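#!/bin/bash
#
# e-router firewall setup.
#
# Flushes the current iptables state and rebuilds it: default policies, NAT
# for the LAN, the FORWARD chain, ipset-backed allow/ban/scan lists on INPUT,
# the public and whitelisted port chains, broadcast/multicast handling and
# the final catch-all (plain DROP or a LOG-then-REJECT chain).
#
# Configuration is sourced from /etc/e-router/config and is expected to set:
#   wan, eth0, locnet              WAN interface, LAN interface, LAN network
#   whiteset, banset, scanset      ipset names
#   whitettl, banttl, scanttl      ipset default timeouts
#   loginput, logforward           "true" to log-and-reject instead of DROP
#   debugtcp, debugudp, debugicmp  "true" to log/reject that protocol
#   hooks (optional)               space-separated list of setup functions,
#                                  run in the given order (see main)
# Port and network lists are read from WHITE.udp, WHITE.tcp, Public.udp,
# Public.tcp and WHITE.nets in the same directory, one entry per line.
#
# Must run as root.

set -euo pipefail

(( EUID == 0 )) || { echo "Need root" >&2; exit 1; }

confd=/etc/e-router
# shellcheck source=/dev/null
source "$confd/config"

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'e-router: %s\n' "$*" >&2
  exit 1
}

#######################################
# Test a boolean config value. Only the literal string "true" is "on".
# The previous form (`if $loginput; then`) executed the config value as a
# command, so any other value ran a program of that name instead of being
# treated as "off"; comparing the string fails closed instead.
# Arguments: $1 - config value
# Returns:   0 if enabled, 1 otherwise
#######################################
enabled() {
  [[ "$1" == true ]]
}

#######################################
# Create a LOG-then-REJECT chain for the protocols selected by debugtcp,
# debugudp and debugicmp. The chain name doubles as the log prefix.
# Arguments: $1 - chain name
#######################################
create_log_drop_chain() {
  local -r chain=$1
  iptables -N "$chain"
  if enabled "$debugtcp"; then
    iptables -A "$chain" -p tcp -j LOG --log-prefix "$chain TCP: " --log-level 7
    iptables -A "$chain" -p tcp -j REJECT --reject-with tcp-reset
  fi
  if enabled "$debugudp"; then
    iptables -A "$chain" -p udp -j LOG --log-prefix "$chain UDP: " --log-level 7
    iptables -A "$chain" -p udp -j REJECT --reject-with icmp-port-unreachable
  fi
  if enabled "$debugicmp"; then
    iptables -A "$chain" -p icmp -j LOG --log-prefix "$chain ICMP: " --log-level 7
    # No -p icmp on this rule: once ICMP debugging is on, every packet still
    # in the chain is rejected here (kept as in the original rule set).
    iptables -A "$chain" -j REJECT --reject-with icmp-proto-unreachable
  fi
}

#######################################
# Append one ACCEPT rule per port listed in a file to a chain.
# Lines that are not a bare port number (blank, comments, junk) are skipped;
# a missing file aborts the run under set -e.
# Arguments: $1 - chain, $2 - tcp|udp, $3 - file with one port per line
#######################################
add_port_accepts() {
  local -r chain=$1 proto=$2 file=$3
  local port
  # plain `read -r` (no IFS=) so surrounding whitespace is tolerated;
  # `|| [[ -n ]]` keeps a last line without a trailing newline.
  while read -r port || [[ -n "$port" ]]; do
    [[ "$port" =~ ^[0-9]+$ ]] || continue
    iptables -A "$chain" -p "$proto" -m conntrack --ctstate NEW --ctproto "${proto^^}" --dport "$port" -j ACCEPT
  done < "$file"
}

#######################################
# Reject NEW connections from the WAN whose source is in an ipset.
# Arguments: $1 - ipset name
#######################################
reject_set_from_wan() {
  local -r set=$1
  iptables -A INPUT -i "$wan" -p udp -m set --match-set "$set" src -m conntrack --ctstate NEW --ctproto UDP -j REJECT --reject-with icmp-port-unreachable
  iptables -A INPUT -i "$wan" -p tcp -m set --match-set "$set" src -m conntrack --ctstate NEW --ctproto TCP -j REJECT --reject-with tcp-reset
}

#######################################
# Flush everything and set deny-by-default policies for INPUT and FORWARD.
#######################################
set_defaults() {
  /usr/lib/systemd/scripts/iptables-flush
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP
}

#######################################
# Final INPUT rule: log-and-reject via WAN-LOG-DROP, or a plain DROP.
#######################################
setup_final() {
  if enabled "$loginput"; then
    setup_wandroplog
    iptables -A INPUT -j WAN-LOG-DROP
  else
    iptables -A INPUT -j DROP
  fi
}

#######################################
# Create the WAN-LOG-DROP chain used by setup_final.
#######################################
setup_wandroplog() {
  create_log_drop_chain WAN-LOG-DROP
}

#######################################
# Create the FORWARD-LOG-DROP chain used by setup_forward.
#######################################
setup_fordroplog() {
  create_log_drop_chain FORWARD-LOG-DROP
}

#######################################
# Masquerade LAN traffic leaving through the WAN interface.
#######################################
setup_nat() {
  iptables -t nat -A POSTROUTING -o "$wan" -s "$locnet" -j MASQUERADE
}

#######################################
# FORWARD: allow established flows and LAN -> WAN; everything else is
# dropped, optionally through FORWARD-LOG-DROP.
#######################################
setup_forward() {
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i "$eth0" -o "$wan" -j ACCEPT
  if enabled "$logforward"; then
    setup_fordroplog
    iptables -A FORWARD -j FORWARD-LOG-DROP
  else
    iptables -A FORWARD -j DROP
  fi
}

#######################################
# INPUT basics: loopback and LAN are trusted, established flows pass,
# INVALID conntrack state is dropped.
#######################################
setup_base() {
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$eth0" -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
}

#######################################
# Populate the whitelist ipset with the IPv4 CIDRs listed in WHITE.nets.
# Entries are added with timeout 0 so they never expire; the set's own
# timeout only applies to entries added later without one.
#######################################
setup_whitenets() {
  # Dots are escaped: the original pattern used a bare `.`, which matched
  # any character and let malformed lines through to ipset.
  local -r cidr_re='^[0-9]+(\.[0-9]+){3}/[0-9]+$'
  local net
  ipset create -! "$whiteset" hash:net hashsize 4096 timeout "$whitettl"
  while read -r net || [[ -n "$net" ]]; do
    [[ "$net" =~ $cidr_re ]] || continue
    ipset -! add "$whiteset" "$net" timeout 0
  done < "$confd/WHITE.nets"
}

#######################################
# Create the ban ipset and reject NEW connections from its members.
#######################################
setup_badips() {
  ipset create -! "$banset" hash:ip hashsize 4096 timeout "$banttl"
  reject_set_from_wan "$banset"
}

#######################################
# Create the scanner ipset and reject NEW connections from its members.
#######################################
setup_scanips() {
  ipset create -! "$scanset" hash:ip hashsize 4096 timeout "$scanttl"
  reject_set_from_wan "$scanset"
}

#######################################
# FW-FILTERED: ports from WHITE.udp/WHITE.tcp, reachable only from sources
# in the whitelist ipset; whitelisted sources may also ping (ICMP type 8).
#######################################
setup_white() {
  iptables -N FW-FILTERED
  add_port_accepts FW-FILTERED udp "$confd/WHITE.udp"
  add_port_accepts FW-FILTERED tcp "$confd/WHITE.tcp"
  iptables -A INPUT -i "$wan" -p udp -m set --match-set "$whiteset" src -m conntrack --ctstate NEW --ctproto UDP -j FW-FILTERED
  iptables -A INPUT -i "$wan" -p tcp -m set --match-set "$whiteset" src -m conntrack --ctstate NEW --ctproto TCP -j FW-FILTERED
  iptables -A INPUT -i "$wan" -p icmp --icmp-type 8 -m set --match-set "$whiteset" src -m conntrack --ctstate NEW --ctproto ICMP -j ACCEPT
}

#######################################
# FW-OPEN: ports from Public.udp/Public.tcp, reachable from any WAN source.
#######################################
setup_open() {
  iptables -N FW-OPEN
  add_port_accepts FW-OPEN udp "$confd/Public.udp"
  add_port_accepts FW-OPEN tcp "$confd/Public.tcp"
  iptables -A INPUT -i "$wan" -p udp -m conntrack --ctstate NEW --ctproto UDP -j FW-OPEN
  iptables -A INPUT -i "$wan" -p tcp -m conntrack --ctstate NEW --ctproto TCP -j FW-OPEN
}

#######################################
# Accept all broadcast and multicast packets arriving on the WAN interface.
# NOTE(review): this is unconditional and not limited by any ipset or
# port list; confirm that is intended for the WAN side.
#######################################
setup_cast() {
  iptables -N FW-CAST
  iptables -A FW-CAST -m pkttype --pkt-type broadcast -j ACCEPT
  iptables -A FW-CAST -m pkttype --pkt-type multicast -j ACCEPT
  iptables -A INPUT -i "$wan" -j FW-CAST
}

#######################################
# Run the setup hooks in order. `hooks` from the config overrides the
# default list; each name must be a function defined in this script, so a
# config entry cannot run an arbitrary program.
# Rules are appended (-A), so list order is rule order: with the default
# list the scan-set rejects land after the FW-OPEN jump, i.e. members of
# scanset still reach public ports — reorder if that is not intended.
#######################################
main() {
  local -r default_hooks="set_defaults setup_whitenets setup_nat setup_forward setup_base setup_badips setup_white setup_open setup_scanips setup_cast setup_final"
  local -a hookarray
  local hook
  read -ra hookarray <<<"${hooks:-$default_hooks}"
  for hook in "${hookarray[@]}"; do
    declare -F "$hook" >/dev/null || die "unknown hook '$hook' in hooks"
    "$hook"
  done
}

main "$@"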