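#!/bin/bash
#
# sshutter - conditional port shutter.
#
# While TARGET answers ping, TCP port PORT is restricted with nftables to
# sources matching WHITELIST; while TARGET does not answer, the restriction
# is removed again. The check repeats every INTERVAL seconds.
#
# Settings come from the environment or from /etc/sshutter.conf (sourced):
#   WHITELIST  IPv4 source expression for nft (address, prefix, set, ...)
#   PORT       TCP port (number or service name accepted by nft)
#   TARGET     host whose reachability controls the shutter
#
# Must run as root. The chain "sshutterv4" in table "inet filter" is owned
# by this script: it is rebuilt on every cycle while TARGET is reachable and
# destroyed while it is not. The chain is NOT removed when the script itself
# stops; whatever state was last applied stays in effect.

readonly CONFIG=/etc/sshutter.conf
readonly FAMILY=inet
readonly TABLE=filter
readonly CHAIN=sshutterv4
readonly INTERVAL=60

#######################################
# Print a timestamped line to stdout.
# Arguments: message words
#######################################
log() {
  printf '%s %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$*"
}

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# (Re)build the shutter chain: accept PORT from WHITELIST, drop it from
# everyone else. Idempotent: the chain is flushed inside the same nft
# transaction, so calling this every cycle neither accumulates duplicate
# rules nor opens a window between flush and re-add.
# Globals:  FAMILY, TABLE, CHAIN, PORT, WHITELIST (read)
# Returns:  nft's exit status
#######################################
apply_shutter() {
  # PORT and WHITELIST are expanded into the nft script exactly as the
  # original passed them on the nft command line; they come from the
  # root-controlled config/environment, not from the network.
  # "ip saddr" matches IPv4 only, while the drop rule matches both families
  # of the inet table, so IPv6 clients are refused regardless of WHITELIST.
  nft -f - <<EOF
add table ${FAMILY} ${TABLE}
add chain ${FAMILY} ${TABLE} ${CHAIN} { type filter hook input priority filter; policy accept; }
flush chain ${FAMILY} ${TABLE} ${CHAIN}
add rule ${FAMILY} ${TABLE} ${CHAIN} tcp dport ${PORT} ip saddr ${WHITELIST} accept
add rule ${FAMILY} ${TABLE} ${CHAIN} tcp dport ${PORT} drop
EOF
}

#######################################
# Remove the shutter chain. "destroy" (unlike "delete") succeeds when the
# chain is already gone, but needs a recent nftables.
# Globals:  FAMILY, TABLE, CHAIN (read)
# Returns:  nft's exit status
#######################################
release_shutter() {
  nft destroy chain "$FAMILY" "$TABLE" "$CHAIN"
}

#######################################
# Load config, validate, then poll TARGET forever and enforce the shutter
# state. Transitions (and nft failures) are logged; steady state is silent.
# Globals:  CONFIG, INTERVAL, TARGET, PORT, WHITELIST, UID (read)
#######################################
main() {
  local state=unknown  # blocked | open | unknown (last nft call failed)

  # The config file is sourced, i.e. executed as root: keep it root-owned
  # and not writable by anyone else.
  if [[ -f "$CONFIG" ]]; then
    . "$CONFIG"
  fi

  # -z, not -eq: the integer test cannot compare empty strings and silently
  # let missing settings through.
  if [[ -z "${WHITELIST:-}" || -z "${PORT:-}" || -z "${TARGET:-}" ]]; then
    die "you need to specify WHITELIST, PORT and TARGET, either in /etc/sshutter.conf or through environment variables."
  fi

  # nft needs root.
  (( UID == 0 )) || die "must be root."

  while true; do
    if ping -c 3 "$TARGET" >/dev/null; then
      [[ "$state" == blocked ]] \
        || log "[sshutter] Blocking port $PORT for IPs outside $WHITELIST"
      if apply_shutter; then
        state=blocked
      else
        state=unknown
        log "[sshutter] nft failed to apply the shutter; will retry"
      fi
    else
      [[ "$state" == open ]] || log "[sshutter] Releasing port block"
      if release_shutter; then
        state=open
      else
        state=unknown
        log "[sshutter] nft failed to release the shutter; will retry"
      fi
    fi
    sleep "$INTERVAL"
  done
}

main "$@"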