#!/bin/sh

set -e
set -x

port="$1"
reverseproxy_ip="$2"
integration_ip="$3"

# switch SSH to port $port
sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config

# Install SELinux
yum install -y selinux-policy policycoreutils-python

# Tell SELinux to allow the new port
if grep -q '/$' /proc/1/cgroup; then
  # not in a container
  semanage port -a -t ssh_port_t -p tcp "$port"
else
  # in container; will fail if host does not have SELinux enabled
  if ! semanage port -a -t ssh_port_t -p tcp "$port"; then
    echo "I: can't use SELinux, your host probably does not have it enabled"
  fi
fi

# Restart SSH
systemctl restart sshd

# Clean iptables before adding our rules
systemctl stop iptables || echo "Not Installed"
iptables -F

# Setup port redirect
iptables -t nat -A PREROUTING -d $reverseproxy_ip/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination $integration_ip:22
iptables -t nat -A POSTROUTING -d $integration_ip/32 -p tcp -m tcp --dport 22 -j SNAT --to-source $reverseproxy_ip
sysctl -w net.ipv4.ip_forward=1

# Allow port redirects
iptables -t filter -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -d $integration_ip --dport 22 -j ACCEPT
iptables -t filter -A FORWARD -s $integration_ip -p tcp --sport 22 -j ACCEPT