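#!/bin/bash
#
# libvirt network hook: install a destination filter on the libvirt bridge.
#
# libvirt invokes this hook with the network name in $1 and the operation in
# $2; the script acts only on the "started" operation and exits 0 otherwise.
# Packets entering the host on the bridge (i.e. from guests) whose destination
# is in the forbidden subnet list are rejected in both INPUT and FORWARD;
# everything else RETURNs to the existing rules. Rerunning is idempotent: the
# chain is created only if missing, stale references are removed (all of
# them, not just one), and the rule set is rebuilt from scratch.
#
# Only IPv4 is covered (iptables); ip6tables is not touched.
# Requires root and iptables on PATH.

set -uo pipefail

## CONFIG ##
# libvirt network interface
readonly libvirt_iface="virbr0"
# user chain holding the filter rules
readonly chain="LIBVIRT_FIREWALL"
# list of forbidden subnets (destinations guests may not reach)
# NOTE(review): 192.168.0.0/16 and 255.255.255.255/32 also cover libvirt's
# default guest subnet and DHCP broadcasts, and this chain is inserted ahead
# of libvirt's own INPUT rules, so DHCP/DNS served from the bridge address may
# be rejected as well — confirm this is the intended policy.
declare -ar forbidden_subnet_list=(
  "0.0.0.0/8"
  "10.0.0.0/8"
  "100.64.0.0/10"
  "127.0.0.0/8"
  "169.254.0.0/16"
  "172.16.0.0/12"
  "192.0.0.0/24"
  "192.0.2.0/24"
  "192.88.99.0/24"
  "192.168.0.0/16"
  "198.18.0.0/15"
  "198.51.100.0/24"
  "203.0.113.0/24"
  "233.252.0.0/24"
  "255.255.255.255/32"
)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Create the filter chain if it does not exist yet.
# Globals: chain (read)
#######################################
ensure_chain() {
  # -N fails when the chain already exists; that is the expected case on
  # every run after the first, so the error is deliberately ignored.
  iptables -N "$chain" 2>/dev/null || true
}

#######################################
# Remove every existing jump to the filter chain from a built-in chain.
# Globals:   libvirt_iface, chain (read)
# Arguments: $1 - built-in chain (INPUT or FORWARD)
#######################################
drop_references() {
  local parent=$1
  # -D removes one matching rule per call; loop until none is left so that
  # duplicate references from earlier runs cannot accumulate.
  while iptables -D "$parent" -i "$libvirt_iface" -j "$chain" 2>/dev/null; do
    :
  done
}

#######################################
# Insert the jump to the filter chain at position 1 of a built-in chain, so
# it is evaluated before any other rule for traffic from the bridge.
# Globals:   libvirt_iface, chain (read)
# Arguments: $1 - built-in chain (INPUT or FORWARD)
# Returns:   exits via die on failure
#######################################
add_reference() {
  local parent=$1
  iptables -I "$parent" 1 -i "$libvirt_iface" -j "$chain" \
    || die "cannot insert ${chain} reference into ${parent}"
}

#######################################
# Rebuild the rule set of the filter chain from the forbidden subnet list.
# Globals: chain, forbidden_subnet_list (read)
# Returns: exits via die on failure, so a partially applied rule set is
#          reported instead of silently left in place
#######################################
apply_rules() {
  local subnet
  # clear old rules
  iptables -F "$chain" || die "cannot flush ${chain}"
  # add new rules
  for subnet in "${forbidden_subnet_list[@]}"; do
    iptables -A "$chain" -d "$subnet" \
      -j REJECT --reject-with icmp-host-unreachable \
      || die "cannot add rule for ${subnet}"
  done
  # rule for all other traffic: continue in the calling chain
  iptables -A "$chain" -j RETURN || die "cannot add RETURN rule to ${chain}"
}

#######################################
# Entry point.
# Arguments: $1 - network name (unused), $2 - libvirt hook operation
#######################################
main() {
  # Only the "started" operation installs rules; ${2:-} keeps set -u from
  # failing when the hook is called with fewer arguments.
  [[ "${2:-}" == "started" ]] || exit 0
  command -v iptables >/dev/null || die "iptables not found in PATH"

  ## MAKE SURE FIREWALL TABLE IS ON TOP ##
  ensure_chain
  drop_references INPUT
  drop_references FORWARD
  add_reference INPUT
  add_reference FORWARD

  ## APPLY CONFIG ##
  apply_rules
}

main "$@"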