#!/bin/sh
# DO NOT MODIFY THIS FILE. YOUR CHANGES WILL BE OVERWRITTEN WHEN BONDING IS UPGRADED.
# Allow known IPs through firewall.
# © 2012, Multapplied Networks, Inc.

# Tag printed by start/stop, and the name of the optional defaults file.
NAME=50_wan_in
# Filter chain hooked from INPUT, and the chain that the optional
# /etc/firewall.d/known_ips include populates (see start).
CHAIN=wan_in
KNOWN_IPS_CHAIN=known_ips
# The defaults file is executed as shell, not parsed as key=value: it can
# override the three names above or run any command with this script's rights.
[ -f /etc/default/firewall.d/50_wan_in ] && . /etc/default/firewall.d/50_wan_in

# iptables_4 - run one IPv4 iptables command; arguments are passed through
# unchanged and the exit status is that of iptables.
iptables_4() { iptables "$@"; }


# iptables_6 - run one IPv6 ip6tables command; arguments are passed through
# unchanged and the exit status is that of ip6tables.
iptables_6() { ip6tables "$@"; }


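# iptables_all - run the same command against both iptables and ip6tables.
# Both families are always attempted (an IPv4 failure does not skip IPv6).
# The exit status is non-zero when either family failed, so a caller that
# checks the status is no longer told "ok" when only the IPv6 command worked.
# No 'local' under #!/bin/sh, hence the prefixed scratch variable.
iptables_all() {
    _ipt_rv=0
    iptables "$@" || _ipt_rv=$?
    ip6tables "$@" || _ipt_rv=$?
    return "$_ipt_rv"
}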


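#######################################
# Install the wan_in/known_ips chains and hook them into INPUT.
# Globals:   NAME, CHAIN, KNOWN_IPS_CHAIN (read; CHAIN is put back after the
#            known_ips include)
# Outputs:   " $NAME" on stdout; restore errors on stderr
# Returns:   0, or the status of /etc/firewall.d/known_ips when it exists
#######################################
start () {
    printf ' %s' "${NAME}"
    # Tear down a previous instance first: the -N lines below fail, and the
    # whole restore is rejected, if the chains already exist.  Errors from a
    # set that was never installed are expected here and hidden.
    remove 2> /dev/null
    # Between the remove above and the COMMIT below INPUT has no jump to
    # $CHAIN; what happens to traffic in that window depends on INPUT's
    # policy, which this script does not set.
    # Rule order in $CHAIN: known_ips first, then the fixed eth0 /29 which is
    # accepted for every protocol and port ("troubleshooting access"), then
    # ICMP and established/related traffic; everything else is rejected.
    iptables-restore --noflush --table filter <<EOF
*filter
-N $CHAIN
-N $KNOWN_IPS_CHAIN
-A $CHAIN -j $KNOWN_IPS_CHAIN
-A $CHAIN -i eth0 -s 10.207.35.248/29 -m comment --comment "eth0 troubleshooting access" -j ACCEPT
-A $CHAIN -p icmp -j ACCEPT
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -j REJECT
-A INPUT ! -i lo -j $CHAIN
COMMIT
EOF
    # IPv6 mirrors the IPv4 set minus the fixed /29 exception.
    ip6tables-restore --noflush --table filter <<EOF
*filter
-N $CHAIN
-N $KNOWN_IPS_CHAIN
-A $CHAIN -j $KNOWN_IPS_CHAIN
-A $CHAIN -p icmpv6 -j ACCEPT
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -j REJECT
-A INPUT ! -i lo -j $CHAIN
COMMIT
EOF
    # /etc/firewall.d/known_ips is executed as shell (with this script's
    # rights) while CHAIN names the known_ips chain, which is the first rule
    # $CHAIN jumps to, so whatever it accepts wins over the rules above.
    # A prefix assignment to the special builtin '.' persists in the calling
    # shell under POSIX (dash behaves that way), so CHAIN is saved and restored
    # explicitly instead of relying on the one-command form.
    if [ -f /etc/firewall.d/known_ips ] ; then
        _saved_chain=$CHAIN
        CHAIN=$KNOWN_IPS_CHAIN
        . /etc/firewall.d/known_ips
        _known_rv=$?
        CHAIN=$_saved_chain
        unset _saved_chain
        return "$_known_rv"
    fi
}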
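#######################################
# Print the tag and tear the chains down.
# Globals:   NAME (read)
# Outputs:   " $NAME" on stdout; remove's errors are not hidden here
# Returns:   status of remove
#######################################
stop () {
    # printf: 'echo -n' is not portable under #!/bin/sh.
    printf ' %s' "${NAME}"
    remove
}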
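#######################################
# Unhook and delete the chains for both address families, then flush
# arptables.  Each step runs regardless of the previous one's outcome.
# Globals:   CHAIN, KNOWN_IPS_CHAIN (read)
# Returns:   status of the last command (arptables -F)
#######################################
remove () {
    # Unhook from INPUT first so nothing jumps into the chains while they
    # are being emptied and deleted.
    iptables_all -D INPUT ! -i lo -j "$CHAIN"
    iptables_all -F "$CHAIN"
    iptables_all -F "$KNOWN_IPS_CHAIN"
    iptables_all -X "$CHAIN"
    iptables_all -X "$KNOWN_IPS_CHAIN"

    # Flushes every arptables chain, not only rules this script owns; nothing
    # in this file adds arptables rules, so the reason is not visible here.
    arptables -F
}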
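#######################################
# List the INPUT hook and the wan_in chain, with counters, for both families.
# Globals:   CHAIN (read)
# Outputs:   iptables/ip6tables listings on stdout
#######################################
status () {
    iptables_all -L INPUT -nv
    iptables_all -L "$CHAIN" -nv
}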

# LSB init helpers, when present; none of its functions are called in this file.
[ -f /lib/lsb/init-functions ] && . /lib/lsb/init-functions

# Init-style dispatch on the first argument.  Only status and the usage
# branch set an explicit exit status; the others exit with the status of
# the last command run.
case "${1:-}" in
    start) start ;;
    stop) stop ;;
    restart|force-reload)
        # Full teardown, then a fresh install (see start for the gap in between).
        stop
        start
        ;;
    status)
        status
        exit 0
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac
