#!/bin/bash
#
# Firewall rules check for vz7 nodes
# Refactored to add logging - BFENG-551

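# Log file that receives every non-OK result together with the captured
# iptables output.
LOGFILE="/var/log/check_fw.log"

# Scratch file for iptables output. mktemp creates it with an unpredictable
# name. Stop here if it cannot be created: every later step reads or writes
# this file, and an empty path would make the checks below run on no data.
# Exit status 3 is UNKNOWN in the Nagios plugin return-code convention.
if ! TMPFILE=$(mktemp /tmp/check_fw.XXXXXX); then
  echo "check_fw - Unable to create temporary file"
  exit 3
fi

# Remove the scratch file on every exit path, including the ones that do not
# reach an explicit rm. rm -f keeps this harmless when the file is already
# gone, and an EXIT trap does not alter the script's exit status.
trap 'rm -f -- "$TMPFILE"' EXIT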

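#######################################
# Record a message in the log file and print it on stdout.
# Globals:   LOGFILE (read) - file the entry is appended to
# Arguments: $1 - message text
# Outputs:   the message on stdout; a timestamp line followed by the
#            message line appended to LOGFILE
#######################################
_LOG() {
  local msg=$1
  # printf rather than echo: a message that starts with "-" or contains a
  # backslash is written verbatim instead of being read as an echo option
  # or escape sequence.
  printf '%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" >> "$LOGFILE"
  printf '%s\n' "$msg" | tee -a "$LOGFILE"
}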

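# Capture the rule-spec lines that mention INPUT, DROP or REJECT as whole
# words. The file is kept so it can be appended to the log on failure.
# NOTE(review): the pipeline's status is grep's, so when iptables itself
# cannot run the capture is empty and the script reports the
# "no default DROP policy" CRITICAL below rather than a distinct error.
/sbin/iptables -S | grep -wE 'INPUT|DROP|REJECT' >> "$TMPFILE"

IPT=$(cat "$TMPFILE")

# Lines containing "INPUT DROP", i.e. the INPUT chain's default policy.
IDRP=$(grep -c 'INPUT DROP' <<< "$IPT")

# DROP occurrences on every other line. The INPUT policy line is left out of
# this count: it always contains the word DROP, so counting it made the
# "DROP/REJECT rules are missing" branch below impossible to reach once the
# policy check had passed.
DRP=$(grep -v 'INPUT DROP' <<< "$IPT" | grep -c DROP)
REJ=$(grep -c REJECT <<< "$IPT")

if [ "$IDRP" -eq 0 ]; then
  # No default-deny policy on INPUT: CRITICAL (exit 2).
  _LOG "check_fw - Iptables firewall has no default DROP policy!"
  cat "$TMPFILE" >> "$LOGFILE"
  rm -f -- "$TMPFILE"
  exit 2
elif [ "$DRP" -eq 0 ] && [ "$REJ" -eq 0 ]; then
  # Policy is present but nothing else drops or rejects traffic: CRITICAL.
  _LOG "check_fw - Iptables firewall DROP/REJECT rules are missing!"
  cat "$TMPFILE" >> "$LOGFILE"
  rm -f -- "$TMPFILE"
  exit 2
fi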

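# Write one chain name per line to the scratch file. Only header lines
# ("Chain NAME (...)") are used; anchoring the match keeps a rule line that
# happens to contain the word "Chain" from being read as a chain name.
/sbin/iptables -nvL | awk '/^Chain /{print $2}' > "$TMPFILE"

# Number of chains that were actually inspected.
CHECKED=0

while IFS= read -r CHAIN; do
  # Chains that are allowed to be empty and are therefore not inspected.
  # Add a pattern here for any other chain that is legitimately empty.
  case "$CHAIN" in
    FORWARD | OUTPUT* | LOG_* | SOLUS* | *LIBVIRT*) continue ;;
  esac

  # iptables -S prints one header line (-P or -N) before the rules, so the
  # rule count is the line count minus one.
  CNT=$(( $(/sbin/iptables -S "$CHAIN" | wc -l) - 1 ))

  # -le rather than -eq: if iptables -S produced no output at all the count
  # is -1, which must not be treated as "rules present".
  if [ "$CNT" -le 0 ]; then
    _LOG "check_fw - Iptables firewall rules are missing!"
    cat "$TMPFILE" >> "$LOGFILE"
    rm -f -- "$TMPFILE"
    exit 2
  fi

  CHECKED=$(( CHECKED + 1 ))
done < "$TMPFILE"

# The verdict is given only after every chain has been inspected. Returning
# OK from inside the loop would stop at the first chain that has rules and
# leave the remaining chains, and the exclusion list, without effect.
if [ "$CHECKED" -eq 0 ]; then
  # Nothing could be inspected, so OK cannot be claimed. Exit status 3 is
  # UNKNOWN in the Nagios plugin return-code convention.
  _LOG "check_fw - Unable to inspect any iptables chain!"
  rm -f -- "$TMPFILE"
  exit 3
fi

echo "check_fw - Iptables firewall is OK"
rm -f -- "$TMPFILE"
exit 0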