#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables
# Description:       Enable firewall rules
### END INIT INFO

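# Send everything the script prints (stdout and stderr, including iptables
# error messages) to syslog, tagged with the script name, so a rule that
# failed to load is visible in the log rather than lost on a console.
exec 1> >(logger -s -t "${0##*/}") 2>&1

# Interface that carries management traffic; used by the temporary
# conntrack/SSH rules in the start action below.
# NOTE(review): the original raw PREROUTING rule matched "! -i mgmt1" while the
# device check and the other three rules used "mgmt". That looks like a typo:
# it would leave inbound mgmt packets untracked, so the ESTABLISHED,RELATED
# rule on mgmt could never match. Confirm the real device name before relying
# on this.
mgmt_if=mgmt

case "$1" in
    start)
        echo -n "firewall start..."

        #### IPv4
        # Policy is opened before the flush so that a partially loaded rule
        # set fails open instead of locking us out; it is flipped to DROP
        # once every ACCEPT rule is in place.
        iptables -P INPUT ACCEPT
        iptables -F INPUT

        #### special tables
        # Flushed first so the raw NOTRACK rules added below start from an
        # empty table instead of being appended to stale ones.
        iptables -t mangle -F
        iptables -t nat -F
        iptables -t raw -F

        ip6tables -t mangle -F
        ip6tables -t nat -F
        ip6tables -t raw -F

        ##### temp rules till we get VRF in place in the factory, just flip the rules below
        # Installed before the other INPUT rules so that return traffic of
        # existing sessions (e.g. the SSH session running this script) is
        # already accepted when the policy switches to DROP; it is also the
        # hot path, so it belongs at the top of the chain.
        if ip link show dev "$mgmt_if" >/dev/null 2>&1; then
            # only traffic on the management interface is conntracked
            iptables -t raw -A PREROUTING ! -i "$mgmt_if" -j NOTRACK
            iptables -t raw -A OUTPUT     ! -o "$mgmt_if" -j NOTRACK
            iptables -A INPUT -i "$mgmt_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
            iptables -A INPUT -i "$mgmt_if" -s 10.0.0.0/8 -p tcp --dport 22     -j ACCEPT
        else
            iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
            iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 22     -j ACCEPT
        fi
        ##### end temp rules

        #unencrypted traffic: IPsec ESP, IKE (udp/500) and NAT-T (udp/4500)
        #from the site range, plus ICMP from anywhere
        iptables -A INPUT -s 10.1.0.0/16 -p esp                           -j ACCEPT
        iptables -A INPUT -s 10.1.0.0/16 -p udp --dport 500  --sport 500  -j ACCEPT
        iptables -A INPUT -s 10.1.0.0/16 -p udp --dport 4500 --sport 4500 -j ACCEPT
        iptables -A INPUT                -p icmp                          -j ACCEPT
        #traffic we wanna see from the VPN: only accepted when the packet
        #arrived through an inbound IPsec SA (-m policy), never in the clear
        iptables -A INPUT -m policy --pol ipsec --dir in -s 10.1.0.0/16 -p udp --dport 4789                    -j ACCEPT   # vxlan traffic
        iptables -A INPUT -m policy --pol ipsec --dir in -s 10.1.0.0/16 -p tcp -m multiport --dports 49152:49215 -j ACCEPT   # libvirt live migration
        #iptables -A INPUT -m policy --pol ipsec --dir in -s 10.1.0.0/16 -p tcp -m multiport --dports 6800:7300   -j ACCEPT   # ceph traffic

        ##### DROP the rest
        iptables -P INPUT DROP


        #### IPv6
        ip6tables -P INPUT ACCEPT
        ip6tables -F INPUT
        # IPv6 is not conntracked at all: every packet is NOTRACKed in raw,
        # so the INPUT rules below must match explicitly in both directions.
        ip6tables -t raw -A PREROUTING -j NOTRACK
        ip6tables -t raw -A OUTPUT     -j NOTRACK
        ip6tables -A INPUT                           -p ipv6-icmp        -j ACCEPT
        ip6tables -A INPUT -s fe80::/10              -p tcp  --sport 179 -j ACCEPT   # tcp/179 to/from link-local peers
        ip6tables -A INPUT -s fe80::/10              -p tcp  --dport 179 -j ACCEPT
        # NOTE(review): the udp/53 and udp/123 rules match source address and
        # source port only. With v6 untracked they admit packets to any local
        # UDP port from a sender that spoofs those sources; add --dport (or
        # enable v6 tracking and use a state match) if that matters here.
        ip6tables -A INPUT -s 2001:4860:4860::8888   -p udp  --sport  53 -j ACCEPT
        ip6tables -A INPUT -s 2001:4860:4860::8844   -p udp  --sport  53 -j ACCEPT
        ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp  --sport 123 -j ACCEPT
        ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp  --sport 123 -j ACCEPT
        ### DROP the rest
        ip6tables -P INPUT DROP

        echo " done"
        ;;

    stop)
        echo -n "firewall stop..."

        #### Firewall rules
        # -F without a chain name flushes every chain of the filter table;
        # the other tables (including the raw NOTRACK rules) are flushed
        # explicitly. Policy is reset to ACCEPT so the host is reachable
        # with no rules loaded.
        iptables -P INPUT ACCEPT
        iptables -F
        iptables -t raw -F
        iptables -t nat -F
        iptables -t mangle -F

        ip6tables -P INPUT ACCEPT
        ip6tables -F
        ip6tables -t raw -F
        ip6tables -t nat -F
        ip6tables -t mangle -F

        echo " done"
        ;;
    restart)
        # start already flushes and rebuilds the rule set, so a separate stop
        # (which would briefly open the host) is not needed.
        #"$0" stop
        "$0" start
        ;;
    *)
        echo "use $0 [start|stop|restart]"
        # LSB init-script convention: 2 = invalid or excess arguments, so a
        # typo in a service definition is not reported as success.
        exit 2
        ;;
esac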