From 921967d5f94b77e1ffbc307e3fd165272e139f31 Mon Sep 17 00:00:00 2001
From: Conrad Lara - KG6JEI
Date: Sat, 16 Jan 2016 19:55:20 -0800
Subject: [PATCH] Revert "bugfix: resolve bad chain ref and port from hotplug to a firewall include"
This reverts commit 646702aab92ea75b8be1b11298ac15d261e8ab33. Needs to be broken up into separate commits and doesn't cleanly fix issue with tunnel firewall
---
 files/etc/local/mesh-firewall/01-tunnels | 84 ++++++++++++++----------
 1 file changed, 50 insertions(+), 34 deletions(-)
diff --git a/files/etc/local/mesh-firewall/01-tunnels b/files/etc/local/mesh-firewall/01-tunnels
index 8af435fc..a9be0754 100755
--- a/files/etc/local/mesh-firewall/01-tunnels
+++ b/files/etc/local/mesh-firewall/01-tunnels
@@ -1,9 +1,11 @@
 #!/bin/sh
 <<'LICENSE'
 Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
- Copyright (C) 2015 Conrad Lara and Joe Ayers
+ Copyright (C) 2015 Conrad Lara
 See Contributors file for additional contributors
+ Copyright (c) 2013 David Rivenburg et al. BroadBand-HamNet
+
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation version 3 of the License.
@@ -37,38 +39,52 @@ if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then exit 0; fi
-echo "Adding vtun firewall rules..."
-iptables -N zone_vpn_input
-iptables -N zone_vpn_ACCEPT
-iptables -N zone_vpn_DROP
-iptables -N zone_vpn_REJECT
-iptables -N zone_vpn_forward
-iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
-iptables -I delegate_input 3 -i tun+ -j zone_vpn_input
-iptables -I delegate_output 3 -j zone_vpn_ACCEPT
-iptables -A zone_vpn_input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-iptables -A zone_vpn_input -p tcp -m tcp --dport 2222 -j ACCEPT
-iptables -A zone_vpn_input -p tcp -m tcp --dport 8080 -j ACCEPT
-iptables -A zone_vpn_input -p udp -m udp --dport 698 -j ACCEPT
-iptables -A zone_vpn_input -p tcp -m tcp --dport 1978 -j ACCEPT
-iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT
-iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT
-iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
-iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
-iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
-iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
-if [ "$MESHFW_MESHGW" == "1" ] ; then
- iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT
+# Test for pre-existing firewall rules which use a wildcard and only need setup 1 time for multiple tunnel connections
+if ( $(iptables -L forwarding_vpn | egrep "^Chain forwarding_vpn \(.+ references\)" > /dev/null) ) then
+ rules_exist=1
 else
- iptables -I zone_vpn_forward -j zone_wan_dest_REJECT
+ rules_exist=0
+fi
+
+# Do nothing on firewall if tunnels already (or still) exist--set up once.
+if [ $rules_exist -eq 0 ] ; then
+ echo "Adding vtun firewall rules..."
+ iptables -N forwarding_vpn
+ iptables -N input_vpn
+ iptables -N zone_vpn
+ iptables -N zone_vpn_ACCEPT
+ iptables -N zone_vpn_DROP
+ iptables -N zone_vpn_REJECT
+ iptables -N zone_vpn_forward
+ iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
+ iptables -I delegate_input 3 -i tun+ -j zone_vpn
+ iptables -I delegate_output 3 -j zone_vpn_ACCEPT
+ iptables -A zone_vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
+ iptables -A zone_vpn -p tcp -m tcp --dport 2222 -j ACCEPT
+ iptables -A zone_vpn -p tcp -m tcp --dport 8080 -j ACCEPT
+ iptables -A zone_vpn -p udp -m udp --dport 698 -j ACCEPT
+ iptables -A zone_vpn -p tcp -m tcp --dport 1978 -j ACCEPT
+ iptables -A zone_vpn -p tcp -m tcp --dport 23 -j ACCEPT
+ iptables -A zone_vpn -p tcp -m tcp --dport 9090 -j ACCEPT
+ iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
+ iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
+ iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
+ iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
+ if [ "$MESHFW_MESHGW" -eq 1 ] ; then
+ iptables -I zone_vpn_forward -j zone_wan_ACCEPT
+ else
+ iptables -I zone_vpn_forward -j zone_wan_REJECT
+ fi
+ iptables -A zone_vpn -j input_vpn
+ iptables -A zone_vpn -j zone_vpn_ACCEPT
+ iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
+ iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
+ iptables -A zone_vpn_DROP -o tun+ -j DROP
+ iptables -A zone_vpn_DROP -i tun+ -j DROP
+ iptables -A zone_vpn_REJECT -o tun+ -j reject
+ iptables -A zone_vpn_REJECT -i tun+ -j reject
+ iptables -A zone_vpn_forward -j zone_dtdlink_ACCEPT
+ iptables -A zone_vpn_forward -j zone_lan_ACCEPT
+ iptables -A zone_vpn_forward -j zone_wifi_ACCEPT
+ iptables -A zone_vpn_forward -j forwarding_vpn
 fi
-iptables -A zone_vpn_input -j zone_vpn_ACCEPT
-iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
-iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
-iptables -A zone_vpn_DROP -o tun+ -j DROP
-iptables -A zone_vpn_DROP -i tun+ -j DROP
-iptables -A zone_vpn_REJECT -o tun+ -j reject
-iptables -A zone_vpn_REJECT -i tun+ -j reject
-iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT
-iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT
-iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT
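Review bot: The chain-existence test at the top of the new code, `if ( $(iptables -L forwarding_vpn | egrep "^Chain forwarding_vpn \(.+ references\)" > /dev/null) ) then`, appears to work only because a command substitution that expands to no words passes its exit status to the empty command, and `iptables -L` without `-n` does reverse-DNS lookups and still prints the "No chain/target/match" error to stderr whenever the chain is absent; `if iptables -n -L forwarding_vpn >/dev/null 2>&1; then` tests the same condition directly. None of the iptables calls inside the `rules_exist -eq 0` branch is checked and the script has no `set -e`, so a single failed `-N` or `-A` (the commit message itself says the tunnel firewall issue is not cleanly fixed) leaves a partial ruleset that the existence test then treats as complete on every later run; at minimum the branch should `exit 1` when a rule fails so the caller can see it. `[ "$MESHFW_MESHGW" -eq 1 ]` raises a `[` error when the variable is empty before falling through to `zone_wan_REJECT`; `[ "${MESHFW_MESHGW:-0}" -eq 1 ]` keeps that fail-closed default without the noise. Worth a comment in the `zone_vpn` block: its last rule `-j zone_vpn_ACCEPT` accepts everything arriving on `tun+`, so the per-port ACCEPT rules above it never decide anything — if the intent is to admit only the listed services from tunnels that final jump defeats it, and if tunnels are meant to be fully trusted say so, e.g. `# tun+ is treated as a trusted mesh link: the final jump to zone_vpn_ACCEPT admits all inbound traffic; the per-port rules above only list the services expected`.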