#!/bin/sh

@%@UCRWARNING=# @%@

#
# Copyright 2007-2022 Univention GmbH
#
# https://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.

@!@
from univention.config_registry.interfaces import Interfaces
if configRegistry.is_true('squid/transparentproxy', False):
	squidport = configRegistry.get('squid/httpport', '3128')
	interfaces = Interfaces(configRegistry)
	local_addresses = [iface.ipv4_address() for _name, iface in interfaces.ipv4_interfaces]

	# allow outgoing traffic coming from proxy server
	print('iptables --wait -t nat -A OUTPUT -p tcp -m owner --uid-owner proxy -m tcp --dport 80 -j ACCEPT')
	print('iptables --wait -t nat -A OUTPUT -p tcp -m owner --uid-owner proxy -m tcp --dport 443 -j ACCEPT')

	# redirect packages forwarded for other clients, but allow access to local addresses
	for port in configRegistry.get('squid/webports', '80 443 21').split(" "):
		for address in local_addresses:
			print('iptables --wait -t nat -A PREROUTING -d %s -p tcp -m tcp --dport %s -j ACCEPT' % (address, port))
		print('iptables --wait -t nat -A PREROUTING -p tcp -m tcp --dport %s -j REDIRECT --to-ports %s' % (port, squidport))
	
	# redirect locally created packages
	for port in configRegistry.get('squid/webports', '80 443 21').split(" "):
		print('iptables --wait -t nat -A OUTPUT -p tcp -m tcp --dport %s -j REDIRECT --to-ports %s' % (port, squidport))
@!@
