# Common code for iptables manipulation

# Rule specification that opens TCP port 4118 for new connections in the
# INPUT chain (no "-A"/"-I" and no table, so the caller chooses the verb).
# Not used within this file; presumably word-split into iptables arguments
# by the scripts that source it — confirm against the callers.
IPTABLE_OPEN_4118_RULE='INPUT -j ACCEPT -m state --state NEW --proto tcp --dport 4118'
# Uptime threshold (seconds): at or below this the host is treated as
# still booting by isBooting.
readonly BOOTING_TIME=10

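#######################################
# Check whether TCP port 4118 (or the port given as $1) has no matching
# rule in the iptables filter table.
# Arguments: $1 - TCP port to look for (optional, default 4118)
# Returns:   0 (true) when no rule mentions "dpt:<port>", 1 when one does
# Notes:     "iptables -nL" lists only the filter table and needs the
#            privilege to read rules; if the command fails, nothing is
#            matched and the port is reported as filtered, which is the
#            conservative answer for a firewall check.
#######################################
tcp_port_4118_filtered()
{
   local port=${1:-4118}
   # -w: the match must end at a word boundary, so "dpt:4118" no longer
   #     matches a rule for dpt:41180 (a plain substring match did).
   # -F: the port is matched literally, not as a regular expression.
   # "!" inverts grep's status: found -> 1, not found or error -> 0.
   ! iptables -nL | grep -qwF -- "dpt:${port}"
}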

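#######################################
# Check if the machine MAY still be booting, judged by system uptime.
# Arguments: $1 - file in /proc/uptime format (optional, default
#                 /proc/uptime); its first field is seconds since boot
# Globals:   BOOTING_TIME (read; 10 is used if it is unset)
# Outputs:   "1" when uptime <= BOOTING_TIME seconds or the uptime cannot be
#            read, "0" when the host has been up longer than that
# Side effects: logs "System is booting" via logger when reporting 1
#######################################
isBooting()
{
   local uptime_file=${1:-/proc/uptime}
   local secs
   # First field is uptime with a fractional part; the second (idle time)
   # is discarded. stderr is redirected before the input redirection so a
   # missing file does not print an error; secs then stays empty.
   read -r secs _ 2>/dev/null < "$uptime_file"
   secs=${secs%.*}
   # A missing or non-numeric value is treated as "still booting" - the
   # conservative answer, and the same outcome the old unquoted test gave.
   if [[ "$secs" =~ ^[0-9]+$ ]] && (( secs > ${BOOTING_TIME:-10} )); then
      echo 0
   else
      logger -t dsa_common "System is booting"
      echo 1
   fi
}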

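#######################################
# Check whether the iptables (IPv4) or ip6tables filter-table kernel module
# is currently loaded.
# Outputs: "1" when lsmod lists iptable_filter or ip6table_filter,
#          "0" otherwise (also when lsmod is unavailable or fails)
# Note:    only the legacy xtables modules are checked; a firewall built on
#          the nf_tables backend does not necessarily load them, so "0"
#          does not prove that no packet filtering is in place.
#######################################
isIptablesModuleLoaded()
{
   # Branch on grep's own status rather than "$? -eq 1": the old test mapped
   # grep's error exit (2) to "loaded", turning a failed probe into a
   # false positive. -E 'ip6?...' is the portable form of the BRE '\?'.
   if lsmod 2>/dev/null | grep -qE 'ip6?table_filter'; then
      echo 1
   else
      echo 0
   fi
}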

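#######################################
# Check whether the SysV iptables service reports rules on
# RHEL/Oracle/Cloud/CentOS 6 and earlier.
# Outputs: "1" when the status listing of INPUT, OUTPUT or FORWARD has more
#          than one line, "0" when each listing is at most one line (e.g. a
#          single "not running" message) or the service command fails
#######################################
isIptablesOn()
{
   local chain lines
   for chain in INPUT OUTPUT FORWARD; do
      lines=$( service iptables status "$chain" | wc -l )
      # More than one line means the listing holds content beyond a header
      # or a "not running" message; one hit is enough for the verdict.
      if (( lines > 1 )); then
         echo 1
         return
      fi
   done
   echo 0
}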

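#######################################
# Check whether the firewalld systemd unit is loaded and active.
# Only meaningful on RHEL/CentOS/Oracle/Cloud 7 and later (systemd hosts).
# Outputs: "1" when "systemctl status firewalld" shows "Loaded: loaded" and
#          "Active: active", "0" otherwise (including when systemctl is
#          absent or the unit is not found)
#######################################
isfirewalldActive()
{
   local status_out loaded_state active_state
   # One systemctl call instead of two; both fields are parsed from it.
   status_out=$(systemctl status firewalld)
   # Keep the first six characters of the word after the label so that
   # "loaded"/"active" match while "not-found", "inactive" or "activating"
   # do not; only the first matching line is considered.
   loaded_state=$(awk '/Loaded/ {print substr($2, 1, 6); exit}' <<<"$status_out")
   active_state=$(awk '/Active/ {print substr($2, 1, 6); exit}' <<<"$status_out")
   if [[ "$loaded_state" == "loaded" && "$active_state" == "active" ]]; then
      echo 1
   else
      echo 0
   fi
}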

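#######################################
# Check whether ufw (Ubuntu) reports itself active.
# Outputs: "1" when the first line of "ufw status" reads "Status: active",
#          "0" otherwise (including when ufw is absent or fails)
# Note:    when not running as root this goes through sudo, which may
#          prompt for a password and block a non-interactive caller.
#######################################
isUFWActive()
{
   local ufw_state
   if (( EUID == 0 )); then
      # Already root: query ufw directly instead of via sudo.
      ufw_state=$(ufw status | awk 'NR==1 {print $2}')
   else
      ufw_state=$(sudo ufw status | awk 'NR==1 {print $2}')
   fi
   if [[ "$ufw_state" == "active" ]]; then
      echo 1
   else
      echo 0
   fi
}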

#######################################
# Report whether a host firewall is enabled on this machine.
# Detects the distribution from the /etc/*-release files and its major
# version, then runs the probe that fits it:
#   SuSE                 -> /sbin/rcSuSEfirewall2 status
#   RHEL-family, ver 7+  -> isfirewalldActive
#   Ubuntu               -> isUFWActive
#   Debian               -> ufw status, else presence of /proc/net/ip_tables_names
#   anything else        -> chkconfig (while booting) or isIptablesOn,
#                           i.e. the RHEL-family 6 and earlier path
# Globals:   BOOTING_TIME is read indirectly via isBooting. Nothing here is
#            declared local, so is*, majorVer, majorVer_i and the various
#            *_status / *_ON variables are left behind as globals.
# Outputs:   "1" when a firewall is enabled, "0" otherwise
# Returns:   0 - the verdict is on stdout, not in the exit status
#######################################
checkFirewallEnabled() 
{
   isCentOS=0;
   isRHEL=0;
   isSuSE=0;
   isUbuntu=0;
   isOracle=0;
   isDebian=0;
   isCloud=0;

   ip4fireWallEnabled=0;
   ip6fireWallEnabled=0;

   majorVer=0;
        
   # Distribution detection: the first matching release file wins. The
   # CentOS/Oracle/Cloud checks come before the plain redhat-release check
   # because those distributions ship /etc/redhat-release as well.
   if [ -f /etc/SuSE-release ]; then
      isSuSE=1;
      # "VERSION = 12" -> third field is the version.
      majorVer=$(cat /etc/SuSE-release | grep -e "VERSION =" | awk {'print $3'});

   elif [ -f /etc/centos-release ] && [ -f /etc/redhat-release ]; then
      isCentOS=1;
      # Version of whichever package provides redhat-release.
      majorVer=$(rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release));

   elif [ -f /etc/oracle-release ] && [ -f /etc/redhat-release ]; then
      isOracle=1;
      majorVer=$(rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides oraclelinux-release));

   elif [ -f /etc/cloudlinux-release ] && [ -f /etc/redhat-release ]; then
      isCloud=1;
      majorVer=$(rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides cloudlinux-release));

   elif [ -f /etc/redhat-release ]; then
      # Older CentOS without /etc/centos-release: first word of the line
      # mentioning CentOS, truncated to six characters.
      CentOS_tag=$(cat /etc/redhat-release | grep -e "CentOS" | awk {'print $1'} |cut -c -6 ) 
      if [ "$CentOS_tag" == "CentOS" ]; then
         isCentOS=1;
      else
         isRHEL=1;
      fi                
      majorVer=$(rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release));

   elif [ -f /etc/debian_version ] || [ -f /etc/debian_release ]; then
      if [ -f /etc/lsb-release ]; then
             isUbuntu=1;
             # Reads every /etc/*-release file. Note the pattern "=*" is a
             # regex (zero or more "="), so any line containing
             # DISTRIB_DESCRIPTION matches; $2 of e.g.
             # DISTRIB_DESCRIPTION="Ubuntu 20.04 LTS" is "20.04", cut to "20".
             majorVer=$(cat /etc/*-release | grep -e "DISTRIB_DESCRIPTION=*" | awk {'print $2'}|cut -f1 -d".");
      else
             isDebian=1
      fi
   fi

   # validate version: optional sign, digits, optional decimal part.
   # Anything else (empty output, rpm errors) is reset to 0 = unknown.
   if [[ ! "$majorVer" =~ ^-?[0-9]+[.]?[0-9]*$ ]]; then
      majorVer=0
   fi
   # Integer form for the -ge comparisons below. For a value such as "12.3"
   # bash printf warns (hidden by 2>/dev/null) and in practice still assigns
   # the integer prefix - NOTE(review): confirm on the target bash version.
   printf -v majorVer_i '%d' "$majorVer" 2>/dev/null
  
   if [ $isSuSE -eq 1 ]; then

      susefw2_active=0
      if [ $majorVer_i -ge 12 ]; then

         # SLE 12+: systemd-style output, "Active: active (...)" cut to six chars.
         susefw2_status=$( /sbin/rcSuSEfirewall2 status | grep -e "Active:" | awk {'print $2'} | cut -c -6 )
         if [ "$susefw2_status" == "active" ]; then
            susefw2_active=1
         fi 

      else
         # Older SLE: the whole status text ends in "running" when active
         # (glob: at least one character followed by "running").
         susefw2_status=$( /sbin/rcSuSEfirewall2 status )
         if [[ $susefw2_status == *?"running" ]]; then
             susefw2_active=1
         fi
      fi

      echo $susefw2_active
      return

   # "-o" inside [ ] is the deprecated/ambiguous form (ShellCheck SC2166);
   # kept as is. A RHEL-family host with majorVer_i < 7 falls through to
   # the chkconfig/service logic at the bottom.
   elif [ $isRHEL -eq 1 -o $isCentOS -eq 1 -o $isOracle -eq 1 -o $isCloud -eq 1 ] && [ $majorVer_i -ge 7 ]; then
      #RHEL7+ or CentOS7+ or Oracle 7+ or Cloud 7+
      echo $(isfirewalldActive)
      return

   elif [ $isUbuntu -eq 1 ]; then
      echo $(isUFWActive)
      return

    elif [ $isDebian -eq 1 ]; then
       # debian
       if [  -f /usr/sbin/ufw ]; then
          # "Status: inactive" -> second field cut to six chars = "inacti".
          # Unlike isUFWActive, ufw is called here without sudo; the
          # 2>/dev/null applies to cut only, not to ufw.
          ufw_status=$(ufw status | awk {'print $2'} | cut -c-6 2>/dev/null)
          if [ "$ufw_status" == "inacti" ]; then
             echo 0
             return
          fi
       fi

       # ufw is active or may not exist
       # NOTE(review): this file presumably exists whenever the ip_tables
       # module is loaded, regardless of whether any rule is installed, so
       # it is a weak indicator of an enabled firewall.
       if [ -f /proc/net/ip_tables_names ]; then
          echo 1;
       else
          echo 0;
       fi
       return
    fi

    # RHEL/CentOS/Cloud/Oracle6- 
    booting=$(isBooting)
    # check if booting
    if [ $booting -eq 1 ]; then
      # iptable service may not be stable yet, check startup configuration 
      # chkconfig --list prints "iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off";
      # fields 4, 5 and 7 are runlevels 2, 3 and 5, and "cut -f2 -d:" keeps
      # the on/off part. The firewall counts as enabled only if all three
      # runlevels are "on".
      ipTables2_ON=$(chkconfig --list iptables| awk {'print $4'} | cut -f2 -d":");
      ipTables3_ON=$(chkconfig --list iptables| awk {'print $5'} | cut -f2 -d":");
      ipTables5_ON=$(chkconfig --list iptables| awk {'print $7'} | cut -f2 -d":");
      if [ "$ipTables2_ON" == "on" ] && [ "$ipTables3_ON" == "on" ] && [ "$ipTables5_ON" == "on" ] ; then
         ip4fireWallEnabled=1;
      fi

      # Same check for the IPv6 service.
      ip6tables2_ON=$(chkconfig --list ip6tables| awk {'print $4'} | cut -f2 -d":");
      ip6tables3_ON=$(chkconfig --list ip6tables| awk {'print $5'} | cut -f2 -d":");
      ip6tables5_ON=$(chkconfig --list ip6tables| awk {'print $7'} | cut -f2 -d":");
      if [ "$ip6tables2_ON" == "on" ] && [ "$ip6tables3_ON" == "on" ] && [ "$ip6tables5_ON" == "on" ] ; then
              ip6fireWallEnabled=1;
      fi

      # Either address family configured to start counts as enabled.
      if [ $ip4fireWallEnabled -eq 1 -o $ip6fireWallEnabled -eq 1 ] ; then
              echo 1
      else
              echo 0
      fi
    
    else
      # System is up: trust the live service status instead of chkconfig.
      echo $(isIptablesOn)
    fi
}
