From 65d2b291cc309ad4584b058b8354fa114ffb00f0 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Tue, 20 Dec 2016 13:56:09 +0100
Subject: [PATCH] Support for set firewall rules

---
bkctl | 15 ++++++++++++++-
tpl/evobackup.conf | 1 +
2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/bkctl b/bkctl
index 4963bbc..8acf005 100755
--- a/bkctl
+++ b/bkctl
@@ -282,7 +282,7 @@ get_port() {
 set_port() {
 jail=$1
 port=$2
-if [ $port = "auto" ]; then
+if [ "$port" = "auto" ]; then
 port=$(grep -h Port ${JAILDIR}/*/${SSHD_CONFIG} 2>/dev/null | grep -Eo [0-9]+ | sort -n | tail -1)
 port=$((port+1))
 if [ ! $port -gt 1 ]; then
@@ -290,6 +290,7 @@ set_port() {
 fi
 fi
 sed -i "s/^Port .*/Port ${port}/" ${JAILDIR}/$jail/${SSHD_CONFIG}
+set_firewall $jail
 }
 
 get_key() {
@@ -332,6 +333,18 @@ set_ip() {
 allow="$allow root@${ip}"
 done
 sed -i "s~^AllowUsers .*~${allow}~" ${JAILDIR}/$jail/${SSHD_CONFIG}
+set_firewall $jail
+}
+
+set_firewall() {
+jail=$1
+if [ -f $FIREWALL_RULES ]; then
+sed -i "/#${jail}$/d" $FIREWALL_RULES
+fi
+port=$(get_port $jail)
+for ip in $(get_ip $jail); do
+echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport $port -s $ip -j ACCEPT #$jail" >> $FIREWALL_RULES
+done
 }
 
 main() {
diff --git a/tpl/evobackup.conf b/tpl/evobackup.conf
index 4e54d30..c796329 100644
--- a/tpl/evobackup.conf
+++ b/tpl/evobackup.conf
@@ -10,3 +10,4 @@ MYMAIL='jdoe@example.com'
 SSHD_PID='/var/run/sshd.pid'
 SSHD_CONFIG='/etc/ssh/sshd_config'
 AUTHORIZED_KEYS='/root/.ssh/authorized_keys'
+FIREWALL_RULES='/etc/firewall.rc.jails'
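Review bot: The new set_firewall in the third bkctl hunk misbehaves when FIREWALL_RULES is unset — `[ -f $FIREWALL_RULES ]` then tests the literal string `-f` and succeeds, `sed -i` runs with no input file, and `>> $FIREWALL_RULES` is an ambiguous redirect; since the variable is only added to tpl/evobackup.conf, configs generated from the older template presumably lack it, so the function should start with `[ -n "$FIREWALL_RULES" ] || return 0`. `$jail`, `$FIREWALL_RULES` and the get_port/get_ip arguments are also unquoted here and at the two new call sites (`set_firewall $jail` in the set_port and set_ip hunks), and the jail name is spliced into the sed address `/#${jail}$/d`, so a name containing `/` or regex metacharacters corrupts the expression or deletes other jails' rules — if jail names are not already validated elsewhere in bkctl, reject anything outside `[A-Za-z0-9._-]` before using it. Nothing in the patch reloads the firewall after appending to the rules file; a comment in set_firewall saying where that file is applied would help the reader. Proposed rewrite of set_firewall:
```sh
set_firewall() {
    jail=$1
    # configs written from an older template have no FIREWALL_RULES: nothing to do
    [ -n "$FIREWALL_RULES" ] || return 0
    # the name is used as a sed address and a trailing marker: keep it to safe chars
    case $jail in
        ''|*[!A-Za-z0-9._-]*) echo "invalid jail name: $jail" >&2; return 1 ;;
    esac
    if [ -f "$FIREWALL_RULES" ]; then
        sed -i "/#${jail}\$/d" "$FIREWALL_RULES"
    fi
    port=$(get_port "$jail")
    # get_ip output is deliberately word-split: one address per iteration
    for ip in $(get_ip "$jail"); do
        echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport $port -s $ip -j ACCEPT #$jail" >> "$FIREWALL_RULES"
    done
}
```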