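#!/bin/bash
# Baseline host firewall for the domain-management client (dcmc-guard).
#
# Resets the INPUT/OUTPUT chains of the IPv4 and IPv6 filter tables to a
# default-DROP policy, re-adds the minimal allow rules the client needs, and
# persists the result to /etc/iptables/rules.v4 and rules.v6.
#
# Requires root. Diagnostics go to stderr. The exit status is non-zero when
# the rules directory or either persisted rules file could not be written.
#
# Scope notes for reviewers:
#   * Only INPUT and OUTPUT of the filter table are touched; FORWARD and
#     other tables keep whatever state they already have.
#   * IPv6 is closed completely, including loopback, because no IPv6 allow
#     rules are added. Confirm no local IPv6-only service is needed.
#   * Several UDP allow rules match on port numbers only, without conntrack
#     state; see the comments next to them.
set -u
set -x

if [[ "${EUID}" -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

readonly RULES_DIR=/etc/iptables
readonly RULES_V4="${RULES_DIR}/rules.v4"
readonly RULES_V6="${RULES_DIR}/rules.v6"

# TCP port on the domain-management server that the client must reach.
readonly DEFAULT_ALLOW_ACCESS_TCP_PORT="443"
# Domain-management server addresses. The hostname form
# (DEFAULT_ALLOW_ACCESS_SERVER_ADDRESS="platform-udcp.uos.icbc") made rule
# loading slow, so fixed IP ranges are used instead. iptables expands a
# comma-separated -s/-d list into one rule per address.
readonly DEFAULT_ALLOW_ACCESS_SERVER_ADDRESS="84.0.0.0/8,76.0.0.0/8,10.0.35.0/24,122.0.0.0/8"

# Drop any previously persisted rule files before rebuilding them.
if [[ -f "${RULES_V4}" ]]; then
  rm -- "${RULES_V4}"
fi
if [[ -f "${RULES_V6}" ]]; then
  rm -- "${RULES_V6}"
fi

# IPv6: flush INPUT/OUTPUT and close both directions. No allow rules follow,
# so all IPv6 traffic, including loopback, is dropped.
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP

# IPv4: flush INPUT/OUTPUT and default to DROP, then insert allow rules.
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Loopback. Matching the lo interface as well as the address means a packet
# that merely claims a 127.0.0.1 source on a real interface is not accepted.
iptables -I INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# UDP 33434-33524 is the port range traceroute probes use; ICMP port-unreachable
# (3/3) is accepted inbound and time-exceeded (11) outbound.
# NOTE(review): the INPUT UDP rule accepts NEW packets from any host purely on
# source port, so it is not limited to replies to this host's own probes.
# Restricting it to ESTABLISHED,RELATED would be tighter; confirm with the
# owner before narrowing, since the original deliberately allowed NEW.
iptables -I INPUT -p udp --sport 33434:33524 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -p udp --dport 33434:33524 -m state --state NEW -j ACCEPT
iptables -I INPUT -p icmp --icmp-type 3/3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -p icmp --icmp-type 11 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# UDP services: DNS (53), DHCP (67/68), NTP (123) and ports 50001/50010
# (purpose not documented here).
# NOTE(review): these rules match on port number only, with no conntrack
# state, so any inbound UDP packet whose *source* port is one of these is
# accepted whatever its destination port. DHCP legitimately needs stateless
# inbound 67/68; the remaining ports could be narrowed to ESTABLISHED replies.
iptables -I INPUT -p udp -m multiport --sport 53,67,68,123,50001,50010 -j ACCEPT
iptables -I OUTPUT -p udp -m multiport --dport 53,67,68,123,50001,50010 -j ACCEPT

# --- Mandatory baseline that the dcmc-guard system process appends before it
# --- applies the default or scenario-specific firewall.
# The loopback and UDP rules of this section are identical to the ones above
# and are therefore applied only once.

# Allow ping to the domain-management server so the client can detect whether
# it is online. The dde-session-shell lock-screen login uses this reachability
# check to decide whether to show the verification-code field.
iptables -I INPUT -s "${DEFAULT_ALLOW_ACCESS_SERVER_ADDRESS}" -p icmp --icmp-type 0 -j ACCEPT
iptables -I OUTPUT -d "${DEFAULT_ALLOW_ACCESS_SERVER_ADDRESS}" -p icmp --icmp-type 8 -j ACCEPT

# Only the required TCP port to the server. Return traffic is matched on the
# server's source port; this script has no general ESTABLISHED,RELATED rule.
iptables -I INPUT -s "${DEFAULT_ALLOW_ACCESS_SERVER_ADDRESS}" -p tcp -m multiport --source-port "${DEFAULT_ALLOW_ACCESS_TCP_PORT}" -j ACCEPT
iptables -I OUTPUT -d "${DEFAULT_ALLOW_ACCESS_SERVER_ADDRESS}" -p tcp -m multiport --destination-port "${DEFAULT_ALLOW_ACCESS_TCP_PORT}" -j ACCEPT

# 11.22.33.44 on TCP 80 is required for portal (captive) network authentication.
iptables -I INPUT -s 11.22.33.44 -p tcp -m multiport --source-port 80 -j ACCEPT
iptables -I OUTPUT -d 11.22.33.44 -p tcp -m multiport --destination-port 80 -j ACCEPT

# Persist the filter tables. A failure for one family is reported but does
# not prevent the other from being saved; the exit status records any failure.
rv=0
mkdir -p -- "${RULES_DIR}" || rv=$?
iptables-save -t filter >"${RULES_V4}" \
  || { printf 'failed to save IPv4 rules to %s\n' "${RULES_V4}" >&2; rv=1; }
ip6tables-save -t filter >"${RULES_V6}" \
  || { printf 'failed to save IPv6 rules to %s\n' "${RULES_V6}" >&2; rv=1; }
exit "${rv}"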
