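#!/bin/bash
#
# Script to add/remove IPs to iptables.
#
# Reads one JSON decision per line on stdin and adds or deletes a DROP rule
# for the decision's address in iptables (IPv4) or ip6tables (IPv6).
#
# Example input line:
# {"duration":"-1h1m9s","origin":"CAPI","scenario":"crowdsecurity/ssh-bf","scope":"Ip","type":"ban","value":"122.117.32.192","id":22739513,"action":"del"}
#
# Environment:
#   IPTABLES_CHAIN    chain to modify (default: INPUT)
#   IPTABLES_COMMENT  when non-empty, tag each rule with
#                     "-m comment --comment <scenario>"
#   IPTABLES_INSERT   when non-empty, insert at this rule position instead
#                     of appending to the chain
#
# Requires: jq, iptables, ip6tables.

set -euo pipefail

: "${IPTABLES_CHAIN:=INPUT}"

# Optional "-m comment --comment <scenario>" words added to every iptables
# call. Set per decision by processAction; empty when IPTABLES_COMMENT is
# unset. Kept as an array so the scenario name (which comes from the input
# feed) reaches iptables as exactly one argv element instead of being
# re-split or passed as a single unparseable string.
declare -a comment_args=()

#######################################
# Expand comment_args safely under `set -u` (bash < 4.4 treats an empty
# array expansion as unbound).
# Outputs: nothing; used as "${comment_args[@]}" via the idiom below.
#######################################
# (no function needed; see the ${comment_args[@]+"${comment_args[@]}"} idiom)

#######################################
# Add a DROP rule for an address unless an identical rule already exists.
# Globals:   IPTABLES_CHAIN, IPTABLES_INSERT, comment_args (read)
# Arguments: $1 - iptables binary (iptables or ip6tables)
#            $2 - address / network to block
# Returns:   status of the iptables call
#######################################
addRule() {
  local tool=$1 addr=$2
  # -C exits non-zero when no matching rule exists; that is the normal path
  # for a new address, so it must not trip `set -e`.
  if "$tool" ${comment_args[@]+"${comment_args[@]}"} \
      -C "$IPTABLES_CHAIN" -s "$addr" -j DROP; then
    return 0
  fi
  # Insert at a fixed position when IPTABLES_INSERT is set, else append.
  if [[ -z "${IPTABLES_INSERT:-}" ]]; then
    "$tool" ${comment_args[@]+"${comment_args[@]}"} \
      -A "$IPTABLES_CHAIN" -s "$addr" -j DROP
  else
    "$tool" ${comment_args[@]+"${comment_args[@]}"} \
      -I "$IPTABLES_CHAIN" "$IPTABLES_INSERT" -s "$addr" -j DROP
  fi
}

#######################################
# Delete the DROP rule for an address if it is present.
# Globals:   IPTABLES_CHAIN, comment_args (read)
# Arguments: $1 - iptables binary (iptables or ip6tables)
#            $2 - address / network to unblock
# Outputs:   a notice on stderr when no matching rule exists
# Returns:   status of the iptables call (0 when nothing to delete)
#######################################
delRule() {
  local tool=$1 addr=$2
  # Check first: `-D` on an absent rule fails, and under `set -e` that
  # would terminate the whole stdin-processing loop.
  if "$tool" ${comment_args[@]+"${comment_args[@]}"} \
      -C "$IPTABLES_CHAIN" -s "$addr" -j DROP; then
    "$tool" ${comment_args[@]+"${comment_args[@]}"} \
      -D "$IPTABLES_CHAIN" -s "$addr" -j DROP
  else
    printf '%s: no matching rule for %s in %s\n' \
      "$tool" "$addr" "$IPTABLES_CHAIN" >&2
  fi
}

# Thin IPv4/IPv6 wrappers kept under their historical names.
iptablesAdd() { addRule iptables "$1"; }
ip6tableAdd() { addRule ip6tables "$1"; }
iptablesDel() { delRule iptables "$1"; }
ip6tableDel() { delRule ip6tables "$1"; }

#######################################
# Apply a single decision.
# Globals:   IPTABLES_COMMENT (read), comment_args (written)
# Arguments: $1 - action: "add" or "del"
#            $2 - address; treated as IPv4 if it contains '.', IPv6 if ':'
#            $3 - duration (logged only)
#            $4 - scenario (logged; rule comment when IPTABLES_COMMENT is set)
# Outputs:   one progress line on stdout; "unknown action" otherwise
#######################################
processAction() {
  local action=$1 addr=$2 duration=$3 scenario=$4

  if [[ -n "${IPTABLES_COMMENT:-}" ]]; then
    # NOTE: the xt_comment match rejects comments longer than its fixed
    # limit; an over-long scenario name makes the iptables call fail.
    comment_args=(-m comment --comment "$scenario")
  else
    comment_args=()
  fi

  case "$action" in
    add)
      if [[ "$addr" == *.* ]]; then
        printf '%s\n' "add $addr for $duration with $scenario"
        iptablesAdd "$addr"
      elif [[ "$addr" == *:* ]]; then
        printf '%s\n' "IPV6 : add $addr for $duration with $scenario"
        ip6tableAdd "$addr"
      else
        printf 'ignoring unsupported address: %s\n' "$addr" >&2
      fi
      ;;
    del)
      if [[ "$addr" == *.* ]]; then
        printf '%s\n' "del $addr for $duration with $scenario"
        iptablesDel "$addr"
      elif [[ "$addr" == *:* ]]; then
        # This is the delete path; the log line says so.
        printf '%s\n' "IPV6 : del $addr for $duration with $scenario"
        ip6tableDel "$addr"
      else
        printf 'ignoring unsupported address: %s\n' "$addr" >&2
      fi
      ;;
    *)
      printf '%s\n' "unknown action"
      ;;
  esac
}

#######################################
# Read JSON decisions from stdin, one per line, and dispatch each one.
# Globals:   none written directly
# Arguments: none (positional parameters are ignored)
# Outputs:   progress messages on stdout; skipped lines reported on stderr
#######################################
main() {
  local line action value duration scenario
  # `|| [[ -n "$line" ]]` still processes a final line without a newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    # A malformed line (or a missing jq) must not kill the loop under
    # `set -e`; report it and move on.
    if ! action=$(jq -r .action <<<"$line"); then
      printf 'skipping malformed decision: %s\n' "$line" >&2
      continue
    fi
    value=$(jq -r .value <<<"$line")
    duration=$(jq -r .duration <<<"$line")
    scenario=$(jq -r .scenario <<<"$line")
    processAction "$action" "$value" "$duration" "$scenario"
  done
}

main "$@"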