lfirewall/scripts/setup

###############################################################
# iptables chain names
###############################################################
IT_INPUT=INPUT
IT_INPUT_LOG=LOGINPUT
IT_OUTPUT=OUTPUT
IT_OUTPUT_LOG=LOGOUTPUT
IT_POSTROUTING=POSTROUTING
IT_PREROUTING=PREROUTING

PATH=/bin:/sbin:/usr/bin:/usr/sbin

#Defautl network interface
NETWORK_IF=eth0

# Services that the system will offer to the network
TCP_SERVICES="22" # SSH only
UDP_SERVICES=""
# Services the system will use from the network
REMOTE_TCP_SERVICES="80 443" # web browsing
REMOTE_UDP_SERVICES="53" # DNS

# Port used for the SSH service, define this is you have setup a
# management network but remove it from TCP_SERVICES
SSH_PORT="22"

###############################################################
# Default IP_TABLES command path
###############################################################
IP_TABLES="/sbin/iptables"
IP_TABLES_RESTORE="/sbin/iptables-restore"
IP_TABLES_RESTORE_6="/sbin/ip6tables-restore"
IP_TABLES_SAVE="/sbin/iptables-save"
IP_TABLES_SAVE_6="/sbin/ip6tables-save"

###############################################################
# iptables action definition
###############################################################

# -C
export IPTABLES_CHECK=__iptables_check_action
# -A
export IPTABLES_ADD=__iptable_add_action
# -I
export IPTABLES_INSERT=__iptable_insert_action
# -P
export IPTABLES_SET_POLICY=__iptable_set_policy_action

export IP_TABLES
export NETWORK_IF


###############################################################
# File and folder paths
###############################################################
CONFIGURATION_FILE=${CONFIGURATION_DIR}/lfirewall.conf
CONFIGURATION_LOCAL_FILE=${CONFIGURATION_DIR}/lfirewall.conf.local
USER_RULES_IPTABLES=${CONFIGURATION_DIR}/iptables-user.v4
USER_RULES_IPTABLES_6=${CONFIGURATION_DIR}/iptables-user.v6
POST_UP_DOWN_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-up-down.d
POST_START_STOP_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-start-stop.d


###############################################################

###############################################################
# Firewall log function definition
###############################################################
log_action () {
	echo $*
}

do_not_log_action () {
	return 0
}

###############################################################
# Firewall actions function definition
###############################################################
do_exec () {
	case $1 in
		__iptable_add_action)
			shift
			iptables_option=-A
		;;
		__iptable_insert_action)
			shift
			iptables_option=-I
		;;
		__iptable_set_policy_action)
			shift
			iptables_option=-P
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac
	if [ ${verbose} -ge 1 ] ; then
		echo $IP_TABLES $iptables_option $*
	fi
	if ! $IP_TABLES -C $* > /dev/null 2>&1
	then
		$IP_TABLES $iptables_option $*
	fi
}


do_check () {
	local the_action
	the_action=$1
	shift
	case $the_action in
		__iptable_add_action)
			iptables_option=-A
		;;
		__iptable_insert_action)
			iptables_option=-I
		;;
		__iptable_set_policy_action)
			return 0
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac
	default_option=-C
	if [ ${verbose} -ge 1 ] ; then
		echo $do_log "$the_action:" $IP_TABLES -C $*
		echo $IP_TABLES -C $*
	fi
	$do_log "$the_action:" $IP_TABLES -C $*
	$IP_TABLES -C $*
	global_status=$((global_status+$?))
}


do_delete () {
	local the_action
	the_action=$1
	shift
	if [ ${verbose} -gt 1 ] ; then
		$do_log "Trying to delete:" $(translate_iptables_rule $IP_TABLES $the_action $*)
	fi
	case $the_action in
		__iptable_add_action)
			iptables_option=-D
		;;
		__iptable_insert_action)
			iptables_option=-D
		;;
		__iptable_set_policy_action)
			CHAIN_NAME="$1"
			$do_log "DELETING: $IP_TABLES -P $CHAIN_NAME DROP"
			$IP_TABLES -P $CHAIN_NAME ACCEPT
			return 0
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac


	# Checks the rule then delete it, if it exists
	if $IP_TABLES -C $* > /dev/null 2>&1
	then
		$IP_TABLES $iptables_option $* || echo "DID NOT EXIST: "$IP_TABLES $iptables_option $*
		$do_log "DELETING:" $IP_TABLES $iptables_option $*
	else
		$do_log "NOT EXISTING:" $IP_TABLES $iptables_option $*
	fi
	global_status=$((global_status+$?))
}

###############################################################
# Utility functions definition
###############################################################

has_parent_process(){
	local parent_to_search
	local ppid
	parent_to_search="${1:-}"
	if [ -z "${parent_to_search:-}" ]
	then
		echo "ERROR: need parent process pid as first arg" >&2
		return 5
	fi
	local pid
	pid="${2:-}"
	if [ -z "${pid:-}" ]
	then
		pid=$$
	fi
	if [ $parent_to_search = $pid ]
	then
		echo ${parent_to_search}
		return 0
	else if [ $pid -gt 1 ]
		then
			ppid=$(ps --pid ${pid} -o ppid= | xargs) || echo "OUT OF RANGE PID=${pid}" >&2
			if [ -n "$ppid" ]
			then
				if [ $ppid = $pid ]
				then
					#echo "ERROR: pid=$pid is the same as ppid=$ppid" >&2
					echo -1
				else
					has_parent_process ${parent_to_search} ${ppid}
				fi
			else
				#echo "ERROR: pid='$pid' has ppid='$ppid'" >&2
				echo -2
			fi
		else
			#echo "NOT FOUND: ${parent_to_search}" >&2
			echo 1
		fi
	fi
	return 1
}

find_pid_user_of(){
	local used_file=$1
	local regex="$2"
	lsof ${used_file} | awk 'NR>1 && $1 ~ /'${regex}'/ && !($2 in a){a[$2]++; print $2}'
}

find_systemctl_pids(){
	local shell_pid
	local systemctl_pid
	ps -elf | grep 'systemctl' | grep -v grep | awk '{print $13}' | sort -u | while read term
	do
		#echo ${shell_pid} ${systemctl_pid} >&2
		if [ -z "${shell_pid:-}" ]
		then
			shell_pid=$(find_pid_user_of /dev/$term '.*sh$')
		fi
		if [ -z "${systemctl_pid:-}" ]
		then
			systemctl_pid=$(find_pid_user_of /dev/$term 'systemctl')
		fi
		echo ${shell_pid} ${systemctl_pid}
	done
}