rate limits, the
# renegotiation check and the HTTPS connection limit; IPv6 gets the ICMPv6
# hook only.
configure_rate_limiting_rules()
{
    echo "-N RENEG_RULE" >> $IPTABLES_FILE_TFILTER
   if [ ! -f $IPTABLES_FILE_RMADAPTER ]; then
       echo "-N INGRESS_ICMP" >> $IPTABLES_FILE_TFILTER
   fi

    # check for "encrypt handshake" message
    # Appears to test: first byte 22 (0x16, handshake record) and the record
    # that follows it has content type 20 (ChangeCipherSpec), i.e. the peer
    # is about to send its encrypted Finished -- confirm against u32 semantics.
    # Advances the connection mark 0x200 -> 0x300 (handshake complete).
    var1="0>>22&0x3C@12>>26&0x3C@0>>24&0xFF=22&&0>>22&0x3C@12>>26&0x3C@1&0xFFFF@2&0xFF=20"
    echo "-A RENEG_RULE -p tcp -m u32 --u32 $var1 -m connmark --mark 0x200/0x300 -j CONNMARK --set-mark 0x300/0x300" >> $IPTABLES_FILE_TFILTER

    # check for "client key exchange" message
    # Byte 5 of the payload (handshake message type) == 16 (ClientKeyExchange):
    # mark 0x100 -> 0x200.
    var2="0>>22&0x3C@12>>26&0x3C@2&0xFF=16"
    echo "-A RENEG_RULE -p tcp -m u32 --u32 $var2 -m connmark --mark 0x100/0x300 -j CONNMARK --set-mark 0x200/0x300" >> $IPTABLES_FILE_TFILTER

    # check for "client hello" message
    # Handshake message type == 1 (ClientHello): mark 0x000 -> 0x100.
    var3="0>>22&0x3C@12>>26&0x3C@2&0xFF=1"
    echo "-A RENEG_RULE -p tcp -m u32 --u32 $var3 -m connmark --mark 0x000/0x300 -j CONNMARK --set-mark 0x100/0x300" >> $IPTABLES_FILE_TFILTER


    # Check for renegotiation and reject if required
    # A connection already at 0x300 that shows the var1 pattern again is
    # renegotiating; more than 5/minute (burst 5) per source ip+port is
    # answered with a TCP reset.
    echo "-A RENEG_RULE -p tcp -m connmark --mark 0x300/0x300 -m u32 --u32 $var1 -m hashlimit --hashlimit-above 5/minute --hashlimit-burst 5 --hashlimit-mode srcip,srcport --hashlimit-name ssl-reneg -j REJECT --reject-with tcp-reset" >> $IPTABLES_FILE_TFILTER

    # check for TLS version
    # First three payload bytes 0x16 03 00..03: a handshake record with
    # version SSL 3.0 .. TLS 1.2; only such packets enter RENEG_RULE.
       var4="0>>22&0x3C@12>>26&0x3C@0>>8=0x160300:0x160303"

    if [ "$IPVERSION" = "4" ]; then
        # New SSH (22) and HTTPS (443) connections above 300/minute
        # (burst 350) per source IP go to RATELIMIT_CHAIN (= DROP).
        if [ "x$BTSOM_SIMULATED" = "x" ]; then
        #field case
                echo "-I INPUT 1 -m hashlimit -m tcp -p tcp --dport 22 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j RATELIMIT_CHAIN" >> $IPTABLES_FILE_TFILTER
                echo "-I INPUT 2 -m hashlimit -m tcp -p tcp --dport 443 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name https -m state --state NEW -j RATELIMIT_CHAIN" >> $IPTABLES_FILE_TFILTER
        else
        #simulation test case
        # Same limits, but traffic arriving on eth1 is exempt.
                echo "-I INPUT 1 ! -i eth1 -m hashlimit -m tcp -p tcp --dport 22 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j RATELIMIT_CHAIN" >> $IPTABLES_FILE_TFILTER
                echo "-I INPUT 2 ! -i eth1 -m hashlimit -m tcp -p tcp --dport 443 --hashlimit-above 300/minute --hashlimit-burst 350 --hashlimit-mode srcip --hashlimit-name https -m state --state NEW -j RATELIMIT_CHAIN" >> $IPTABLES_FILE_TFILTER
        fi

        # TLS handshake records for the TLS-terminating services on br0+
        # and eth1+ are run through the renegotiation state machine.
        echo "-I INPUT 3 -i br0+ -p tcp -m multiport --dport 6001,14000,12000,3300,443  -m u32  --u32 $var4 -j RENEG_RULE " >> $IPTABLES_FILE_TFILTER

        echo "-I INPUT 4 -i eth1+ -p tcp -m multiport --dport 6001,14000,12000,3300,443  -m u32  --u32 $var4 -j RENEG_RULE " >> $IPTABLES_FILE_TFILTER

        echo "-I INPUT 6 -p ICMP -j INGRESS_ICMP" >> $IPTABLES_FILE_TFILTER

        # 9 tcp connection limit imposed to reject simultaneous connections above 9
        # (connlimit counts per source, default /32 mask).
        echo "-I INPUT 9 -p tcp --dport 443 -m connlimit --connlimit-above 9  -j REJECT --reject-with tcp-reset" >> $IPTABLES_FILE_TFILTER
    else

        # IPv6: no SSH/HTTPS rate limit, renegotiation or connection-limit
        # rules are installed here, only the ICMPv6 hook.
        echo "-I INPUT 3 -p icmpv6 -j INGRESS_ICMP" >> $IPTABLES_FILE_TFILTER
    fi
}

# Accept established/related traffic -- TCP only, despite the name.
# Inserted at absolute INPUT position 9 for IPv4 and 4 otherwise, so the
# effective position depends on what the other configure_* functions have
# already inserted. Reads IPVERSION; appends to $IPTABLES_FILE_TFILTER.
configure_catch_all_rule()
{
    catch_all_pos=4
    [ "$IPVERSION" = "4" ] && catch_all_pos=9
    echo "-I INPUT $catch_all_pos -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT" >> "$IPTABLES_FILE_TFILTER"
    unset catch_all_pos
}

# Send everything arriving on the LMP interface (eth1+) through
# ETH_SECURITY_SRC when EPSec is on. Does nothing for IPv6. ETH_SECURITY_SRC
# is created here only when no RmAdapter rule set exists.
# Reads IPVERSION, ETHSEC_ENABLE, IPTABLES_FILE_RMADAPTER; appends to
# $IPTABLES_FILE_TFILTER.
configure_ethSec_rule()
{
    [ "$IPVERSION" = "6" ] && return

    if [ ! -f "$IPTABLES_FILE_RMADAPTER" ]; then
        echo "-N ETH_SECURITY_SRC" >> "$IPTABLES_FILE_TFILTER"
    fi
    if [ "$ETHSEC_ENABLE" -ne 0 ]; then
        # Absolute position 9 for IPv4; the 4 is only reached when IPVERSION
        # is neither "4" nor "6" (e.g. unset).
        ethsec_pos=4
        [ "$IPVERSION" = "4" ] && ethsec_pos=9
        echo "-I INPUT $ethsec_pos -i eth1+ -j ETH_SECURITY_SRC" >> "$IPTABLES_FILE_TFILTER"
        unset ethsec_pos
    fi
}

#
# Apply firewall rules generated by the functions above.
#
#
# Apply firewall rules generated by the functions above.
#
# Terminates the three per-table fragments with COMMIT and concatenates them
# into the rule-set-2 summary for the IP version in use (IPTABLES_FILE_RS2,
# or IPTABLES_FILE_RS2_IPV6 when IPVERSION is 6). The summary is rewritten
# on every call; the fragments are only appended to, so calling this twice
# leaves two COMMITs in each fragment. The nat fragment is committed but not
# included in the IPv6 summary (no nat table in ip6tables when this was
# written). Reads IPVERSION and the IPTABLES_FILE_* variables.
apply_fwcfg_settings()
{
    if [ "$IPVERSION" = "6" ]; then
        fw_summary=$IPTABLES_FILE_RS2_IPV6
    else
        fw_summary=$IPTABLES_FILE_RS2
    fi

    for fw_frag in "$IPTABLES_FILE_TFILTER" "$IPTABLES_FILE_TNAT" "$IPTABLES_FILE_TMANGLE"; do
        echo "COMMIT" >> "$fw_frag"
    done

    echo "#Generated by iptables_system utility functions" > "$fw_summary"
    cat "$IPTABLES_FILE_TFILTER" >> "$fw_summary"
    if [ "$IPVERSION" != "6" ]; then
        cat "$IPTABLES_FILE_TNAT" >> "$fw_summary"
    fi
    cat "$IPTABLES_FILE_TMANGLE" >> "$fw_summary"
    unset fw_summary fw_frag
}

# Dotted-quad pattern for grep -E: four octets, each limited to 0-255.
# "\b" (word boundary) is a GNU extension, not POSIX ERE.
ipv4regex="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"

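# Succeed (0) when $1 is exactly one IPv4 dotted quad, fail (1) otherwise.
# Uses the global ipv4regex. Changes vs. the previous version: the whole
# argument must match (-x) -- "1.2.3.4.5" or "host 1.2.3.4" used to pass
# because only a substring was required, which is the wrong answer for a
# value about to be placed in a firewall rule; the argument is no longer
# word-split/globbed by an unquoted echo; and the failure status is a valid
# 1 instead of "return -1".
is_ipv4_addr()
{
    if printf '%s\n' "$1" | grep -Eqx -- "$ipv4regex"; then
        return 0
    fi
    return 1
}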

# In field case we are removing FTP server
# Field case (BTSOM_SIMULATED unset/empty): the FTP server is not wanted on a
# deployed unit, so stop it. Errors (e.g. no such process) are ignored.
if [ -z "$BTSOM_SIMULATED" ]; then
    killall vsftpd 2>/dev/null
fi

