#!/bin/sh

# Begin /etc/systemd/scripts/iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# add a routing table for traffic from bridge that is not destined
# for a local address
echo 201 bridge.out >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table bridge.out

# blow away any existing rules with iptables-restore
iptables-restore <<RULES
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i bridge -m addrtype ! --dst-type LOCAL -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:VIC - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j VIC
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j VIC
-A POSTROUTING ! -o bridge -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:VIC - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP

# allow SSH incoming
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# allow pinging of the endpointVM for liveliness checks
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# DHCP traffic
-A INPUT -p udp -m udp --dport 68 -j ACCEPT

# DOCKER API - no TLS
-A INPUT -p tcp -m tcp --dport 2375 -j ACCEPT
# DOCKER API - TLS
-A INPUT -p tcp -m tcp --dport 2376 -j ACCEPT

# vSPC incoming connections - ideally would be -i management but you cannot use
# aliases in iptables and there's no assurance of a separate interface
-A INPUT -p tcp -m tcp --dport 2377 -j ACCEPT

# vicadmin
-A INPUT -p tcp -m tcp --dport 2378 -j ACCEPT

# portlayer port when debug set to expose portlayer API directly
-A INPUT -p tcp -m tcp --dport 2380 -j ACCEPT

# ports 6060-6063 are for per component pprof servers when debug setting allows external access
# vic-init
-A INPUT -p tcp -m tcp --dport 6060 -j ACCEPT
# vicadmin
-A INPUT -p tcp -m tcp --dport 6061 -j ACCEPT
# docker personality
-A INPUT -p tcp -m tcp --dport 6062 -j ACCEPT
# port layer
-A INPUT -p tcp -m tcp --dport 6063 -j ACCEPT

# open DNS ports so containerVMs can do name resolution
-A INPUT -i bridge -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i bridge -p tcp -m tcp --dport 53 -j ACCEPT

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# forward container traffic to the bridge network
-A FORWARD -o bridge -j VIC
-A FORWARD -o bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A VIC -i bridge -o bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A VIC -i bridge -o bridge -j REJECT --reject-with icmp-port-unreachable
COMMIT
RULES

# TODO: adjust this rule configuration for TLS and debug configuration
# 2375 should not be open by default with TLS configs
# 6061-6063 should not be open without debug>=2
