George Hunt 4ee9c3e2b5 add in template dir
rebase based upon copy in

cut out obvious dead code

working on put-204

make users a sqlite db

sqlite db has users, and agent info

android timeouts not yet working

android 5 and 6 both work. lost mac

return to a working version for the MAC. Missing the splash

android,mac,windows all appear to work

sqlite get status of execute row == Null

initialize lasttimestamp with ajax call when home is triggered

remove commented code, move towards logging vs print statements

add logging with the -l flag

no changes to default_vars.yml

drop iptables captive portal stuff not using port 8090, and dnsmasq

missed deleting trap_enabled

fixes for 6.7 defaults

add in template dir

rebase bassed upon copy in

cut out obvious dead code

working on put-204

make users a sqlite db

sqlite db has users, and agent info

android timeouts not yet working

android 5 and 6 both work. lost mac

return to a working version for the MAC. Missing the splash

android,mac,windows all appear to work

sqlite get status of execute row == Null

initialize lasttimestamp with ajax call when home is triggered

remove commented code, move towards logging vs print statements

drop iptables captive portal stuff not using port 8090, and dnsmasq

missed deleting trap_enabled

fixes for 6.7 defaults

dispense with apache logs for captive portal, use the rotating portal.log instead

bring in clean defaults and py

Squash debugging details

remove backup file

still cannot dispense with cna on iphone. mac escape from cna broke with these changes

captive comes after iiab in apache config

one filename wrong

logging used for debug, lost mac escape from cna

typos

got mac/iphone full browser back

remove dead code

python was not creating db, or putting ip when first encountered
2018-09-29 03:40:14 +00:00

#!/bin/bash -x
# iiab-gen-iptables: (re)generate and persist the IIAB firewall rule set.
#
# This file is a Jinja2 template rendered by Ansible; the template markers
# are substituted before the script is installed. The -x on the shebang
# makes bash trace every command to stderr, so the rules actually applied
# show up in the console/journal.
#
# /etc/iiab/iiab.env is expected to define IIAB_LAN_DEVICE and
# IIAB_WAN_DEVICE (read just below). HTTPCACHE_ON is also read later on and
# is never set here -- presumably it comes from iiab.env as well; confirm.
source /etc/iiab/iiab.env

# Distro-specific path of the iptables binary and of the file the rule set
# is persisted to.
{% if is_debuntu %}
IPTABLES=/sbin/iptables
IPTABLES_DATA=/etc/iptables.up.rules
{% else %}
IPTABLES=/usr/sbin/iptables
IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %}

LANIF="$IIAB_LAN_DEVICE"
WANIF="$IIAB_WAN_DEVICE"
# Third whitespace-separated field of the iiab_network_mode_applied line in
# iiab.ini -- presumably the value of a "key = value" entry (compared with
# 'Appliance' further down); confirm against the ini format.
MODE=$(grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}')
#######################################
# Reset the firewall to the baseline every network mode shares.
# Flushes the filter and nat tables and deletes user-defined chains (the
# bare -X only acts on the filter table), then appends, in order:
#   - accept everything on loopback
#   - drop inbound tcp and udp to a few service ports that must never be
#     reachable from a network: rpc (111), mysql (3306), postgres (5432,
#     which listens on lo only anyway) and couchdb (5984).
# Rules are evaluated first-match-wins. No chain policy is set here, so
# unmatched traffic keeps whatever default the chain already had.
# Globals:   IPTABLES (read) - path of the iptables binary
# Arguments: none
# Returns:   exit status of the last iptables invocation
#######################################
clear_fw() {
  local port proto
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -X
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  for port in 111 3306 5432 5984; do
    for proto in tcp udp; do
      "$IPTABLES" -A INPUT -p "$proto" --dport "$port" -j DROP
    done
  done
}
# Appliance mode, or no WAN device configured: nothing is routed, so the
# baseline from clear_fw is the complete rule set. Persist it and stop.
if [[ "$WANIF" == "none" || "$MODE" == "Appliance" ]]; then
  clear_fw
{% if is_debuntu %}
  netfilter-persistent save
{% else %}
  iptables-save > "$IPTABLES_DATA"
{% endif %}
  exit 0
fi
# Gateway / routing path from here on.
lan="$LANIF"
wan="$WANIF"
# (Original author's note here read "Good thing we replace this file should
# be treated like squid below" -- intent unclear; presumably a reminder that
# this file is regenerated on every run, like the 3128 redirect at the end.)
#
# The values below are filled in by Ansible when the template is rendered;
# the shell variables just carry them into the rule-building logic.
gw_block_https={{ gw_block_https }}
ssh_port={{ ssh_port }}
gui_wan={{ gui_wan }}
gui_port={{ gui_port }}
iiab_gateway_enabled={{ iiab_gateway_enabled }}
services_externally_visible={{ services_externally_visible }}
# Service ports that may be opened on the WAN side.
calibre_port={{ calibre_port }}
kiwix_port={{ kiwix_port }}
kalite_server_port={{ kalite_server_port }}
kolibri_http_port={{ kolibri_http_port }}
transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }}
sugarizer_port={{ sugarizer_port }}
block_DNS={{ block_DNS }}
py_captive_portal_enabled={{ py_captive_portal_enabled }}
printf 'LAN is %s and WAN is %s\n' "$lan" "$wan"
#
# Load the netfilter modules the rules depend on, then start over from the
# shared baseline (loopback accept + service-port drops, see clear_fw).
#
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
clear_fw

# ---- INPUT: traffic addressed to this box ------------------------------
# Replies to connections we initiated, and any new connection from the LAN.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -m state --state NEW -i "$lan" -j ACCEPT
# mDNS, on every interface.
"$IPTABLES" -A INPUT -p udp --dport 5353 -j ACCEPT
# ssh is opened on the WAN side whenever this gateway path runs; unlike the
# GUI and the services below there is no flag that turns it off.
"$IPTABLES" -A INPUT -p tcp --dport "$ssh_port" -m state --state NEW -i "$wan" -j ACCEPT
if [[ "$gui_wan" == "True" ]]; then
  "$IPTABLES" -A INPUT -p tcp --dport "$gui_port" -m state --state NEW -i "$wan" -j ACCEPT
fi
if [[ "$services_externally_visible" == "True" ]]; then
  # One ACCEPT per service port, in this order.
  for port in "$kiwix_port" "$kalite_server_port" "$kolibri_http_port" \
              "$calibre_port" "$sugarizer_port" \
              "$transmission_http_port" "$transmission_peer_port"; do
    "$IPTABLES" -A INPUT -p tcp --dport "$port" -m state --state NEW -i "$wan" -j ACCEPT
  done
fi

# ---- FORWARD / nat: the gateway role -----------------------------------
if [[ "$iiab_gateway_enabled" == "True" ]]; then
  "$IPTABLES" -A POSTROUTING -t nat -o "$wan" -j MASQUERADE
fi
# Return traffic for connections the LAN opened.
"$IPTABLES" -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Optionally drop forwarded https that is not aimed at the server itself.
if [[ "$gw_block_https" == "True" ]]; then
  "$IPTABLES" -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
fi
# LAN -> WAN is accepted outright unless the python captive portal is in
# charge. NOTE(review): no chain policy (-P) is set anywhere in this script,
# so when this ACCEPT is omitted, LAN->WAN forwarding falls through to the
# FORWARD chain's pre-existing policy -- confirm that is DROP on the target.
if [[ "$py_captive_portal_enabled" != "True" ]]; then
  "$IPTABLES" -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
fi
# Nothing unsolicited from the WAN reaches the LAN or this box.
"$IPTABLES" -A FORWARD -i "$wan" -o "$lan" -j DROP
"$IPTABLES" -A INPUT -i "$wan" -j DROP

# Redirect LAN DNS queries not already aimed at us to the local resolver.
if [[ "$block_DNS" == "True" ]]; then
  "$IPTABLES" -t nat -A PREROUTING -i "$lan" -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
  "$IPTABLES" -t nat -A PREROUTING -i "$lan" -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
fi
# Port-80 redirects. The captive portal rule is appended before the http
# cache rule and both match the same traffic, so with both enabled the
# captive portal wins (first match).
if [[ "$py_captive_portal_enabled" == "True" ]]; then
  "$IPTABLES" -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:{{ py_captive_portal_port }}
fi
# HTTPCACHE_ON is not set in this script; presumably it comes from iiab.env.
if [[ "$HTTPCACHE_ON" == "True" ]]; then
  "$IPTABLES" -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi

# Enable routing. This happens on every gateway-path run, regardless of
# iiab_gateway_enabled.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Persist the whole rule set.
{% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > "$IPTABLES_DATA"
{% endif %}
exit 0