#!/bin/bash

### BEGIN INIT INFO
# Provides:          init-firewall
# Required-Start:    $syslog $network
# Required-Stop:     $syslog
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: NuFace firewall script
# Description:       Firewall script created by nuface.
### END INIT INFO

#
# NuFace firewall script
# 2005-2006 INL
# chkconfig: 2345 80 30
# description: init-firewall is a script set by NuFace
#

# --- Tools ---------------------------------------------------------------
# Command variables are expanded unquoted at the call sites; the --debug
# handling below relies on that to append an option to nupyf.
ipt="/sbin/iptables"
iptsave="/sbin/iptables-save"
iptrestore="/sbin/iptables-restore"
nupyf="/usr/sbin/nupyf"

# --- Configuration and state locations -----------------------------------
ETCDIR="/etc/nuface"
BASEDIR="/var/lib/nuface"
BASEDIR_DYN="${BASEDIR}/dyn"
MODE_FILE="${BASEDIR}/mode"                   # last explicit nufw/nonufw choice
LOCAL_RULES_D="${BASEDIR}/local_rules.d"      # site rules, see find_local_rules
LOCAL_NAT_RULES="${BASEDIR}/nat"              # sourced after the generated rules
STOP_RULES="${BASEDIR}/stop_rules"            # sourced by the stop action
BACKUP_FILE="${BASEDIR}/backups/firewall_good_conf"   # rollback snapshot
MANGLE_RULES_PRE="${BASEDIR}/pre-mangle"
MANGLE_RULES_POST="${BASEDIR}/post-mangle"
MANGLE_RULES_DYN="${BASEDIR_DYN}/vpn_rules"

# Scratch file handed to iptables-restore (kept under BASEDIR, not /tmp).
TMP_RULES="${BASEDIR}/iptables_rules"
# Generated rule sets: one directory per mode, same file names in each.
NUFW_RULES_DIR="${BASEDIR_DYN}/nufw"
STD_RULES_DIR="${BASEDIR_DYN}/standard"
DISPATCH_RULES="dispatch_rules"
DEFAULT_ESTREL_INVALID="default_estrel_invalid"
DISPATCH_TARGETS="dispatch_targets"
FWD_RULES="forward_rules"
INPUT_RULES="input_rules"
OUTPUT_RULES="output_rules"
NAT_RULES="nat_rules"
MANGLE_RULES="mangle_rules"
L7_RULES="l7_rules"

LDAP_DATA="${BASEDIR_DYN}/ldap_objects"
NUPYF_CONF="${ETCDIR}/nupyf.conf"

LOCK_FILE="/var/lock/fw-init"

# fail2ban is only restarted when FAIL2BAN_ENABLED is set to 1 (off here).
FAIL2BAN="/etc/init.d/fail2ban"
FAIL2BAN_ENABLED=""

# Set to 0 to skip the nat/forward rule files (the stop action does this).
MANAGE_NAT=1
MANAGE_FORWARD=1

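# Abort early unless every rule file nuface is expected to have generated
# exists in both the nufw and the standard rules directory.  The NAT rules
# file is only required while NAT is managed (MANAGE_NAT=1).
# Exits 1 with a message naming the first missing file.
for dir in "$NUFW_RULES_DIR" "$STD_RULES_DIR"; do
  # Same order as the historical one-check-per-file version.
  required_files=("$DISPATCH_RULES" "$DEFAULT_ESTREL_INVALID" "$DISPATCH_TARGETS" \
                  "$FWD_RULES" "$MANGLE_RULES" "$INPUT_RULES" "$OUTPUT_RULES")
  if [ "$MANAGE_NAT" = 1 ]; then
    required_files+=("$NAT_RULES")
  fi
  for name in "${required_files[@]}"; do
    if [ ! -f "$dir/$name" ]; then
      echo "Sorry. Can't find file ${dir}/${name}"
      exit 1
    fi
  done
done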


# Close INPUT and FORWARD by chain policy so nothing is accepted while the
# chains are being flushed and rebuilt.  OUTPUT is deliberately left alone.
set_policy_to_drop() {
  local chain
  for chain in INPUT FORWARD; do
    $ipt -P "$chain" DROP
  done
}

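# ERR/EXIT trap handler armed by define_trap_err: put the ruleset saved by
# backup_iptables back, drop the lock and exit 1.
# Globals read: iptrestore, BACKUP_FILE, LOCK_FILE.
reload_good_conf() {
  # Disarm first: remove_trap_err clears the traps, so a failure below
  # cannot re-enter this handler.
  remove_trap_err
  echo "A problem occured, reloading old config"
  if ! $iptrestore < "${BACKUP_FILE}"; then
    # The rollback itself failed; the firewall is left in whatever state
    # the partial load produced, so say so instead of exiting silently.
    echo "ERROR: restoring ${BACKUP_FILE} failed, firewall state is undefined" >&2
  fi
  rm -f -- "${LOCK_FILE}"
  exit 1
}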

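# Source the script given as $1 when it is a regular file; do nothing
# (and return 0, which matters under "set -e") otherwise.
# Caveat: "." looks a bare name without a slash up in PATH before the
# current directory, so pass absolute paths.
try_run(){
    if [ -f "$1" ]; then
        . "$1"
    fi
}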

# Enter fail-safe mode: abort on any failing command and send both the ERR
# and the EXIT event to reload_good_conf, which restores the saved ruleset.
define_trap_err(){
    set -o errexit
    trap 'reload_good_conf' ERR EXIT
}
# remove special function on ERR/EXIT
remove_trap_err(){
    set +e
    trap - ERR EXIT
}

# Flush every rule and delete every user chain in the filter, nat and
# mangle tables.  Chain policies are not touched here.
reset_chains() {
    local table
    $ipt -F
    $ipt -X
    for table in nat mangle; do
        $ipt -t "$table" -F
        $ipt -t "$table" -X
    done
}

# Ask the running nuauth to reload its time periods.  A missing or failing
# nuauth_command is ignored on purpose (|| true) so the load goes on.
reload_periods() {
    echo "Reloading periods"
    printf '%s\n' "reload periods" | nuauth_command >/dev/null || true
}

# Ask the running nuauth to refresh its cache.  A missing or failing
# nuauth_command is ignored on purpose (|| true) so the load goes on.
refresh_cache() {
    echo "Refreshing cache"
    printf '%s\n' "refresh cache" | nuauth_command >/dev/null || true
}

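# Source the static mangle rule scripts: pre and post are both required
# (nothing is loaded when either is missing), the dynamic VPN file is
# optional.  They are shell snippets run in the current shell, so a failure
# inside them is subject to the caller's errexit/trap state.
# Globals read: MANGLE_RULES_PRE, MANGLE_RULES_POST, MANGLE_RULES_DYN.
load_mangle(){
   if [ -f "$MANGLE_RULES_PRE" ] && [ -f "$MANGLE_RULES_POST" ]; then
     . "$MANGLE_RULES_PRE"
     . "$MANGLE_RULES_POST"
     if [ -f "$MANGLE_RULES_DYN" ]; then
       . "$MANGLE_RULES_DYN"
     fi
   fi
}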

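# Read one iptables-restore table fragment on stdin, strip comments and
# blank lines, append the COMMIT line and feed it to iptables-restore.
# Globals read: TMP_RULES (scratch file), iptrestore.
# On failure the numbered rule file is dumped to stdout for diagnosis and
# the script exits 1; the ERR/EXIT trap is re-armed first, so that exit
# rolls back to BACKUP_FILE through reload_good_conf.
# Caveat: comment stripping is a plain "#.*$", so a '#' inside a quoted
# argument (e.g. a --comment string) is cut as well.
load_iptables_rules() {
    local exitcode
    sed -e 's/#.*$//g;/^$/D' > "$TMP_RULES"
    echo "COMMIT" >> "$TMP_RULES"
    # iptables-restore may legitimately fail here: disarm errexit/trap so
    # the failure can be reported before exiting.
    remove_trap_err
    $iptrestore < "$TMP_RULES"
    exitcode=$?
    if [ "$exitcode" -ne 0 ]; then
        echo "--- iptables rules ---"
        cat -n "$TMP_RULES"
        echo "--- iptables rules ---"
    fi
    rm -f -- "$TMP_RULES"
    define_trap_err
    if [ "$exitcode" -ne 0 ]; then
        exit 1
    fi
}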

# Load the rule sets generated by nuface into the filter, nat and mangle
# tables, one iptables-restore run per table (see load_iptables_rules).
# arg1: directory where rules files has been written
# Globals read: MANAGE_FORWARD, MANAGE_NAT, BASEDIR_DYN, the *_RULES file
#   names, and LOCAL_RULES_D through find_local_rules.
# Globals written (not declared local): dir, FILES, ASTRING.
# A failure inside load_iptables_rules exits the script and, as the trap is
# re-armed there, rolls back to BACKUP_FILE.
load_dyn_rules(){
  dir=$1
  # FILES is word-split later on purpose: one path per word.
  FILES="$dir/$DISPATCH_RULES $dir/$INPUT_RULES $dir/$OUTPUT_RULES"
  if [ $MANAGE_FORWARD = 1 ]; then
    FILES="$FILES $dir/$FWD_RULES"
  fi

  echo " o dispatch and filter rules"
  # Filter table, in this order: local "filter*.rules", dispatch targets,
  # local ".targets", default established/related/invalid handling, local
  # ".dispatch", the generated dispatch/input/output[/forward] rules, then
  # local ".post".  special_reload_rules comes first so that FORWARD only
  # passes established flows from the moment the table is restored; the
  # caller removes those two rules with "exec_reload_rules stop".
  # NOTE(review): the ":INPUT ACCEPT"/":FORWARD ACCEPT" header lines set the
  # chain policies when restored, so the DROP policies set by
  # set_policy_to_drop do not survive this load; the generated files are
  # relied on to end in their own terminal rules -- confirm.
  (echo -e "*filter\n:FORWARD ACCEPT\n:INPUT ACCEPT\n:OUTPUT ACCEPT\n"; \
   special_reload_rules start; \
   cat $(find_local_rules filter) $dir/$DISPATCH_TARGETS $(find_local_rules filter .targets) $dir/$DEFAULT_ESTREL_INVALID $(find_local_rules filter .dispatch) $FILES $(find_local_rules filter .post) \
  ) | load_iptables_rules

  if [ $MANAGE_NAT = 1 ]; then
    echo " o nat rules"
    # Nat table: local "nat*.rules", generated nat rules, local ".post".
    (echo -e "*nat\n:PREROUTING ACCEPT\n:POSTROUTING ACCEPT\n:OUTPUT ACCEPT\n"; \
     cat $(find_local_rules nat) $dir/$NAT_RULES $(find_local_rules nat .post) \
    ) | load_iptables_rules
  fi

  # load mangle rules
  # Table header; the "\n" escapes are expanded by "echo -e" below.
  ASTRING="*mangle\n:PREROUTING ACCEPT\n:POSTROUTING ACCEPT\n:OUTPUT ACCEPT\n:INPUT ACCEPT\n:FORWARD ACCEPT"
  echo " o mangle rules"
  # The static pre/post/dyn mangle snippets are sourced first, then the
  # generated mangle table is restored, with the layer-7 rules file
  # appended when it exists.
  # NOTE(review): iptables-restore replaces the whole table it restores
  # unless --noflush is given, so mangle entries added by those sourced
  # snippets would not survive the restore below -- confirm what they do
  # (the nufw action calls load_mangle a second time afterwards).
  load_mangle
  if [ -f $dir/$MANGLE_RULES ]; then
    if [ -f $BASEDIR_DYN/$L7_RULES ]; then
      (echo -e $ASTRING; \
        cat $(find_local_rules mangle) $dir/$MANGLE_RULES \
            $BASEDIR_DYN/$L7_RULES $(find_local_rules mangle .post) \
      ) | load_iptables_rules
    else
      (echo -e $ASTRING; \
       cat $(find_local_rules mangle) $dir/$MANGLE_RULES $(find_local_rules mangle .post) \
      ) | load_iptables_rules
    fi
  fi
}


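# Print, space separated on a single line, the files of LOCAL_RULES_D
# named "<prefix>*.rules<suffix>".  Callers word-split the output, so
# paths containing whitespace are not supported by design.
# arg1: prefix (filter, nat, mangle)
# arg2: optional suffix (.targets, .dispatch, .post)
# Outputs nothing when the directory or a matching file does not exist.
find_local_rules(){
    local prefix=$1
    local suffix=$2
    local f

    if [ -d "$LOCAL_RULES_D" ]; then
        for f in "$LOCAL_RULES_D"/$prefix*.rules${suffix}; do
            # an unmatched glob expands to itself; -f filters that out
            if [ -f "$f" ]; then
                printf '%s ' "$f"
            fi
        done
    fi
}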

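# Emit the two FORWARD rules that keep the box closed while the filter
# table is being rebuilt: already established/related flows pass,
# everything else is dropped.  load_dyn_rules puts them before the
# generated rules, so they sit at the head of FORWARD.
# arg1: "start" emits -A (append) lines; anything else emits the matching
#       -D (delete) lines so the same rules can be removed afterwards.
# Output: one rule per line, in iptables/iptables-restore argument form.
special_reload_rules(){
    local arg
    if [ "$1" = "start" ]; then
        arg="A"
    else
        arg="D"
    fi
    echo "-$arg FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-$arg FORWARD -j DROP"
}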

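# Apply the rules produced by special_reload_rules directly with iptables
# (not through iptables-restore), one call per line.
# arg1: passed through to special_reload_rules ("start" adds, else deletes)
# $line is deliberately unquoted: each word becomes one iptables argument.
exec_reload_rules(){
    local line
    special_reload_rules "$1" | while read -r line; do
        $ipt $line
    done
}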

# Rules applied by the stop action: block all forwarding by inserting a
# DROP at the head of FORWARD.  Only that chain is touched here.
load_stop_rules(){
    local -a drop_forward=(-I FORWARD -j DROP)
    $ipt "${drop_forward[@]}"
}

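# Save the currently loaded ruleset to BACKUP_FILE; reload_good_conf puts
# that file back if the new configuration fails to load.  Whatever is
# running now is taken as "good", including a broken state left behind by
# an earlier failed run.
# Globals read: iptsave, BACKUP_FILE.
# Exits 1 when iptables-save fails or leaves an empty file.
backup_iptables(){
    local rc
    # load iptables module needed by iptables-save
    # (to get "/proc/net/ip_tables_names" proc entry)
    # A modprobe failure is not fatal by itself: the check below catches it.
    modprobe iptable_filter

    # save current iptables configuration
    echo "Saving current configuration as good in ${BACKUP_FILE}"
    $iptsave > "${BACKUP_FILE}"
    rc=$?

    # check if iptables-save worked correctly
    # iptables < 1.4 creates empty file if iptable_filter module is not loaded
    if [ "$rc" -ne 0 ] || [ ! -s "${BACKUP_FILE}" ]; then
        echo "ERROR: $iptsave failure"
        echo "Make sure that iptables module is correctly loaded"
        exit 1
    fi
}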

# Drop the run lock created at startup; installed as the EXIT trap while
# the script is outside fail-safe mode.
remove_lock(){
    rm -- "${LOCK_FILE}"
}

# NOTE(review): check-then-touch is not atomic -- two concurrent
# invocations can both pass this test before either creates the lock.
# An atomic "mkdir" lock or a noclobber redirect would close that window.
if [ -f $LOCK_FILE ]; then
  echo "Lock file ${LOCK_FILE} exists. Is script already running? If not, please delete lock by hand."
  exit 1
fi

# "--debug" as the second argument traces the shell and passes --debug on
# to nupyf (nupyf is expanded unquoted at its call site, so the option is
# split off as a separate argument).
if [ "$2" = "--debug" ]; then
    set -x
    nupyf="$nupyf --debug"
fi

touch $LOCK_FILE

# Get the mode
MODE=$1
if [ "$MODE" = "standard" ]; then
    # standard is an alias of nonufw mode
    MODE=nonufw
fi
# An explicit nufw/nonufw request is remembered in MODE_FILE; the generic
# init actions reuse the remembered mode and default to nufw when the file
# is absent or does not mention nonufw.
if [ "$MODE" = "nufw" -o "$MODE" = "nonufw" ]; then
    echo $MODE >| $MODE_FILE
elif [ "$MODE" = "start" -o "$MODE" = "restart" -o "$MODE" = "reload" -o "$MODE" = "force-reload" ]; then
    # Replace start|restart|reload|force-reload by nufw or nonufw
    test -e $MODE_FILE && grep -q nonufw $MODE_FILE
    if [ $? -eq 0 ]; then
        MODE="nonufw"
    else
        MODE="nufw"
    fi
fi

# From here on the lock is removed on exit.  define_trap_err later replaces
# this trap with reload_good_conf, which removes the lock itself.
trap remove_lock EXIT

case $MODE in
  nufw)
    # Authenticating mode: snapshot the running ruleset, then work in
    # fail-safe mode (any error restores the snapshot and exits 1).
    backup_iptables
    define_trap_err
    # Close INPUT/FORWARD by policy before flushing so that nothing is
    # accepted while the chains are empty.
    set_policy_to_drop
    reset_chains
    reload_periods
    refresh_cache
    echo "Loading new firewall configuration"
    echo " o Local rules"
    load_dyn_rules $NUFW_RULES_DIR
    # Optional site NAT snippet, sourced in this shell (still fail-safe).
    if [ -f $LOCAL_NAT_RULES ]; then
      . $LOCAL_NAT_RULES
    fi
    # Second load_mangle: load_dyn_rules already ran it once before
    # restoring the mangle table (presumably repeated because the restore
    # replaces that table -- confirm); the nonufw action does not repeat it.
    load_mangle
    remove_trap_err
    # LDAP merge runs fail-safe again; note the trap stays armed until the
    # remove_trap_err at the end of the script.
    if [ -f $LDAP_DATA  ]; then
      echo "Merging ldap with nupyf"
      define_trap_err
      $nupyf --config $NUPYF_CONF --loadldap $LDAP_DATA
      rm -f $LDAP_DATA
    fi
    # Remove the temporary FORWARD guard rules added by special_reload_rules.
    exec_reload_rules stop
    echo "Enable IPv4 forward"
    echo 1 >| /proc/sys/net/ipv4/ip_forward
  ;;
  stop)
    # "stop" is not a bare flush: the standard rule set is loaded without
    # forward/nat rules, then a DROP is inserted at the head of FORWARD.
    # No snapshot and no fail-safe trap here: an error leaves a partially
    # loaded state behind.
    # NOTE(review): reset_chains runs without set_policy_to_drop, so the
    # chains are empty under their current policies until load_dyn_rules
    # restores the filter table -- confirm that window is acceptable.
    echo "Loading stopped configuration"
    reset_chains
    echo " o Local rules"
    #do not load forward or nat rules
    MANAGE_FORWARD=0
    MANAGE_NAT=0
    load_dyn_rules $STD_RULES_DIR
    exec_reload_rules stop
    load_stop_rules

# Optional site-specific stop rules (shell snippet sourced in this shell).
if [ -f $STOP_RULES ]; then
    echo " o Stop Rules"
    . $STOP_RULES
    exec_reload_rules stop
fi
  ;;
  nonufw)
    # Non-authenticating mode: same snapshot/fail-safe sequence as nufw,
    # using the standard rule set and without the nuauth/LDAP steps.
    backup_iptables
    define_trap_err
    set_policy_to_drop
    reset_chains
    echo 'Loading non-authenticating firewall configuration'
    echo " o Local rules"
    load_dyn_rules $STD_RULES_DIR
    if [ -f $LOCAL_NAT_RULES ]; then
      . $LOCAL_NAT_RULES
    fi
    # Remove the temporary FORWARD guard rules added by special_reload_rules.
    exec_reload_rules stop
    echo "Enable IPv4 forward"
    echo 1 >| /proc/sys/net/ipv4/ip_forward
  ;;
  *)
    # NOTE(review): an unknown mode prints the usage but then falls through
    # to the fail2ban restart and the script exits 0; an "exit 2" after the
    # echo would report the error to the caller.
    echo "Usage: $0 start|restart|reload|force-reload|nufw|nonufw|stop"
  ;;
esac

# Optionally bounce fail2ban after the reload (presumably so that its
# iptables chains, flushed by reset_chains, are re-created -- confirm).
# FAIL2BAN_ENABLED is empty by default, so this is off unless edited above.
if [ "x$FAIL2BAN_ENABLED" = "x1" ] && [ -x $FAIL2BAN ]; then
    $FAIL2BAN restart
fi

# Leave fail-safe mode (if still armed) and release the lock explicitly:
# remove_trap_err also clears the remove_lock EXIT trap.
remove_trap_err
rm ${LOCK_FILE}