#!/bin/sh
# Firewall (iptables) fragment for the Samba Active Directory service.
# This file is a configuration template: directive lines (conditionals,
# loops, assignments) and template variables are evaluated at rendering
# time; every other line, these comments included, is emitted verbatim into
# the resulting shell script. Every rule below is an appended ACCEPT, so the
# order of the rules within this fragment does not change the match result.
%if %%getVar('activer_ad_smb', 'non') == 'oui'
%from IPy import IP, IPSet
# Catch-all network used as a fallback when a source list is empty.
# SECURITY: the fallback means "any source". Leaving ad_servers_ip or
# ad_clients_ip empty therefore opens every port below -- including the RPC
# dynamic ranges 1024:5000 and 49152:65535 -- to every address that can
# reach the interface. Populate both lists on any host exposed beyond the
# trusted LAN.
%set %%wide = IPSet([IP('0.0.0.0/0.0.0.0')])
# Peer AD servers: each address is combined with its own netmask.
# (ip.ad_servers_netmask presumably reads the per-entry netmask attached to
# the address in the configuration -- inferred from the name, not shown here.)
%set %%servers = IPSet([IP('{}/{}'.format(ip,ip.ad_servers_netmask)) for ip in %%getVar('ad_servers_ip', [])])
%if %%servers.len() == 0
%set %%servers = %%wide
%else
# Additional domain controllers are single hosts (no netmask). They are only
# merged when an explicit server list exists; with the "any" fallback they
# are already covered.
%set %%servers = %%servers + IPSet([IP(ip) for ip in %%getVar('ad_additional_dc_ip', [])])
%end if
# Client hosts or networks, with the same per-entry netmask scheme and the
# same "any" fallback when the list is empty.
%set %%clients = IPSet([IP('{}/{}'.format(ip,ip.ad_clients_netmask)) for ip in %%getVar('ad_clients_ip', [])])
%if %%clients.len() == 0
%set %%clients = %%wide
%end if
# Union of both sets; if either side fell back to "any", the union is "any".
%set %%servers_and_clients = %%clients + %%servers
# LDAP is additionally reachable from a dedicated list of LDAP clients; the
# servers and clients computed above are always part of this set.
%set %%ldap_clients = IPSet([IP('{}/{}'.format(ip, ip.ad_ldap_clients_netmask)) for ip in %%getVar('ad_ldap_clients_ip', [])]) + %%servers_and_clients

# Ports opened for peer servers and clients (servers_and_clients):
# on every role: 445 (SMB/CIFS), 135 (MSRPC endpoint mapper) and the RPC
# dynamic ranges 1024:5000 and 49152:65535 (TCP and UDP);
# on a domain controller only: 53 (DNS), 5353 (multicast DNS),
# 88 (Kerberos), 5722 (DFS Replication, optional for Samba) and
# 3268 / 3269 (Global Catalog).
# NOTE(review): no rule in this fragment opens 123 (NTP), although the
# earlier version of this list mentioned it -- confirm whether NTP is
# handled by another fragment before relying on it.

# Additional ports opened for clients only:
# 464 (kpasswd, TCP), plus NetBIOS 137 / 138 (UDP) and 139 (TCP) when
# autoriser_netbios_ports is 'oui'.

# Extended access for LDAP (ldap_clients):
# 389 (LDAP, UDP and TCP) and 636 (LDAPS, TCP).
# NOTE(review): 464 and 389 / 636 are opened whatever ad_server_role is,
# whereas the DNS / Kerberos / Global Catalog rules are limited to the
# domain controller role -- verify that member servers really need them.

# One rule set per network interface; eth<N>-root is the per-interface chain
# this fragment appends to. The TCP rules only match new connections (the
# explicit --tcp-flags FIN,SYN,RST,ACK SYN form is equivalent to --syn);
# established traffic is presumably accepted by a conntrack rule outside
# this fragment.
%for %%int_idx in %%range(0, %%int(%%nombre_interfaces))
%for %%ip in %%servers_and_clients
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 135 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp --syn -m multiport --dports 1024:5000 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m multiport --dports 1024:5000 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp --syn -m multiport --dports 49152:65535 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m multiport --dports 49152:65535 -j ACCEPT
%if %%getVar('ad_server_role', 'membre') == 'controleur de domaine'
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 53 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 5353 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 5353 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 88 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 88 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 5722 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 5722 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 3268 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 3269 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%end if
%end for
# Client-only ports (kpasswd, and NetBIOS when explicitly enabled).
%for %%ip in %%clients
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 464 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%if %%getVar('autoriser_netbios_ports', 'non') == 'oui'
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 137 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 138 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%end if
%end for
# LDAP / LDAPS for the extended LDAP client set.
%for %%ip in %%ldap_clients
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 389 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 636 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%end for
%end for
%end if
