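#!/bin/bash
# @(#)(CAcert) $Id: firewall,v 1.6 2016/08/03 09:35:37 root Exp $
#
# Host firewall: default-deny on INPUT, OUTPUT and FORWARD for IPv4 and IPv6,
# with a per-user outbound allow-list and a per-source SSH allow-list.
#
# Configuration files (lines starting with '#' are skipped, fields are
# whitespace separated):
#   /etc/firewall/allowedto    name uid dest [dest ...]
#       outbound traffic of local uid to each dest is logged and accepted
#   /etc/firewall/allowedfrom  name from [from ...]
#       TCP/22 from each source address/network is logged and accepted
#
# Fail-closed design: the DROP policies are set *before* the old rule set is
# flushed, so a reload never passes through an open state; an entry that
# cannot be parsed produces no rule (traffic stays denied) instead of an open
# rule; a missing config file just yields an empty allow-list. Deliberately no
# 'set -e': aborting half-way would leave DROP policies with a partial rule set.

# Common functions
iptables() # apply the same rule to IPv4 and IPv6
{
  /usr/sbin/iptables "$@"
  /usr/sbin/ip6tables "$@"
}
ip4tables() # IPv4-specific rules
{
  /usr/sbin/iptables "$@"
}
ip6tables() # IPv6-specific rules
{
  /usr/sbin/ip6tables "$@"
}
ip4or6() # print the wrapper to use for an address/network; 'false' if unrecognised
{
  # The colon test comes first so IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)
  # are handled by ip6tables. Anything matching neither form yields 'false',
  # so the caller's "$FUNC -A ..." is a no-op and the entry gets no rule.
  case "$1" in
    *:*) echo ip6tables ;;
    *\.*) echo ip4tables ;;
    *) echo "$0: cannot recognize address $1" 1>&2
       echo false ;;
  esac
}

IP=iptables
IP4=ip4tables
IP6=ip6tables

# Default policies first. '-F' below does not touch policies, so setting them
# here keeps the host closed from the moment the old rules are gone until the
# new ones are in place. OUTPUT DROP is only a backstop: the explicit REJECT
# rule appended at the end of OUTPUT is what gives local processes a fast error.
$IP -P INPUT DROP
$IP -P OUTPUT DROP
$IP -P FORWARD DROP

# Cleanup: flush rules and delete user-defined chains in every table we use.
# The nat table is only cleaned for IPv4 (ip6tables nat is not assumed here).
$IP -F
$IP -X
$IP4 -F -t nat
$IP4 -X -t nat
$IP -F -t mangle
$IP -X -t mangle

# Accept anything belonging to a connection that was already allowed.
$IP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow logging (UDP syslog to the central log host, IPv4 only, any uid)
$IP4 -A OUTPUT -p udp -d 172.28.50.101 --dport 514 -j ACCEPT

# Allow dns (the two site resolvers, IPv4 only, any uid)
$IP4 -A OUTPUT -p udp -d 172.28.50.2 --dport 53 -j ACCEPT
$IP4 -A OUTPUT -p udp -d 172.28.50.3 --dport 53 -j ACCEPT

# Allow ICMP Echo and ICMP Time Exceeded; all of ICMPv6 (IPv6 needs it for
# neighbour discovery and friends, so it is not filtered by type here).
$IP4 -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
$IP4 -A INPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
$IP6 -A INPUT -p ICMPv6 -j ACCEPT
$IP4 -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
$IP4 -A OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
$IP6 -A OUTPUT -p ICMPv6 -j ACCEPT

# root can disable this firewall, so don't be stupid: all of uid 0's outbound
# traffic is accepted here. Because this rule precedes the per-user rules,
# root's traffic is also never matched by their LOG rules.
$IP -A OUTPUT -m owner --uid-owner 0 -j ACCEPT

# Per-user outbound allow-list. $dests is intentionally left unquoted: it is
# the rest of the line, a whitespace-separated list of destinations. The file
# is trusted configuration; its fields are passed to iptables as given.
grep -v '^#' /etc/firewall/allowedto | while read -r name uid dests
do
  for dest in $dests
  do
    FUNC=$(ip4or6 "$dest")
    # NOTE: iptables limits --log-prefix to 29 characters; with the fixed
    # "user:" and " : " around it a name longer than about 21 characters makes
    # the LOG rule fail to load while the ACCEPT rule below is still added.
    $FUNC -A OUTPUT -m owner --uid-owner "$uid" -d "$dest" -j LOG --log-prefix "user:${name} : "
    $FUNC -A OUTPUT -m owner --uid-owner "$uid" -d "$dest" -j ACCEPT
  done
done

# reject all the rest for outgoing (logged, then REJECT so local callers fail fast)
$IP -A OUTPUT -j LOG --log-prefix "output: "
$IP -A OUTPUT -j REJECT

# who can enter at port 22? Per-source SSH allow-list; same format rules as
# above ($froms unquoted on purpose), same --log-prefix length caveat.
grep -v '^#' /etc/firewall/allowedfrom | while read -r name froms
do
  for from in $froms
  do
    FUNC=$(ip4or6 "$from")
    $FUNC -A INPUT -p tcp --dport 22 -s "$from" -j LOG --log-prefix "user:${name} : "
    $FUNC -A INPUT -p tcp --dport 22 -s "$from" -j ACCEPT
  done
done

# Everything else on INPUT and FORWARD falls through to the DROP policies set
# at the top; unmatched OUTPUT has already been logged and rejected above.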