From a04518171077766a40456b7efc54374e0e8c149a Mon Sep 17 00:00:00 2001 From: DrMaxNix Date: Sat, 25 May 2024 00:19:25 +0200 Subject: [PATCH] :sparkles: implement missing features --- xynat | 79 ++++++++++++++++++++++++++++------------------------------- 1 file changed, 37 insertions(+), 42 deletions(-)
diff --git a/xynat b/xynat
index c05302c..3af93d6 100755
--- a/xynat
+++ b/xynat
@@ -136,6 +136,16 @@ xynat_ruleset_update_in(){
 ## ADD RULES ##
+ # enforce correct vm address
+ iptables -A "${chain_id}_IN" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
+
+ # maybe allow host access
+ if [[ "${arg_allow_host_mode:-}" == "in_out" ]]; then
+ iptables -A "${chain_id}_IN" -j RETURN
+ elif [[ "${arg_allow_host_mode:-}" == "in" ]]; then
+ iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ fi
+
 # reject all packets
 iptables -A "${chain_id}_IN" -j REJECT --reject-with icmp-host-unreachable
@@ -154,8 +164,16 @@ xynat_ruleset_update_out(){
 ## ADD RULES ##
- # allow icmp messages
- iptables -A "${chain_id}_OUT" -p icmp -j RETURN
+ # allow related icmp messages
+ iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j RETURN
+
+ # enforce correct vm address
+ iptables -A "${chain_id}_OUT" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
+
+ # maybe allow host access
+ if [[ "${arg_allow_host_mode:-}" == "in_out" || "${arg_allow_host_mode:-}" == "in" ]]; then
+ iptables -A "${chain_id}_OUT" -j RETURN
+ fi
 # reject all other packets
 iptables -A "${chain_id}_OUT" -j REJECT --reject-with icmp-host-unreachable
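Review bot: The meaning of `in` versus `in_out` for `arg_allow_host_mode` is stated nowhere in the hunk; a reader has to work out from the two branches that `in` lets the host open connections to the VM while the VM only gets ESTABLISHED/RELATED replies back, and `in_out` lifts the restriction in both directions. A comment above the branch would spare the next reader that inference: `# allow-host modes: "in_out" = host<->vm unrestricted, "in" = host may initiate, vm only gets ESTABLISHED/RELATED replies`. Any other non-empty value falls through silently to the reject-all rule below, which is fail-closed but hides typos; unless the option parser (outside this hunk) already restricts the value, an `elif [[ -n "${arg_allow_host_mode:-}" ]]; then log_error "Unknown allow-host mode '${arg_allow_host_mode}'"` branch would surface it. xynat_ruleset_update_in starts before the hunk.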
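Review bot: The `-p icmp -m conntrack --ctstate RELATED -j RETURN` rule sits ahead of the `! -d "$arg_vm_address"` reject, so related ICMP errors leave this chain whatever their destination; that placement is presumably deliberate (an ICMP error about a tracked flow has to get back to whichever end sent the original packet) but nothing says so, and the next tidy-up may move it below the address check. A one-line comment would pin it: `# kept above the address check on purpose: related icmp must reach the original sender`. Note also that echo-request/echo-reply is not RELATED, so host-to-VM ping now depends on `arg_allow_host_mode` being set, where the old unconditional `-p icmp` allow let it through; worth a word in the commit or the comment. xynat_ruleset_update_out starts before the hunk.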
@@ -179,12 +197,12 @@ xynat_ruleset_update_fwi(){
 iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 # ignore allowed local addresses
- for a in ${arg_allow:-""}; do
+ for a in ${arg_allow[*]:-}; do
 iptables -A "${chain_id}_FWI" -d "$a" -j RETURN
 done
 # ignore allowed incomming local addresses
- for a in ${arg_allow_in:-""}; do
+ for a in ${arg_allow_in[*]:-}; do
 iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
 done
@@ -212,7 +230,7 @@ xynat_ruleset_update_fwo(){
 iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 # ignore allowed local addresses
- for a in ${arg_allow:-""} ${arg_allow_in:-""}; do
+ for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
 iptables -A "${chain_id}_FWO" -s "$a" -j RETURN
 done
@@ -236,11 +254,10 @@ xynat_ruleset_update_ni(){
 ## ADD RULES ##
- # filter for vm public ip
- iptables -t nat -A "${chain_id}_NI" ! -d "$arg_public_ip" -j RETURN # TODO
- # translate destination address (forward to vm)
- iptables -t nat -A "${chain_id}_NI" -j DNAT --to-destination "$arg_vm_address"
+ if [[ "${arg_public_ip:+x}" ]]; then
+ iptables -t nat -A "${chain_id}_NI" -d "$arg_public_ip" -j DNAT --to-destination "$arg_vm_address"
+ fi
 }
@@ -257,8 +274,12 @@ xynat_ruleset_update_no(){
 # filter for vm ip address
 iptables -t nat -A "${chain_id}_NO" ! -s "$arg_vm_address" -j RETURN
- # translate source address (forward to internet)
- iptables -t nat -A "${chain_id}_NO" -j SNAT --to-source "$arg_public_ip" # TODO
+ # translate source address/port (forward to internet)
+ if [[ "${arg_public_ip:+x}" ]]; then
+ iptables -t nat -A "${chain_id}_NO" -j SNAT --to-source "$arg_public_ip"
+ else
+ iptables -t nat -A "${chain_id}_NO" -j MASQUERADE
+ fi
 }
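Review bot: `for a in ${arg_allow[*]:-}; do` expands the array unquoted, so every element is word-split and glob-expanded before it reaches `iptables -d`; the `[*]:-` form is presumably there to survive `set -u` on an unset array, which a plain `"${arg_allow[@]}"` only does on bash 4.4 and later. The `+` expansion gives both on any bash: it quotes each element and expands to nothing when the array is unset, `for a in ${arg_allow[@]+"${arg_allow[@]}"}; do`, and the same for `${arg_allow_in[@]+"${arg_allow_in[@]}"}` (and for the combined loop in `xynat_ruleset_update_fwo` in the next hunk). Whether the entries of `arg_allow`/`arg_allow_in` are validated as addresses before they are handed to iptables is not visible here; only `xynat_validate_vm_address` appears in this patch. xynat_ruleset_update_fwi starts before the hunk.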
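Review bot: When `arg_public_ip` is empty the `_NI` chain is now left with no rule at all, so the VM is masqueraded out but nothing is forwarded in; that matches the removed TODO, but the code no longer says it, and a reader of the `if` may take the missing `else` for an oversight. A comment on the branch would make the asymmetry explicit: `# no public ip: outbound is masqueraded only, nothing is dnat'ed into the vm`. The DNAT rule is also unscoped by protocol or port, so every packet for `$arg_public_ip` that reaches this chain is handed to the VM — fine for a dedicated 1:1 address, but worth stating in a comment if that address can also be one the host itself listens on. xynat_ruleset_update_ni starts before the hunk.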
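Review bot: The MASQUERADE fallback matches on source address only, so unless the jump into `${chain_id}_NO` is already restricted with `-o "$arg_iface"` (that wiring is outside this hunk), VM traffic leaving on any other interface — another VM bridge, a second LAN that the `arg_allow` lists exist for — is also rewritten to the host's address on that interface and the peer sees the host rather than the VM; the SNAT branch has the same exposure, there to the public address. Putting the interface on the rules keeps the chain self-contained: `iptables -t nat -A "${chain_id}_NO" -o "$arg_iface" -j SNAT --to-source "$arg_public_ip"` and `iptables -t nat -A "${chain_id}_NO" -o "$arg_iface" -j MASQUERADE`. If the jump is in fact interface-scoped, a comment saying so on the `if` would do instead. xynat_ruleset_update_no starts before the hunk.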
@@ -300,25 +321,6 @@ xynat_version(){
-#
-# VALIDATOR: `iface`.
-#
-xynat_validate_iface(){
- ## CHECK IF VALID NAME ##
- local iface_list="$(xynat_iface_list)"
- local found="no"
- for i in $iface_list; do
- if [[ "$i" == "$1" ]]; then
- found="yes"
- fi
- done
- if [[ "$found" != "yes" ]]; then
- log_warn "Unknown iface name '$1'"
- fi
-}
-
-
-
 #
 # VALIDATOR: `vm-address`.
 #
@@ -539,13 +541,14 @@ if [[ -z "${arg_iface:+x}" ]]; then
 if [[ -z "${IFACE:+x}" ]]; then log_error "Missing required argument 'iface'; See '$0 --help' for usage information"; fi
 arg_iface="$IFACE"
 fi
-xynat_validate_iface "$arg_iface"
 # vm-address
-if [[ -z "${arg_vm_address:+x}" ]]; then
- log_error "Missing required argument 'vm-address'; See '$0 --help' for usage information"
+if [[ "$arg_mode" != "remove" ]]; then
+ if [[ -z "${arg_vm_address:+x}" ]]; then
+ log_error "Missing required argument 'vm-address'; See '$0 --help' for usage information"
+ fi
+ xynat_validate_vm_address "$arg_vm_address"
 fi
-xynat_validate_vm_address "$arg_vm_address"
 # public-ip
 if [[ "${arg_public_ip:+x}" ]]; then
@@ -582,11 +585,3 @@ case "$arg_mode" in
 log_error "Invalid mode '$arg_mode'"
 ;;
 esac
-
-
-
-
-
-# TODO: Refine icmp filter to only allow related packets
-# TODO: Wire up public-ip being empty (SNAT/DNAT)
-# TODO: Wire up allow-host and allow-host-in
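Review bot: Dropping the `xynat_validate_iface "$arg_iface"` call leaves `arg_iface` completely unchecked before it reaches iptables, and iptables does not verify that a `-i`/`-o` interface name exists, so a mistyped `--iface` now installs rules bound to a nonexistent interface (the VM's traffic presumably then hits whatever default policy the table has) where the old code at least logged `Unknown iface name`. If the validator was removed because remove mode has no interface to consult, keep the check for the other modes, `if [[ "$arg_mode" != "remove" ]]; then xynat_validate_iface "$arg_iface"; fi` with the deleted function restored, or say in a comment why the check is gone. The new guard also means `arg_vm_address` may be unset in remove mode; whether the remove path (outside this hunk) ever expands it under `set -u` is not visible here. The enclosing top-level argument-validation run continues outside the hunk.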