scripts/manager.sh

#!/bin/bash
# firewall_manager.sh - Manajemen firewall rules terpadu dengan iptables, ufw, dan firewalld
#
# Fitur:
#   - Validasi input yang lebih kompleks untuk aturan
#   - Logging setiap aksi ke /var/log/firewall_manager.log
#   - Integrasi dengan firewalld (jika aktif) secara langsung
#
# Usage:
#   sudo ./firewall_manager.sh {start|stop|status|list|add-rule|del-rule|backup|restore}
#
# Contoh:
#   sudo ./firewall_manager.sh start
#   sudo ./firewall_manager.sh add-rule udp 1000:2000 9999

set -euo pipefail
LOG_FILE="/var/log/firewall_manager.log"

# === Fungsi Logging ===
log_msg() {
    local level="$1"
    shift
    local message="$*"
    local timestamp
    timestamp=$(date +'%Y-%m-%d %H:%M:%S')
    echo "${timestamp} [${level}] ${message}" | tee -a "${LOG_FILE}"
}

# === Fungsi Validasi ===
validate_protocol() {
    local protocol="$1"
    if [[ "$protocol" != "udp" && "$protocol" != "tcp" ]]; then
        log_msg "ERROR" "Protocol harus 'udp' atau 'tcp'. Diberikan: ${protocol}"
        exit 1
    fi
}

validate_port_range() {
    local port_range="$1"
    if ! [[ "$port_range" =~ ^[0-9]{1,5}(:[0-9]{1,5})?$ ]]; then
        log_msg "ERROR" "Format port range tidak valid: ${port_range}"
        exit 1
    fi
}

validate_port() {
    local port="$1"
    if ! [[ "$port" =~ ^[0-9]{1,5}$ ]]; then
        log_msg "ERROR" "Format port tidak valid: ${port}"
        exit 1
    fi
    if (( port < 1 || port > 65535 )); then
        log_msg "ERROR" "Port harus berada di antara 1 dan 65535: ${port}"
        exit 1
    fi
}

# === Fungsi Helper ===
usage() {
    cat << EOF
Usage: $0 {start|stop|status|list|add-rule|del-rule|backup|restore}

Commands:
  start      : Enable IP forwarding dan pasang aturan default.
               (Default: UDP CUSTOM (1:5999->3671) dan ZIVPN (6000:19999->5667) + aturan ufw dan firewalld jika aktif)
  stop       : Flush aturan NAT dan disable IP forwarding.
  status     : Tampilkan status IP forwarding dan aturan firewall saat ini.
  list       : List aturan iptables (tabel NAT) dan status ufw.
  add-rule   : Tambah aturan kustom.
               Sintaks: $0 add-rule <protocol> <port_range> <destination_port>
               Contoh: $0 add-rule udp 1000:2000 9999
  del-rule   : Hapus aturan kustom.
               Sintaks: $0 del-rule <chain> <protocol> <port_range> <destination_port>
               Contoh: $0 del-rule PREROUTING udp 1000:2000 9999
  backup     : Backup aturan iptables NAT ke file backup.
  restore    : Restore aturan iptables NAT dari file backup.

EOF
    exit 1
}

check_root() {
    if [ "$EUID" -ne 0 ]; then
        echo "Jalankan script ini sebagai root." >&2
        exit 1
    fi
}

enable_ip_forwarding() {
    log_msg "INFO" "Mengaktifkan IP forwarding"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

disable_ip_forwarding() {
    log_msg "INFO" "Menonaktifkan IP forwarding"
    sysctl -w net.ipv4.ip_forward=0 >/dev/null
}

get_default_interface() {
    local iface
    iface=$(ip route | awk '/default/ {print $5; exit}')
    echo "$iface"
}

is_firewalld_active() {
    if systemctl is-active --quiet firewalld; then
        return 0
    else
        return 1
    fi
}

# === Integrasi Firewalld ===
apply_firewalld_rule() {
    local action="$1"  # add or remove
    local rule="$2"
    # Contoh penggunaan:
    # firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ${interface} -p udp --dport 1:7299 -j DNAT --to-destination :3671
    firewall-cmd --permanent --direct --"${action}"-rule ipv4 nat PREROUTING 0 ${rule}
}

reload_firewalld() {
    firewall-cmd --reload
}

# === Fungsi Aturan Default ===
apply_default_rules() {
    local interface
    interface=$(get_default_interface)
    if [[ -z "$interface" ]]; then
        log_msg "ERROR" "Interface default tidak ditemukan."
        exit 1
    fi
    log_msg "INFO" "Menggunakan interface: ${interface}"

    ./port-forward.sh

    # Udp Custom: izinkan port untuk Udp Custom
    ufw allow 1:5999/udp && ufw allow 3671/udp
    log_msg "INFO" "Aturan UFW diterapkan untuk port 1:5999/udp dan 3671/udp"

    # UFW: izinkan port untuk ZIVPN
    ufw allow 6000:19999/udp && ufw allow 5667/udp
    log_msg "INFO" "Aturan UFW diterapkan untuk port 6000:19999/udp dan 5667/udp"

    # Integrasi firewalld jika aktif
    if is_firewalld_active; then
        log_msg "INFO" "firewalld terdeteksi. Menerapkan aturan ke firewalld..."
        # Aturan untuk UDP CUSTOM
        apply_firewalld_rule "add" "-i ${interface} -p udp --dport 1:7299 -j DNAT --to-destination :3671"
        # Aturan untuk ZIVPN
        apply_firewalld_rule "add" "-i ${interface} -p udp --dport 6000:19999 -j DNAT --to-destination :5667"
        reload_firewalld
        log_msg "INFO" "Aturan firewalld diterapkan dan reload"
    fi

    log_msg "INFO" "Aturan default berhasil diterapkan."
}

flush_firewall_rules() {
    log_msg "INFO" "Menghapus semua aturan di NAT table iptables..."
    iptables -t nat -F
    log_msg "INFO" "Aturan NAT table iptables telah dihapus."

    # Integrasi firewalld: Hapus aturan default jika firewalld aktif
    if is_firewalld_active; then
        local interface
        interface=$(get_default_interface)
        log_msg "INFO" "Menghapus aturan firewalld..."
        apply_firewalld_rule "remove" "-i ${interface} -p udp --dport 1:7299 -j DNAT --to-destination :3671"
        apply_firewalld_rule "remove" "-i ${interface} -p udp --dport 6000:19999 -j DNAT --to-destination :5667"
        reload_firewalld
        log_msg "INFO" "Aturan firewalld default dihapus."
    fi
}

list_firewall_rules() {
    echo "Aturan iptables (NAT table):"
    iptables -t nat -L -n -v
    echo
    echo "Status UFW:"
    ufw status verbose
}

backup_firewall_rules() {
    local backup_file="/root/iptables_nat_backup_$(date +%F).txt"
    iptables-save -t nat > "${backup_file}"
    log_msg "INFO" "Backup aturan NAT table iptables telah disimpan ke ${backup_file}"
}

restore_firewall_rules() {
    local backup_file="/root/iptables_nat_backup_$(date +%F).txt"
    if [ ! -f "${backup_file}" ]; then
        log_msg "ERROR" "File backup ${backup_file} tidak ditemukan."
        exit 1
    fi
    iptables-restore < "${backup_file}"
    log_msg "INFO" "Aturan NAT table iptables direstore dari ${backup_file}"
}

add_custom_rule() {
    # Ekspektasi: protocol, port_range, destination_port
    if [ $# -ne 3 ]; then
        echo "Usage: $0 add-rule <protocol> <port_range> <destination_port>"
        exit 1
    fi
    local protocol="$1"
    local port_range="$2"
    local dest_port="$3"

    validate_protocol "${protocol}"
    validate_port_range "${port_range}"
    validate_port "${dest_port}"

    local interface
    interface=$(get_default_interface)
    if [[ -z "$interface" ]]; then
        log_msg "ERROR" "Interface default tidak ditemukan."
        exit 1
    fi

    iptables -t nat -A PREROUTING -i "${interface}" -p "${protocol}" --dport "${port_range}" -j DNAT --to-destination :${dest_port}
    log_msg "INFO" "Aturan kustom iptables ditambahkan: ${protocol} ${port_range} -> ${dest_port} pada interface ${interface}"

    # Integrasi firewalld jika aktif
    if is_firewalld_active; then
        apply_firewalld_rule "add" "-i ${interface} -p ${protocol} --dport ${port_range} -j DNAT --to-destination :${dest_port}"
        reload_firewalld
        log_msg "INFO" "Aturan kustom firewalld ditambahkan: ${protocol} ${port_range} -> ${dest_port}"
    fi
}

delete_custom_rule() {
    # Ekspektasi: chain, protocol, port_range, destination_port
    if [ $# -ne 4 ]; then
        echo "Usage: $0 del-rule <chain> <protocol> <port_range> <destination_port>"
        exit 1
    fi
    local chain="$1"
    local protocol="$2"
    local port_range="$3"
    local dest_port="$4"

    validate_protocol "${protocol}"
    validate_port_range "${port_range}"
    validate_port "${dest_port}"

    local interface
    interface=$(get_default_interface)
    if [[ -z "$interface" ]]; then
        log_msg "ERROR" "Interface default tidak ditemukan."
        exit 1
    fi

    iptables -t nat -D "${chain}" -i "${interface}" -p "${protocol}" --dport "${port_range}" -j DNAT --to-destination :${dest_port}
    log_msg "INFO" "Aturan kustom iptables dihapus: ${chain} ${protocol} ${port_range} -> ${dest_port}"

    # Integrasi firewalld jika aktif
    if is_firewalld_active; then
        apply_firewalld_rule "remove" "-i ${interface} -p ${protocol} --dport ${port_range} -j DNAT --to-destination :${dest_port}"
        reload_firewalld
        log_msg "INFO" "Aturan kustom firewalld dihapus: ${chain} ${protocol} ${port_range} -> ${dest_port}"
    fi
}

# === Main Program ===
check_root

if [ $# -eq 0 ]; then
    usage
fi

COMMAND=$1
shift

case "${COMMAND}" in
    start)
        enable_ip_forwarding
        apply_default_rules
        ;;
    stop)
        flush_firewall_rules
        disable_ip_forwarding
        ;;
    status)
        echo "Status IP forwarding:"
        sysctl net.ipv4.ip_forward
        echo
        list_firewall_rules
        ;;
    list)
        list_firewall_rules
        ;;
    add-rule)
        add_custom_rule "$@"
        ;;
    del-rule)
        delete_custom_rule "$@"
        ;;
    backup)
        backup_firewall_rules
        ;;
    restore)
        restore_firewall_rules
        ;;
    *)
        usage
        ;;
esac