#!/bin/sh
#
# /etc/rc.d/rc.firewall
# 2012-08-29
# by Gernot WALZL
#
# Simple firewall script for IPv4 and IPv6.
# It saves/restores all rules to/from a configuration file.


IPTABLESCONF="/etc/iptables.conf"
IP6TABLESCONF="/etc/ip6tables.conf"


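# Status markers printed at the end of each step: jump to column 60, then a
# coloured tag. The backslash escapes stay literal here and are interpreted
# when the marker is printed (printf '%b' / echo -e).
SUCCESS="\033[60G[\033[1;32m  OK  \033[0m]"
FAILURE="\033[60G[\033[1;31mFAILED\033[0m]"
WARNING="\033[60G[\033[1;33mWARNING\033[0m]"
# Prefer the distribution's own markers when its helper library exists.
# Only replace a marker if the helper that produces it is actually defined;
# otherwise a library lacking one of them would silently blank the marker.
if [ -r /etc/init.d/functions ]; then
  . /etc/init.d/functions
  command -v echo_success >/dev/null 2>&1 && SUCCESS=$(echo_success)
  command -v echo_failure >/dev/null 2>&1 && FAILURE=$(echo_failure)
  command -v echo_warning >/dev/null 2>&1 && WARNING=$(echo_warning)
fi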


# Print the accepted actions, naming the script as it was invoked.
print_usage () {
  printf 'Usage: %s {start|stop|restart|save}\n' "$0"
}


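#######################################
# Load a saved rule set into the kernel with <tool>-restore.
# Globals:   SUCCESS, FAILURE (read)
# Arguments: $1 - tool name (iptables or ip6tables)
#            $2 - path of the saved rules
# Outputs:   one status line on stdout; tool diagnostics go to stderr
# Returns:   0 if the rules were loaded, 1 if the file is unreadable or
#            the restore failed (the tables keep whatever was in them)
# Exits:     1 when an argument is missing (a caller bug, not a runtime error)
#######################################
start_iptables () {
  IPxTABLES="$1"
  IPxTABLESCONF="$2"
  if [ -z "$IPxTABLES" ] || [ -z "$IPxTABLESCONF" ]; then
    printf 'start_iptables: missing argument\n' >&2
    exit 1
  fi

  printf '%s-restore: ' "$IPxTABLES"
  if [ ! -r "$IPxTABLESCONF" ]; then
    printf 'ERROR: %s is not readable. ' "$IPxTABLESCONF"
    printf '%b\n' "$FAILURE"
    return 1
  fi
  # Test the command itself rather than $? afterwards, so the status cannot
  # be clobbered by an intervening statement.
  if "${IPxTABLES}-restore" < "$IPxTABLESCONF"; then
    printf '%b\n' "$SUCCESS"
    return 0
  fi
  printf '%b\n' "$FAILURE"
  return 1
}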


# Load the saved IPv4 rule set, then the saved IPv6 one.
# Each load reports its own status; the second one's status is returned.
start () {
  start_iptables iptables "${IPTABLESCONF}"
  start_iptables ip6tables "${IP6TABLESCONF}"
}


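#######################################
# Open the IPv4 firewall completely: set every built-in chain of the
# filter, nat and mangle tables back to ACCEPT, flush all rules and delete
# all user-defined chains. The host accepts all IPv4 traffic afterwards.
# Globals:   WARNING (read)
# Outputs:   one warning line on stdout; iptables diagnostics on stderr
# Returns:   0 if every iptables call succeeded, 1 if any of them failed
#            (the remaining calls are still attempted)
#######################################
stop_iptables () {
  printf 'iptables: \033[1;33mACCEPT\033[0ming everything '
  printf '%b\n' "$WARNING"
  rc=0

  # reset the default policies in the filter table
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT || rc=1
  done

  # reset the default policies in the nat table
  for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT || rc=1
  done

  # reset the default policies in the mangle table
  for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    iptables -t mangle -P "$chain" ACCEPT || rc=1
  done

  # flush all rules first: user chains can only be deleted once empty
  iptables -F || rc=1
  iptables -t nat -F || rc=1
  iptables -t mangle -F || rc=1

  # erase all user-defined chains
  iptables -X || rc=1
  iptables -t nat -X || rc=1
  iptables -t mangle -X || rc=1

  return "$rc"
}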


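#######################################
# Open the IPv6 firewall completely: set every built-in chain of the
# filter and mangle tables back to ACCEPT, flush all rules and delete all
# user-defined chains. The host accepts all IPv6 traffic afterwards.
# Globals:   WARNING (read)
# Outputs:   one warning line on stdout; ip6tables diagnostics on stderr
# Returns:   0 if every ip6tables call succeeded, 1 if any of them failed
#            (the remaining calls are still attempted)
#######################################
stop_ip6tables () {
  printf 'ip6tables: \033[1;33mACCEPT\033[0ming everything '
  printf '%b\n' "$WARNING"
  rc=0

  # reset the default policies in the filter table
  for chain in INPUT FORWARD OUTPUT; do
    ip6tables -P "$chain" ACCEPT || rc=1
  done

  # reset the default policies in the mangle table
  for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    ip6tables -t mangle -P "$chain" ACCEPT || rc=1
  done

  # flush all rules first: user chains can only be deleted once empty
  ip6tables -F || rc=1
  ip6tables -t mangle -F || rc=1

  # erase all user-defined chains
  ip6tables -X || rc=1
  ip6tables -t mangle -X || rc=1

  return "$rc"
}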


# Open both firewalls: IPv4 first, then IPv6.
# The IPv6 step's status is what this function returns.
stop () {
  stop_iptables
  stop_ip6tables
}


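#######################################
# Dump the live rule set with <tool>-save into its configuration file,
# keeping the previous file as <file>.old.
# Globals:   SUCCESS, FAILURE (read)
# Arguments: $1 - tool name (iptables or ip6tables)
#            $2 - path of the rules file to write
# Outputs:   one status line on stdout; tool diagnostics go to stderr
# Returns:   0 if the file was written, 1 otherwise; on failure the
#            existing rules file is left untouched
# Exits:     1 when an argument is missing (a caller bug, not a runtime error)
#######################################
save_iptables () {
  IPxTABLES="$1"
  IPxTABLESCONF="$2"
  if [ -z "$IPxTABLES" ] || [ -z "$IPxTABLESCONF" ]; then
    printf 'save_iptables: missing argument\n' >&2
    exit 1
  fi

  printf '%s-save: ' "$IPxTABLES"
  if [ -f "$IPxTABLESCONF" ] && [ ! -w "$IPxTABLESCONF" ]; then
    printf 'ERROR: %s is not writable. ' "$IPxTABLESCONF"
    printf '%b\n' "$FAILURE"
    return 1
  fi

  # Dump into a private temporary file in the target directory first.
  # "cmd > file" truncates the file before cmd runs, so a failing dump
  # would otherwise leave an empty rules file behind and the next "start"
  # would load no rules at all. mktemp creates the file mode 0600, so a
  # freshly created rules file is readable by root only.
  conf_dir=$(dirname -- "$IPxTABLESCONF")
  tmp=$(mktemp "${conf_dir}/.${IPxTABLES}.XXXXXX") || {
    printf 'ERROR: cannot create a temporary file in %s. ' "$conf_dir"
    printf '%b\n' "$FAILURE"
    return 1
  }
  if ! "${IPxTABLES}-save" > "$tmp"; then
    rm -f -- "$tmp"
    printf '%b\n' "$FAILURE"
    return 1
  fi

  # keep one previous generation, with the same mode and timestamps
  if [ -f "$IPxTABLESCONF" ]; then
    cp -p -- "$IPxTABLESCONF" "${IPxTABLESCONF}.old"
  fi
  # rename is atomic: readers see either the old or the new complete file
  if ! mv -f -- "$tmp" "$IPxTABLESCONF"; then
    rm -f -- "$tmp"
    printf '%b\n' "$FAILURE"
    return 1
  fi
  printf '%b\n' "$SUCCESS"
  return 0
}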


# Write the live IPv4 rule set, then the live IPv6 one, to their files.
# Each save reports its own status; the second one's status is returned.
save () {
  save_iptables iptables "${IPTABLESCONF}"
  save_iptables ip6tables "${IP6TABLESCONF}"
}


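# Entry point: dispatch on the single action argument.
# An unknown or missing action prints the usage to stderr and exits 2,
# so callers (init, cron, an operator's shell) can tell a typo from a
# completed run.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # Between stop and start every policy is ACCEPT for about a second;
    # the saved rules are only loaded again by start.
    stop
    sleep 1
    start
    ;;
  save)
    save
    ;;
  *)
    print_usage >&2
    exit 2
    ;;
esac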

