#!/bin/sh
#
# firewall-script.SlackBuild
# 2021-02-23
#

# Package identity: name, version, architecture, build number and packager
# tag. BUILD and TAG may be preset in the environment; `:=` only fills them
# in when they are unset or empty.
PRGNAM=firewall-script
VERSION=0.2
ARCH=noarch
: "${BUILD:=1}"
: "${TAG:=scr}"

# Runtime dependencies, space-separated; each word is later written on its
# own line into install/slack-required.
REQUIRES="network-scripts iptables"

MAINTAINER="Gernot Walzl"
EMAIL="gernot.walzl@gmx.at"

# Package description: a title line, an empty line, and the attribution.
# printf builds exactly the same three lines as the former literal string.
DESC=$(printf 'Firewall Script\n\nby %s' "$MAINTAINER")

# EOF info

# Working locations. TMP and OUTPUT may be preset in the environment; PKG is
# the staging root that becomes the package tree.
CWD=$(pwd)
: "${TMP:=/tmp}"
PKG="$TMP/package-$PRGNAM"
: "${OUTPUT:=/tmp}"

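# exit on error (not honoured inside conditions such as `if cmd`, so the
# steps whose failure matters are still checked explicitly below)
set -e

# Stage a fresh package tree. PKG derives from TMP, which is overridable and
# defaults to the world-writable /tmp under a predictable name; point TMP at
# a private directory when other local users are not trusted.
# ${PKG:?} aborts instead of letting an unset/empty PKG turn these into
# `rm -rf` / `mkdir -p` on "/" or the current directory.
rm -rf -- "${PKG:?}"
mkdir -p -- "${PKG:?}/install" "${PKG:?}/etc/rc.d"

# The init script is copied from the build host's live /etc/rc.d/rc.firewall,
# so the package carries whatever version is installed on the build host.
cp -- /etc/rc.d/rc.firewall "${PKG:?}/etc/rc.d/"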

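# IPv4 rule set in iptables-save format (presumably loaded by rc.firewall
# with iptables-restore — confirm in that script). Shipped as a ".new" file
# so the doinst.sh config() further down never overwrites a locally edited
# /etc/iptables.conf. The heredoc delimiter is quoted so the rules are
# emitted verbatim; the text contains no `$` or backslash today, but quoting
# keeps a future edit from being expanded by the shell.
#
# Policy: INPUT drops by default; loopback, established/related and ICMP are
# accepted. New SSH connections are recorded in the "recent" list SSH (per
# source address, recent's default) and a new connection that makes the 8th
# hit within 60 s is dropped (--rttl additionally requires a matching TTL);
# the remaining SSH, HTTP and HTTPS traffic is accepted. The *nat section is
# commented out and only relevant when the host acts as a router.
cat > "${PKG:?}/etc/iptables.conf.new" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT

# If this box is used as a router the following lines are useful.
# The postrouting rule does network address translation (NAT).
# The prerouting rule does port forwarding to the specified destination.
# (It is required to enable IP packet forwarding in the kernel.)
#
#*nat
#:PREROUTING ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
#-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j MASQUERADE
#COMMIT
EOF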

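# IPv6 counterpart of the rule set above, same INPUT-DROP policy and the
# same SSH rate limit. Differences: ICMPv6 is accepted (neighbour discovery
# and path MTU discovery depend on it, so it must not be filtered wholesale)
# and DHCPv6 replies (UDP 546) are accepted from link-local sources only.
# Quoted delimiter: the body is written verbatim, no shell expansion.
cat > "${PKG:?}/etc/ip6tables.conf.new" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmpv6 -j ACCEPT

-A INPUT -p udp -s fe80::/10 --dport 546 -j ACCEPT

-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT
EOF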

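# Ownership and modes of the staged tree. The rule files are root-only
# (0600): a host's rule set reveals which services are exposed and how they
# are rate limited. rc.firewall must be executable for the init system.
chown -R root:root -- "${PKG:?}"
chmod 0755 -- "${PKG:?}/etc/rc.d/rc.firewall"
chmod 0600 -- "${PKG:?}/etc/iptables.conf.new" "${PKG:?}/etc/ip6tables.conf.new"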

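# add some description to the package: every line of DESC is prefixed with
# "$PRGNAM: " as slack-desc expects. PRGNAM is interpolated into the sed
# expression; that is safe only while it contains no `/` or sed
# metacharacters, which holds for the constant set at the top of this file.
if [ -n "$DESC" ]; then
  printf '%s\n' "$DESC" | sed "s/^/$PRGNAM: /" > "${PKG:?}/install/slack-desc"
fi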

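# append dependency information to the package, one package name per line.
# REQUIRES is deliberately left unquoted so it splits on whitespace.
if [ -n "$REQUIRES" ]; then
  # shellcheck disable=SC2086
  for REQ in $REQUIRES; do
    printf '%s\n' "$REQ" >> "${PKG:?}/install/slack-required"
  done
fi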

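# doinst.sh: post-install script; the relative paths at its end indicate it
# runs with the install root as working directory. config() is the usual
# Slackware idiom for ".new" files: move the new file into place when no
# local copy exists, drop it when it is identical to the local copy, and
# otherwise leave both so the administrator can merge them. The delimiter
# is quoted so the body is written literally without backslash escapes;
# the emitted script is byte-identical to the earlier escaped form.
cat > "${PKG:?}/install/doinst.sh" <<'EOF'
#!/bin/sh

config () {
  NEW="$1"
  OLD="$(dirname $NEW)/$(basename $NEW .new)"
  if [ ! -r "$OLD" ]; then
    mv $NEW $OLD
  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
    rm $NEW
  fi
}

config etc/iptables.conf.new
config etc/ip6tables.conf.new
EOF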

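# build the package from inside the staged tree (makepkg archives the
# current directory). -l y turns symlinks into doinst.sh entries; -c n keeps
# the ownership and modes set above instead of resetting them. PKGTYPE may
# be preset in the environment to choose the archive format (default tgz).
cd "${PKG:?}"
makepkg -l y -c n \
  "$OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}" \
  || exit 1

# make everything clean: return to the start directory and drop the tree.
# ${PKG:?} guards the rm against an empty PKG.
cd "$CWD"
rm -rf -- "${PKG:?}"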
