#!/bin/sh
%from IPy import IP, IPSet
%# Source-network scoping for the Active Directory firewall rules emitted below.
%# With ad_filter_network == 'oui', two IPy IPSets are built from the Creole variables:
%#   peers        -> every ad_peer_ip entry with its own ad_peer_netmask
%#   ldap_clients -> every ad_ldap_clients_ip entry with its ad_ldap_clients_netmask, plus peers
%# IPSet merges overlapping and adjacent networks, so one iptables rule per distinct network is emitted.
%# NOTE(review): IPy's IP('addr/mask') rejects an address whose host bits are set unless
%# make_net=True is passed, so a host address with a non-/32 netmask aborts template rendering.
%# Presumably the Creole variable validation rules that out -- confirm.
%# With filtering disabled both sets are 0.0.0.0/0: every rule below then accepts the listed ports,
%# including the whole dynamic RPC/Netlogon ranges (tcp and udp), from ANY source on every interface.
%if %%getVar('ad_filter_network', 'non') == 'oui'
%set %%peer_nets = [IP('{}/{}'.format(addr, addr.ad_peer_netmask)) for addr in %%getVar('ad_peer_ip', [])]
%set %%peers = IPSet(%%peer_nets)
%set %%client_nets = [IP('{}/{}'.format(addr, addr.ad_ldap_clients_netmask)) for addr in %%getVar('ad_ldap_clients_ip', [])]
%set %%ldap_clients = IPSet(%%client_nets) + %%peers
%else
%set %%anywhere = IPSet([IP('0.0.0.0/0.0.0.0')])
%set %%peers = %%anywhere
%set %%ldap_clients = %%anywhere
%end if
%# Dynamic RPC and Netlogon port ranges, passed verbatim to "-m multiport --dports", so a custom
%# value must use the iptables syntax ('lo:hi', comma-separated, at most 15 entries).
%# An unset or empty custom value falls back to the default ephemeral range.
%set %%rpc_port = %%getVar('ad_custom_rpc_port', None) or '49152:65535'
%set %%netlogon_port = %%getVar('ad_custom_netlogon_port', None) or '49152:65535'

# Ports opened below to the "peer" networks (every entry of peers, i.e. 0.0.0.0/0 when filtering is off):
# for every role: 445 (SMB/CIFS), 135 (MSRPC endpoint mapper) and the dynamic RPC / Netlogon port ranges;
# only when ad_server_role is 'controleur de domaine': 53 (DNS), 5353 (multicast DNS), 88 (Kerberos),
# 5722 (DFS Replication), 3268 and 3269 (Global Catalog).
# NOTE: 123 (NTP) used to be listed here, but no rule in this file opens it; it must be opened elsewhere if needed.

# 464 (kpasswd, tcp and udp) is opened to the peer networks for every role.
# NOTE: this was previously documented as "clients only", but the rule is emitted inside the peers loop
# and the client networks only receive the LDAP ports below -- confirm which behaviour is intended.

# Extended LDAP access, granted to ldap_clients (the LDAP client networks plus the peer networks):
# 389 (ldap, udp and tcp), 636 (ldaps)

%# One iptables chain per interface (eth<N>-root). Every rule appended here is an ACCEPT, so the
%# relative order of the rules does not change the resulting policy; only their presence matters.
%# Each ip is an IPy network from the IPSet and is rendered as the -s (source) match.
%for %%int_idx in %%range(0, %%int(%%nombre_interfaces))
%# ---- Rules granted to the peer networks ----
%for %%ip in %%peers
%# SMB and the MSRPC endpoint mapper. Only the initial SYN is accepted here; the rest of the
%# connection is presumably accepted by a conntrack rule elsewhere in the ruleset (not in this file).
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 135 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%# Dynamic RPC range (default 49152:65535), tcp and udp. The value goes verbatim into multiport,
%# so a custom ad_custom_rpc_port must already be in iptables syntax ('lo:hi' or comma-separated).
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp --syn -m multiport --dports %%rpc_port -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m multiport --dports %%rpc_port -j ACCEPT
%# Netlogon range: emitted only when it differs from the RPC range, to avoid duplicate rules.
%# Two distinct but overlapping ranges are still emitted twice; harmless, since both ACCEPT.
%if %%rpc_port != %%netlogon_port
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp --syn -m multiport --dports %%netlogon_port -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m multiport --dports %%netlogon_port -j ACCEPT
%end if
%# Services exposed only by a domain controller: DNS (53), multicast DNS (5353), Kerberos (88),
%# DFS Replication (5722) and the Global Catalog (3268 plain, 3269 TLS). Member servers get none of these.
%if %%getVar('ad_server_role', 'membre') == 'controleur de domaine'
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 53 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 5353 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 5353 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 88 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 88 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 5722 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 5722 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 3268 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 3269 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%end if
%# kpasswd (464, tcp and udp) is opened to the peer networks regardless of the server role.
%# NOTE(review): the header comment describes 464 as a client-only port, yet it is emitted in the
%# peers loop and never for the LDAP client networks -- confirm which is intended.
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 464 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 464 -j ACCEPT
%# Legacy NetBIOS (137/138 udp, 139 tcp): closed unless autoriser_netbios_ports is explicitly 'oui'.
%if %%getVar('autoriser_netbios_ports', 'non') == 'oui'
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 137 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 138 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%end if
%end for
%# ---- LDAP: granted to ldap_clients, which also contains the peer networks ----
%# 389 udp and tcp, 636 (LDAPS). This is the only access the LDAP client networks receive from this file.
%for %%ip in %%ldap_clients
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p udp -m udp --dport 389 -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -A eth%%{int_idx}-root -s %%ip -p tcp -m tcp --dport 636 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
%end for
%end for
