#!/bin/bash
# info: add firewall blocking rule
# options: IP CHAIN
#
# example: v-add-firewall-ban 37.120.129.20 MAIL
#
# This function adds new blocking rule to system firewall

#----------------------------------------------------------#
#                Variables & Functions                     #
#----------------------------------------------------------#

# Argument definition
ip=$1
chain=$(echo $2 | tr '[:lower:]' '[:upper:]')

# Defining absolute path for iptables and modprobe
iptables="/sbin/iptables"

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# shellcheck source=/usr/local/hestia/func/firewall.sh
source $HESTIA/func/firewall.sh
# load config file
source_conf "$HESTIA/conf/hestia.conf"

#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

check_args '2' "$#" 'IP CHAIN'
is_format_valid 'ip' 'chain'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Self heal iptables links
heal_iptables_links

# Checking server ip
if [ -e "$HESTIA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
	exit
fi

# Checking ip exclusions
excludes="$HESTIA/data/firewall/excludes.conf"
check_excludes=$(grep "^$ip$" $excludes 2> /dev/null)
if [ -n "$check_excludes" ]; then
	exit
fi

# Checking ip in banlist
conf="$HESTIA/data/firewall/banlist.conf"
check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2> /dev/null)
if [ -n "$check_ip" ]; then
	exit
fi

# Adding chain
$BIN/v-add-firewall-chain $chain

# Generating timestamp
time_n_date=$(date +'%T %F')
time=$(echo "$time_n_date" | cut -f 1 -d \ )
date=$(echo "$time_n_date" | cut -f 2 -d \ )

# Adding ip to banlist
echo "IP='$ip' CHAIN='$chain' TIME='$time' DATE='$date'" >> $conf
$iptables -I fail2ban-$chain 1 -s $ip \
	-j REJECT --reject-with icmp-port-unreachable 2> /dev/null

# Changing permissions
chmod 660 $conf

#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

# Logging
$BIN/v-log-action "system" "Warning" "Firewall" "Banned IP address $ip."
log_event "$OK" "$ARGUMENTS"

exit