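#! /bin/bash
# Reconfigure iptables for Elasticsearch (ES).
#
# Rebuilds the ES-RULES chain so that TCP ports 9200/9300 accept traffic only
# from the active servers listed in the database (plus localhost) and drop
# everything else.  Legacy chains from older formats (M2-ES, MOR-ES) are
# removed if present.
#
# Requires the k_framework helpers (k_start, k_config_details, report, k_exit)
# and the DB_* variables they load.  Set TEST=1 to log the commands that would
# change firewall/file state instead of executing them.
#
# NOTE(review): 'set -euo pipefail' is deliberately not enabled here because
# the sourced framework's behaviour under -e/-u is not visible from this file;
# TODO confirm and enable once the framework is known to tolerate it.
. /usr/src/k_framework/main.sh

# ---- VARS -----
VERSION="1.0.1"
SCRIPT_NAME="Reconfigure iptables for ES"
TEST=0                                  # 1 - log changes instead of applying them
readonly ES_PORTS="9200,9300"           # ES HTTP and transport ports guarded by the chain
readonly ES_CHAIN="ES-RULES"            # chain name in the current format
readonly OLD_CHAINS=("M2-ES" "MOR-ES")  # legacy chain names (M2/M4 and MOR formats)

# ---- FUNCTIONS -----

#######################################
# Run a state-changing command, or only log it when TEST=1.
# Globals:   TEST (read)
# Arguments: the command and its arguments
# Outputs:   in TEST mode, the command line via report()
# Returns:   the command's exit status (0 in TEST mode)
#######################################
run() {
  if [[ "$TEST" == "1" ]]; then
    report "TEST: would run: $*" 3
    return 0
  fi
  "$@"
}

#######################################
# Accept only IPv4 literals (optionally with a /prefix) so that no value from
# the database can reach iptables as something it would resolve as a hostname.
# Arguments: $1 - candidate address
# Returns:   0 if acceptable, 1 otherwise
#######################################
is_ipv4_literal() {
  local ip=$1 octet
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(/[0-9]{1,2})?$'
  [[ "$ip" =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    # 10# forces decimal so a leading zero is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Flush a chain, delete every INPUT rule jumping to it (highest line number
# first so the remaining numbers stay valid) and delete the chain.
# Does nothing when the chain does not exist.
# Arguments: $1 - chain name
# Returns:   0
#######################################
remove_chain() {
  local chain=$1
  local -a refs=()
  local i
  # -L on a missing chain fails, which is a more exact existence test than
  # grepping the full listing for a substring.
  iptables -n -L "$chain" >/dev/null 2>&1 || return 0
  run iptables -F "$chain"
  # Column 2 of 'iptables -n -L INPUT --line-numbers' is the rule target; an
  # exact match avoids catching rules whose target merely contains $chain.
  mapfile -t refs < <(iptables -n -L INPUT --line-numbers | awk -v c="$chain" '$2 == c {print $1}')
  for (( i = ${#refs[@]} - 1; i >= 0; i-- )); do
    run iptables -D INPUT "${refs[i]}"
  done
  run iptables -X "$chain"
  return 0
}

# ---- MAIN -----
k_start
k_config_details

if [[ "$TEST" == "1" ]]; then
  report "***** TEST MODE ON. Changes will not be applied *****" 8
fi

# Public and local IPs of all active servers.  The password is passed through
# the environment rather than argv so it does not show up in 'ps'.
# Abort on a failed query: the original silently fell back to "localhost only",
# which would have cut every node off from ES after a DB outage.
if ! db_output=$(MYSQL_PWD="$DB_PASSWORD" /usr/bin/mysql -h "$DB_HOST" -u "$DB_USERNAME" "$DB_NAME" --silent -e \
  "(SELECT server_ip FROM servers WHERE active = 1 AND server_ip IS NOT NULL AND LENGTH(server_ip) > 6 AND server_ip != '127.0.0.1') UNION (SELECT local_ip FROM servers WHERE active = 1 AND local_ip IS NOT NULL AND LENGTH(local_ip) > 6 AND local_ip != '127.0.0.1');"); then
  report "Could not read server IPs from the database; iptables left unchanged" 8
  EXIT_CODE=1
  k_exit $EXIT_CODE
fi
# 'grep -v value' is kept from the original; presumably it drops a
# header/placeholder row — confirm against the DB contents.
mapfile -t db_rows < <(grep -v value <<<"$db_output")

# Build the comma-separated source list; localhost is always allowed.
allowed=("127.0.0.1")
for ip in "${db_rows[@]}"; do
  [[ -z "$ip" ]] && continue
  if is_ipv4_literal "$ip"; then
    allowed+=("$ip")
  else
    # same report level as the TEST-mode warning above — confirm severity
    # semantics against k_framework's report()
    report "Ignoring non-IPv4 value from the servers table: $ip" 8
  fi
done
ipstring=$(IFS=,; printf '%s' "${allowed[*]}")
if (( ${#allowed[@]} == 1 )); then
  report "No valid server IPs found; only localhost will reach ES" 8
fi

report "ES access will be allowed to: $ipstring" 3

# ----------------- 
# Drop any previous rule set, legacy chain names first, then the current one.
for chain in "${OLD_CHAINS[@]}" "$ES_CHAIN"; do
  remove_chain "$chain"
done

# Create the new chain: accept the listed sources, drop everyone else on the
# ES ports, and route ES-port traffic from INPUT through it.
run iptables -N "$ES_CHAIN"
run iptables -A "$ES_CHAIN" -s "$ipstring" -j ACCEPT
run iptables -A "$ES_CHAIN" -p tcp -m multiport --dports "$ES_PORTS" -j DROP
run iptables -I INPUT -p tcp -m multiport --dports "$ES_PORTS" -j "$ES_CHAIN"

# Keep a timestamped copy of the saved rule set before overwriting it.
run cp -a /etc/sysconfig/iptables "/etc/sysconfig/iptables.$(date +%F_%R)"
if [[ "$TEST" == "1" ]]; then
  report "TEST: would run: service iptables save" 3
else
  service iptables save >/dev/null 2>&1
fi

# shellcheck disable=SC2086 -- EXIT_CODE is the framework's global; left
# unquoted as in the original so an unset value passes no argument.
k_exit $EXIT_CODE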