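#!/bin/sh
# Public-interface INPUT firewall, rendered by Ansible. The template variable
# `item` is 4 or 6 and selects the address list, the iptables binary and the
# ICMP protocol name used below.
#
# Usage: <script> (start|stop) <interface>
#   start  accept ICMP, related/established traffic and the configured TCP/UDP
#          ports on the configured public addresses arriving on <interface>,
#          then drop everything else arriving on that interface.
#   stop   delete the same rules in reverse order.
#
# During `start` the first failing iptables call aborts the script *before* the
# final catch-all DROP is appended, so a partially applied ruleset never ends in
# a blanket DROP that would cut the host off. During `stop` every deletion is
# attempted (a rule may already be gone) and the exit status reports whether
# any of them failed.

set -u

PUBLIC_IPS="{% if item == 4 %}{{ srv_network_public_firewall_ipv4 | join(' ') }}{% else %}{{ srv_network_public_firewall_ipv6 | join(' ') }}{% endif %}"
PUBLIC_IF="${2:-}"
TCP_PORTS="{{ srv_network.public.firewall.tcp_ports | default([]) | join(' ') }}"
UDP_PORTS="{{ srv_network.public.firewall.udp_ports | default([]) | join(' ') }}"

#####

IPTABLES="/sbin/ip{% if item == 6 %}6{% endif %}tables"
ICMP="icmp{% if item == 6 %}v6{% endif %}"

# Print usage to stderr and exit non-zero; the interface argument is mandatory
# because `-i` with an empty operand would make every rule below fail.
usage() {
  echo "Usage: $0 (start|stop) <interface>" >&2
  exit 1
}

# base_rule OP RULE...
# Append (OP = -A) or delete (OP = -D) one INPUT rule bound to the public
# interface. Returns the iptables exit status.
base_rule() {
  op="$1"
  shift
  "$IPTABLES" "$op" INPUT -i "$PUBLIC_IF" "$@"
}

# port_rules OP PROTO PORTS
# Append (-A) or delete (-D) one ACCEPT rule per (public address, port) pair
# for PROTO (tcp or udp). Every pair is attempted even if an earlier one
# failed; the return status is non-zero if any call failed.
# PORTS and PUBLIC_IPS are space-separated lists rendered by the template and
# are expanded unquoted on purpose so the shell splits them into words.
port_rules() {
  rule_op="$1"
  proto="$2"
  ports="$3"
  status=0
  for port in $ports; do
    for ip in $PUBLIC_IPS; do
      base_rule "$rule_op" -d "$ip" -p "$proto" --dport "$port" -j ACCEPT || status=1
    done
  done
  return "$status"
}

case "${1:-}" in
  start)
    [ -n "$PUBLIC_IF" ] || usage
    # ACCEPT rules first; the catch-all DROP is appended only once all of them
    # are in place, so an error here leaves the interface open rather than closed.
    base_rule -A -p "$ICMP" -j ACCEPT || exit 1
    base_rule -A -m state --state related,established -j ACCEPT || exit 1
    port_rules -A tcp "$TCP_PORTS" || exit 1
    port_rules -A udp "$UDP_PORTS" || exit 1
    base_rule -A -j DROP || exit 1
    ;;
  stop)
    [ -n "$PUBLIC_IF" ] || usage
    rc=0
    # Reverse order of `start`; keep going past a rule that is already absent.
    base_rule -D -j DROP || rc=1
    port_rules -D udp "$UDP_PORTS" || rc=1
    port_rules -D tcp "$TCP_PORTS" || rc=1
    base_rule -D -m state --state related,established -j ACCEPT || rc=1
    base_rule -D -p "$ICMP" -j ACCEPT || rc=1
    exit "$rc"
    ;;
  *)
    usage
    ;;
esac

exit 0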