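#!/bin/bash
# Host firewall for a VM host.
#
# Filters INPUT on the external interface (default policy DROP), leaves
# FORWARD and OUTPUT open apart from a few address-specific drops, and sets
# the per-interface sysctls the bridged VMs need (proxy ARP, no redirects).
#
# Usage: <this script> {start|stop|restart}
# Must run as root: it writes under /proc/sys and calls iptables/ip6tables.
#
# Error handling: iptables/ip6tables failures are not fatal (no `set -e`),
# matching the original behaviour — a failed rule is reported by the tool on
# stderr and the remaining rules are still installed. Because the INPUT
# policy is set to DROP before the rules are loaded, a failed ACCEPT rule
# fails closed rather than open.

set -u

# The name of the main external interface.
readonly EX_IF="eth1"
# The name of the VM network bridge interface.
readonly BR_IF="br0"
# Source addresses granted unfiltered INPUT access on $EX_IF.
# IPv4 entries are iptables "iprange" specs (a single address or "a-b").
# IPv6 entries are CIDR prefixes.
readonly UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
readonly UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
# Address blocks whose traffic is dropped in FORWARD on $EX_IF in both
# directions ("usurped" by this host; see start_firewall).
readonly USURPED_BLOCKS_V4=('216.119.155.56/31' '216.119.155.62/31')
# Tables that are flushed and purged of custom chains on start and stop.
readonly TABLES=(filter nat mangle)

#######################################
# Write a single value to a /proc/sys knob.
# Arguments: $1 - absolute path of the knob, $2 - value to write
#######################################
write_sysctl() {
  printf '%s\n' "$2" >"$1"
}

#######################################
# Flush every rule and delete every custom chain in the IPv4 and IPv6
# tables listed in TABLES. Built-in chain policies are not touched.
# Globals:   TABLES (read)
#######################################
flush_all_tables() {
  local table
  for table in "${TABLES[@]}"; do
    iptables -t "$table" -F
    ip6tables -t "$table" -F
    # -X only removes empty, unreferenced chains, so it follows the flush.
    iptables -t "$table" -X
    ip6tables -t "$table" -X
  done
}

#######################################
# Apply the sysctls, install the rule set and set the chain policies.
# Globals:   EX_IF, BR_IF, UNFILTERED_RANGES_V4, UNFILTERED_RANGES_V6,
#            USURPED_BLOCKS_V4 (read)
#######################################
start_firewall() {
  local range block icmp_type

  # Set policies first so the host fails closed: between the flush below and
  # the last ACCEPT rule there is otherwise a window with an empty rule set
  # under an ACCEPT policy. A rule flush does not clear the conntrack table,
  # so sessions already open (e.g. the admin's SSH) resume as soon as the
  # ESTABLISHED,RELATED rule is back.
  iptables -P INPUT DROP
  ip6tables -P INPUT DROP
  iptables -P FORWARD ACCEPT
  ip6tables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  ip6tables -P OUTPUT ACCEPT

  # Disable ICMP redirects.
  # Note: Redirects are used when a router believes a packet is being routed
  # sub-optimally and wants to tell the sending host to forward subsequent
  # packets to that destination through a different gateway. Honouring them
  # on the external interface would let a neighbour steer our routing.
  write_sysctl "/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects" 0
  write_sysctl "/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects" 0
  write_sysctl "/proc/sys/net/ipv4/conf/$EX_IF/send_redirects" 0
  # Proxy ARP is required for the VMs to use the network.
  write_sysctl "/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp" 1

  # Start from a clean slate (rules and custom chains; policies stay as set above).
  flush_all_tables

  # Drop invalid packets on all interfaces.
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

  # Drop spoofed sources on the external interface: loopback and the
  # RFC 1918 private ranges must never arrive from outside. (Only these
  # blocks are covered; link-local and other non-routable space is not.)
  iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
  ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP

  # Drop the IPs that we've usurped: neither forward them out nor accept
  # forwarded traffic for them coming in on the external interface.
  for block in "${USURPED_BLOCKS_V4[@]}"; do
    iptables -A FORWARD -o "$EX_IF" -s "$block" -j DROP
  done
  for block in "${USURPED_BLOCKS_V4[@]}"; do
    iptables -A FORWARD -i "$EX_IF" -d "$block" -j DROP
  done

  # Allow all loopback traffic.
  iptables -A INPUT -i lo -j ACCEPT
  ip6tables -A INPUT -i lo -j ACCEPT

  # Allow all traffic from the bridged network (the VMs are trusted).
  iptables -A INPUT -i "$BR_IF" -j ACCEPT
  ip6tables -A INPUT -i "$BR_IF" -j ACCEPT

  # Allow unrestricted access from our own addresses.
  for range in "${UNFILTERED_RANGES_V4[@]}"; do
    iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$range" -j ACCEPT
  done
  for range in "${UNFILTERED_RANGES_V6[@]}"; do
    ip6tables -A INPUT -i "$EX_IF" -s "$range" -j ACCEPT
  done

  # Allow packets of established connections and those related to them.
  iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Allow pings and the ICMP informational types path MTU discovery and
  # traceroute depend on. Type names are the same for icmp and icmpv6 here.
  for icmp_type in echo-request echo-reply destination-unreachable time-exceeded parameter-problem; do
    iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type "$icmp_type" -j ACCEPT
    ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type "$icmp_type" -j ACCEPT
  done
  # IPv6 additionally needs packet-too-big (PMTUD) and neighbour discovery,
  # without which the interface cannot resolve its on-link peers.
  for icmp_type in packet-too-big neighbour-solicitation neighbour-advertisement; do
    ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type "$icmp_type" -j ACCEPT
  done

  # Allow SSH on 22 and 9922 (new connections only; the rest is covered by
  # the ESTABLISHED,RELATED rule above).
  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
}

#######################################
# Open the firewall completely and undo the sysctl changes.
# Globals:   EX_IF (read)
#######################################
stop_firewall() {
  # Set default policies to ACCEPT before flushing so the host stays
  # reachable once the rules are gone.
  iptables -P INPUT ACCEPT
  ip6tables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  ip6tables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  ip6tables -P FORWARD ACCEPT

  # Flush rules and delete any custom chains.
  flush_all_tables

  # Restore the kernel's "default" per-interface values. These are the
  # values new interfaces inherit, not necessarily what $EX_IF had before
  # start_firewall ran.
  # Disable proxy ARP.
  cat /proc/sys/net/ipv4/conf/default/proxy_arp >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
  # Reset ICMP redirects.
  cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
  cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
  cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
}

# Dispatch on the first argument. "${1:-}" keeps `set -u` from aborting
# when no argument is given so the usage message is still printed.
case "${1:-}" in
  start)
    start_firewall
    ;;
  stop)
    stop_firewall
    ;;
  restart)
    stop_firewall
    start_firewall
    ;;
  *)
    # Previously the script only set ERR=1 here and exited 0, so callers
    # (e.g. an init script) could not tell a bad invocation from success.
    printf 'Usage: %s {start|stop|restart}\n' "${BASH_SOURCE[0]}" >&2
    exit 1
    ;;
esac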