#!/bin/sh

$XT_MULTI iptables -w -L -n > /dev/null || exit 1

$XT_MULTI iptables -w2 -L -n > /dev/null || exit 1

echo -n '#foo' | $XT_MULTI iptables-restore -w || exit 1

# table probing

for table in security raw mangle nat filter;do

	$XT_MULTI iptables -w2 -t $table -L -n > /dev/null

done

$XT_MULTI iptables -w2 -p icmp --help | grep -q 'Valid ICMP Types' || exit 1

cat <

*nat

-F

-X

-Z

-N PREROUTING_direct

-I PREROUTING 1 -j PREROUTING_direct

-N PREROUTING_ZONES_SOURCE

-N PREROUTING_ZONES

-I PREROUTING 2 -j PREROUTING_ZONES_SOURCE

-I PREROUTING 3 -j PREROUTING_ZONES

-N POSTROUTING_direct

-I POSTROUTING 1 -j POSTROUTING_direct

-N POSTROUTING_ZONES_SOURCE

-N POSTROUTING_ZONES

-I POSTROUTING 2 -j POSTROUTING_ZONES_SOURCE

-I POSTROUTING 3 -j POSTROUTING_ZONES

-N OUTPUT_direct

-I OUTPUT 1 -j OUTPUT_direct

COMMIT

*mangle

-F

-X

-Z

-N PREROUTING_direct

-I PREROUTING 1 -j PREROUTING_direct

-N PREROUTING_ZONES_SOURCE

-N PREROUTING_ZONES

-I PREROUTING 2 -j PREROUTING_ZONES_SOURCE

-I PREROUTING 3 -j PREROUTING_ZONES

-N POSTROUTING_direct

-I POSTROUTING 1 -j POSTROUTING_direct

-N INPUT_direct

-I INPUT 1 -j INPUT_direct

-N OUTPUT_direct

-I OUTPUT 1 -j OUTPUT_direct

-N FORWARD_direct

-I FORWARD 1 -j FORWARD_direct

COMMIT

*raw

-F

-X

-Z

-N PREROUTING_direct

-I PREROUTING 1 -j PREROUTING_direct

-N PREROUTING_ZONES_SOURCE

-N PREROUTING_ZONES

-I PREROUTING 2 -j PREROUTING_ZONES_SOURCE

-I PREROUTING 3 -j PREROUTING_ZONES

-N OUTPUT_direct

-I OUTPUT 1 -j OUTPUT_direct

COMMIT

*filter

-F

-X

-Z

-N INPUT_direct

-N INPUT_ZONES_SOURCE

-N INPUT_ZONES

-I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-I INPUT 2 -i lo -j ACCEPT

-I INPUT 3 -j INPUT_direct

-I INPUT 4 -j INPUT_ZONES_SOURCE

-I INPUT 5 -j INPUT_ZONES

-I INPUT 6 -m conntrack --ctstate INVALID -j DROP

-I INPUT 7 -j REJECT --reject-with icmp-host-prohibited

-N FORWARD_direct

-N FORWARD_IN_ZONES_SOURCE

-N FORWARD_IN_ZONES

-N FORWARD_OUT_ZONES_SOURCE

-N FORWARD_OUT_ZONES

-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-I FORWARD 2 -i lo -j ACCEPT

-I FORWARD 3 -j FORWARD_direct

-I FORWARD 4 -j FORWARD_IN_ZONES_SOURCE

-I FORWARD 5 -j FORWARD_IN_ZONES

-I FORWARD 6 -j FORWARD_OUT_ZONES_SOURCE

-I FORWARD 7 -j FORWARD_OUT_ZONES

-I FORWARD 8 -m conntrack --ctstate INVALID -j DROP

-I FORWARD 9 -j REJECT --reject-with icmp-host-prohibited

-N OUTPUT_direct

-I OUTPUT 1 -j OUTPUT_direct

COMMIT

EOF

if [ $? -ne 0 ]; then

	echo "Error during first iptables-restore"

	exit 1

fi

cat <

*raw

-N PRE_public

-N PRE_public_log

-N PRE_public_deny

-N PRE_public_allow

-I PRE_public 1 -j PRE_public_log

-I PRE_public 2 -j PRE_public_deny

-I PRE_public 3 -j PRE_public_allow

-A PREROUTING_ZONES -i + -g PRE_public

COMMIT

*filter

-N IN_public

-N IN_public_log

-N IN_public_deny

-N IN_public_allow

-I IN_public 1 -j IN_public_log

-I IN_public 2 -j IN_public_deny

-I IN_public 3 -j IN_public_allow

-A IN_public_allow -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

-A IN_public_allow -p udp --dport 5353 -d 224.0.0.251 -m conntrack --ctstate NEW -j ACCEPT

-N FWDI_public

-N FWDI_public_log

-N FWDI_public_deny

-N FWDI_public_allow

-I FWDI_public 1 -j FWDI_public_log

-I FWDI_public 2 -j FWDI_public_deny

-I FWDI_public 3 -j FWDI_public_allow

-I IN_public 4 -p icmp -j ACCEPT

-I FWDI_public 4 -p icmp -j ACCEPT

-A INPUT_ZONES -i + -g IN_public

-A FORWARD_IN_ZONES -i + -g FWDI_public

-N FWDO_public

-N FWDO_public_log

-N FWDO_public_deny

-N FWDO_public_allow

-I FWDO_public 1 -j FWDO_public_log

-I FWDO_public 2 -j FWDO_public_deny

-I FWDO_public 3 -j FWDO_public_allow

-A FORWARD_OUT_ZONES -o + -g FWDO_public

COMMIT

*nat

-N PRE_public

-N PRE_public_log

-N PRE_public_deny

-N PRE_public_allow

-I PRE_public 1 -j PRE_public_log

-I PRE_public 2 -j PRE_public_deny

-I PRE_public 3 -j PRE_public_allow

-A PREROUTING_ZONES -i + -g PRE_public

-N POST_public

-N POST_public_log

-N POST_public_deny

-N POST_public_allow

-I POST_public 1 -j POST_public_log

-I POST_public 2 -j POST_public_deny

-I POST_public 3 -j POST_public_allow

-A POSTROUTING_ZONES -o + -g POST_public

COMMIT

*mangle

-N PRE_public

-N PRE_public_log

-N PRE_public_deny

-N PRE_public_allow

-I PRE_public 1 -j PRE_public_log

-I PRE_public 2 -j PRE_public_deny

-I PRE_public 3 -j PRE_public_allow

-A PREROUTING_ZONES -i + -g PRE_public

COMMIT

EOF

if [ $? -ne 0 ]; then

	echo "Error during 2nd iptables-restore"

	exit 1

fi

cat <

*mangle

-P PREROUTING ACCEPT

-P POSTROUTING ACCEPT

-P INPUT ACCEPT

-P OUTPUT ACCEPT

-P FORWARD ACCEPT

COMMIT

*raw

-P PREROUTING ACCEPT

-P OUTPUT ACCEPT

COMMIT

*filter

-P INPUT ACCEPT

-P OUTPUT ACCEPT

-P FORWARD ACCEPT

COMMIT

EOF

if [ $? -ne 0 ]; then

	echo "Error during 3rd iptables-restore"

	exit 1

fi

cat <

*filter

-I INPUT_ZONES 1 -i enp3s0 -g IN_public

-I FORWARD_IN_ZONES 1 -i enp3s0 -g FWDI_public

-I FORWARD_OUT_ZONES 1 -o enp3s0 -g FWDO_public

COMMIT

*nat

-I PREROUTING_ZONES 1 -i enp3s0 -g PRE_public

-I POSTROUTING_ZONES 1 -o enp3s0 -g POST_public

COMMIT

*mangle

-I PREROUTING_ZONES 1 -i enp3s0 -g PRE_public

COMMIT

*raw

-I PREROUTING_ZONES 1 -i enp3s0 -g PRE_public

COMMIT

EOF

if [ $? -ne 0 ]; then

	echo "Error during 4th iptables-restore"

	exit 1

fi

tmpfile=$(mktemp) || exit 1

for table in nat mangle raw filter;do

	$XT_MULTI iptables-save -t $table | grep -v '^#' >> "$tmpfile"

done

case "$XT_MULTI" in

*xtables-nft-multi)

	# nft-multi displays chain names in different order, work around this for now

	tmpfile2=$(mktemp)

	sort "$tmpfile" > "$tmpfile2"

	sort $(dirname "$0")/dumps/ipt-save-completed.txt > "$tmpfile"

	diff -u $tmpfile $tmpfile2

	RET=$?

	rm -f "$tmpfile2"

	;;

*)

	diff -u $tmpfile  $(dirname "$0")/dumps/ipt-save-completed.txt

	RET=$?

	;;

esac

rm -f "$tmpfile"

exit $RET