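#!/bin/bash
#
# brickwall: (re)build the INPUT filter chain from the files in /etc/brickwall.
#
#   blacklist.cfg  whitespace-separated source IPv4 addresses/CIDRs to DROP
#   ports.cfg      whitespace-separated TCP ports to ACCEPT from anywhere
#   whitelist.cfg  whitespace-separated IPv4 addresses/CIDRs allowed any TCP port
#                  (inbound on INPUT, outbound on OUTPUT)
#
# Requires core-firewall.sh (same directory) to define IPTCMD.
#
# Rule order in INPUT, first match wins:
#   1. blacklist DROP   - placed first so it also beats RELATED,ESTABLISHED
#                         and the whitelist (the original appended these after
#                         the catch-all DROP, where they could never match)
#   2. loopback ACCEPT
#   3. RELATED,ESTABLISHED ACCEPT
#   4. whitelist ACCEPT (any TCP port)
#   5. open ports ACCEPT
#   6. catch-all DROP
#
# Config entries that do not look like a port number or an IPv4 address/CIDR
# are skipped with a warning instead of being handed to iptables, where a
# stray token from a config file would otherwise be parsed as an option.

set -eu   # abort on the first failing iptables call rather than leave a half-built chain
set -f    # config lists are word-split below; never glob their entries
set -x    # keep the command trace the original shebang (-x) produced

BUILTIN_CHAINS="INPUT OUTPUT FORWARD"   # not referenced below; presumably read by core-firewall.sh

cd "$(dirname "$0")" || exit 1
source core-firewall.sh
: "${IPTCMD:?core-firewall.sh must define IPTCMD}"

readonly CONF_DIR=/etc/brickwall

#######################################
# Print a diagnostic to stderr.
# Arguments: message words
#######################################
warn() {
  printf 'brickwall: %s\n' "$*" >&2
}

#######################################
# Print the contents of a config file, or nothing if it does not exist.
# Arguments: $1 - file name relative to CONF_DIR
# Outputs:   file contents on stdout
# Returns:   0 (a missing file is not an error)
#######################################
read_cfg() {
  local file="${CONF_DIR}/$1"
  if [[ -f "$file" ]]; then
    cat -- "$file"
  fi
  return 0
}

#######################################
# True if $1 is a decimal TCP port in 1..65535.
# Arguments: $1 - candidate port
#######################################
is_port() {
  local re='^[0-9]{1,5}$'
  [[ "$1" =~ $re ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

#######################################
# True if $1 looks like a dotted-quad IPv4 address with an optional /prefix.
# Syntax check only; iptables still validates the value itself.
# Arguments: $1 - candidate address or CIDR
#######################################
is_ipv4() {
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  [[ "$1" =~ $re ]]
}

BLACKLIST_IPS=$(read_cfg blacklist.cfg)
OPEN_PORTS=$(read_cfg ports.cfg)
WHITELIST_IPS=$(read_cfg whitelist.cfg)

# IPTCMD is left unquoted on purpose: a multi-word value (wrapper plus options)
# must still split into separate arguments.
${IPTCMD} -F
${IPTCMD} -P INPUT DROP

## BLOCK blacklisted IPs (before anything that ACCEPTs)

for ip in ${BLACKLIST_IPS}; do
  if is_ipv4 "$ip"; then
    ${IPTCMD} -A INPUT -s "$ip" -j DROP
  else
    warn "blacklist.cfg: skipping invalid entry '$ip'"
  fi
done

${IPTCMD} -A INPUT -i lo -p all -j ACCEPT
${IPTCMD} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ALLOW whitelisted IPs

for ip in ${WHITELIST_IPS}; do
  if is_ipv4 "$ip"; then
    ${IPTCMD} -A INPUT  -p tcp -s "$ip" -j ACCEPT
    ${IPTCMD} -I OUTPUT -p tcp -d "$ip" -j ACCEPT
  else
    warn "whitelist.cfg: skipping invalid entry '$ip'"
  fi
  #TODO: parse IP:port to allow only destination port
  #iptables -I INPUT -p udp -s 10.1.0.0/16 --dport 53 -j ACCEPT
done

for port in ${OPEN_PORTS}; do
  if is_port "$port"; then
    ${IPTCMD} -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
  else
    warn "ports.cfg: skipping invalid entry '$port'"
  fi
done

#${IPTCMD} -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # SSH !
${IPTCMD} -A INPUT -j DROP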