#!/bin/sh
# Allow known IPs through firewall.
# © 2012, Multapplied Networks, Inc.

# Identifiers for this firewall fragment: NAME is what the progress
# messages print, CHAIN is the iptables/ip6tables chain this script owns.
NAME="50_wan_in"
CHAIN="wan_in"
# Optional site overrides.  The file is sourced (executed by the shell),
# not parsed, so it should stay root-owned and writable by root only.
if [ -f /etc/default/firewall.d/50_wan_in ]; then
    . /etc/default/firewall.d/50_wan_in
fi

# iptables_4 ARGS... -- apply ARGS to the IPv4 ruleset only.
# Returns: iptables' exit status.
iptables_4() { iptables "$@"; }


# iptables_6 ARGS... -- apply ARGS to the IPv6 ruleset only.
# Returns: ip6tables' exit status.
iptables_6() { ip6tables "$@"; }


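# iptables_all ARGS... -- apply the same ARGS to both the IPv4 and the
# IPv6 ruleset.  Both calls are always attempted: a failure of the IPv4
# call does not skip the IPv6 one.
# Returns: 0 only if both iptables and ip6tables succeeded, otherwise the
# non-zero status of the last call that failed.  Tracking both statuses
# keeps an IPv4 failure from being masked by a successful IPv6 call.
iptables_all() {
    # Plain variable, not 'local': the script runs under /bin/sh.
    rc=0
    iptables "$@" || rc=$?
    ip6tables "$@" || rc=$?
    return "$rc"
}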


start () {
    log_progress_msg $NAME

    remove 2> /dev/null # Remove first to avoid duplicate rules

    iptables_all -N $CHAIN

    test -f /etc/firewall.d/known_ips && . /etc/firewall.d/known_ips

    iptables_4 -A $CHAIN -s 74.121.35.0/25 -j ACCEPT # Technical Support operations
    iptables_4 -A $CHAIN -s 74.121.34.0/26 -j ACCEPT # Technical Support operations
    iptables_4 -A $CHAIN -s 74.121.32.112/28 -j ACCEPT # Technical Support operations
    iptables_4 -A $CHAIN -s 167.114.24.192/27 -j ACCEPT # Technical Support operations
    iptables_4 -A $CHAIN -s 159.2.43.20/32 -j ACCEPT # Technical Support operations
    iptables_6 -A $CHAIN -s 2602:ff93:11ff::/48 -j ACCEPT # Technical Support operations

    iptables_4 -A $CHAIN -p icmp -j ACCEPT
    iptables_6 -A $CHAIN -p icmpv6 -j ACCEPT
    iptables_all -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables_all -A $CHAIN -j REJECT

    # Firewall stuff coming in any interface besides loopback.
    iptables_all -A INPUT ! -i lo -j $CHAIN
}
# stop -- unhook and delete the chain.
# Globals: NAME (read)
# Returns: whatever 'remove' returns.
stop () {
    log_progress_msg "$NAME"
    remove
}
# remove -- detach the chain from INPUT, then flush and delete it.
# The order is forced by iptables: a chain that is still referenced or
# still holds rules cannot be deleted with -X, hence -D, -F, -X.
# Globals: CHAIN (read)
# Returns: the status of the final -X call.
remove () {
    iptables_all -D INPUT ! -i lo -j "$CHAIN"
    iptables_all -F "$CHAIN"
    iptables_all -X "$CHAIN"
}
# status -- list the chain's rules for both address families, with
# packet/byte counters (-v) and without reverse DNS lookups (-n).
# Globals: CHAIN (read)
status () {
    iptables_all -L "$CHAIN" -nv
}

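# LSB helpers (log_progress_msg and friends).  Sourced after the function
# definitions above but before any of them runs.
if [ -f /lib/lsb/init-functions ]; then
    . /lib/lsb/init-functions
fi

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|force-reload)
        stop
        start
        ;;
    status)
        # Exit with the listing's own status instead of a fixed 0, so a
        # missing chain is not reported as success.
        status
        exit $?
        ;;
    *)
        # Usage text is a diagnostic, so it goes to stderr.
        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac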
