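#!/bin/bash
#
# sshutter: while TARGET answers ping, restrict TCP port PORT to the sources
# in WHITELIST using a dedicated nftables chain; when TARGET stops answering,
# remove that chain again.
#
# Settings read from /etc/sshutter.conf (or the environment):
#   TARGET     host to ping
#   PORT       TCP destination port to restrict
#   WHITELIST  nft source-address expression that stays allowed
#
# NOTE(review): the block is lifted whenever TARGET stops answering ping, so
# any loss of ICMP reachability to TARGET reopens PORT to all sources. Confirm
# this fail-open behaviour is what the deployment expects.

if [ "$UID" -ne 0 ]; then
  echo "Error: must be root." 1>&2
  exit 1
fi

# The config file is sourced, i.e. executed as shell code with root
# privileges. Keep it owned by root and not writable by anyone else.
if [ -f "/etc/sshutter.conf" ]; then
  . /etc/sshutter.conf
fi

# Stop early when a setting is missing. An empty TARGET makes every ping fail,
# which would silently keep the port open.
: "${TARGET:?TARGET is not set (see /etc/sshutter.conf)}"
: "${PORT:?PORT is not set (see /etc/sshutter.conf)}"
: "${WHITELIST:?WHITELIST is not set (see /etc/sshutter.conf)}"

# Print a timestamped message on stdout.
# Arguments: the message words, joined with single spaces.
log() {
  printf '%s %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$*"
}

# Install the shutter chain with exactly one accept rule and one drop rule.
# "nft add rule" appends, so adding the rules on every cycle would grow the
# chain by two rules per minute; the chain is flushed first instead. Everything
# is loaded through a single "nft -f" call so the ruleset changes in one
# transaction and there is no moment where the chain exists without its rules.
# The table is "inet" (IPv4 and IPv6) while the accept rule matches "ip saddr"
# (IPv4 only), so IPv6 traffic to PORT always reaches the drop rule.
# Returns: exit status of nft.
apply_shutter() {
  nft -f - <<EOF
add table inet filter
add chain inet filter sshutterv4 { type filter hook input priority filter; policy accept; }
flush chain inet filter sshutterv4
add rule inet filter sshutterv4 tcp dport $PORT ip saddr $WHITELIST accept
add rule inet filter sshutterv4 tcp dport $PORT drop
EOF
}

while true; do
  if ping -c 3 "$TARGET" 1>/dev/null; then
    # Ping successful, apply shutter
    log "[sshutter] Blocking port $PORT for IPs outside $WHITELIST"
    apply_shutter || log "[sshutter] Error: failed to apply nftables rules" 1>&2
  else
    # Ping failed, lift shutter ("destroy" does not fail if the chain is
    # already absent)
    log "[sshutter] Releasing port block"
    nft destroy chain inet filter sshutterv4
  fi
  sleep 60
done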