From b86c430df085f28712d03ea2bd9622e5925fb5c4 Mon Sep 17 00:00:00 2001
From: Sergey Shilov <31342446+sergey-shilov@users.noreply.github.com>
Date: Mon, 15 Jan 2018 21:21:58 +0300
Subject: [PATCH] INDY-1087: re-organise indy iptables scripts for ease of use. (#523)
* INDY-1087: re-organise indy iptables scripts for ease of use.
Signed-off-by: Sergey Shilov
* Add setup iptables instruction to start-nodes.md
Signed-off-by: Sergey Shilov
---
build-scripts/ubuntu-1604/postinst_node | 4 +--
docs/start-nodes.md | 33 ++++++++++++++++++++++++-
scripts/setup_indy_node_iptables | 25 +++++++------------
scripts/setup_iptables | 21 ++++++++++++++++
setup.py | 1 +
5 files changed, 64 insertions(+), 20 deletions(-)
create mode 100755 scripts/setup_iptables
diff --git a/build-scripts/ubuntu-1604/postinst_node b/build-scripts/ubuntu-1604/postinst_node
index ab663b839..a06c361c6 100755
--- a/build-scripts/ubuntu-1604/postinst_node
+++ b/build-scripts/ubuntu-1604/postinst_node
@@ -65,15 +65,13 @@ fi
 echo "NODE_NAME=\$1" > $GENERAL_CONFIG_DIR/indy.env
 echo "NODE_PORT=\$2" >> $GENERAL_CONFIG_DIR/indy.env
 echo "NODE_CLIENT_PORT=\$3" >> $GENERAL_CONFIG_DIR/indy.env
+echo "CLIENT_CONNECTIONS_LIMIT=$CLIENT_CONNECTIONS_LIMIT" >> $GENERAL_CONFIG_DIR/indy.env
 if [ -z \$4 ]; then
 init_indy_keys --name \$1
 else
 init_indy_keys --name \$1 --seed \$4
 fi
-
-/usr/local/bin/setup_indy_node_iptables \$3 $CLIENT_CONNECTIONS_LIMIT
-
 EOF
 chmod +x /usr/local/bin/init_indy_node
diff --git a/docs/start-nodes.md b/docs/start-nodes.md
index 1c0458d79..edb96e607 100644
--- a/docs/start-nodes.md
+++ b/docs/start-nodes.md
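Review bot: The added `echo "CLIENT_CONNECTIONS_LIMIT=$CLIENT_CONNECTIONS_LIMIT"` line bakes the postinst-time value into indy.env, and nothing in the hunk checks that the variable is non-empty; if it is unset the generated file carries `CLIENT_CONNECTIONS_LIMIT=` and the new setup_indy_node_iptables wrapper then calls setup_iptables with a single argument and fails with its generic usage error. A guard before the heredoc such as `: "${CLIENT_CONNECTIONS_LIMIT:?CLIENT_CONNECTIONS_LIMIT must be set}"` would fail the package install loudly instead. Since indy.env is now `source`d as shell by the wrapper (typically as root, per the docs hunk), the file written here needs to stay root-owned and not writable by others; a comment such as `# indy.env is sourced by setup_indy_node_iptables, so its contents are executed as shell` would record that. The heredoc these lines belong to starts outside the hunk, and where CLIENT_CONNECTIONS_LIMIT is assigned is not visible here.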
@@ -32,6 +32,7 @@ In order to run your own Network, you need to do the following for each Node:
 - The file must be named as `domain_transactions_genesis`
 - The file contains initial NYM transactions (for example, Trustees, Stewards, etc.)
 - File must be located in ```/var/lib/indy/{network_name}``` folder
+ - configure iptables to limit the number of simultaneous clients connections (recommended)
 ## Scripts for Initialization
@@ -39,13 +40,22 @@ There are a number of scripts which can help in generation of keys and running a
 #### Generating keys
+###### For deb installation
+The following script should be used to generate both ed25519 and BLS keys for a node named `Alpha` with node port `9701` and client port `9702`
+```
+init_indy_node Alpha 9701 9702 [--seed 111111111111111111111111111Alpha]
+```
+Also this script generates indy-node environment file needed for systemd service config and indy-node iptables setup script.
+
+###### For pip installation
 The following script can generate both ed25519 and BLS keys for a node named `Alpha`
 ```
 init_indy_keys --name Alpha [--seed 111111111111111111111111111Alpha] [--force]
 ```
+
 Note: Seed can be any randomly chosen 32 byte value. It does not have to be in the format 11..
-Please not that this script must be called *after* CURRENT_NETWORK is set in config (see above).
+Please note that these scripts must be called *after* CURRENT_NETWORK is set in config (see above).
 #### Generating keys and test genesis transaction files for a test network
@@ -63,6 +73,27 @@ There is a script that can generate keys and corresponding test genesis files to
 We can run the script multiple times for different networks.
+#### Setup iptables (recommended)
+
+###### For deb installation
+To setup the limit of the number of simultaneous clients connections it is enough to run the following script without parameters
+```
+setup_indy_node_iptables
+```
+This script gets client port and recommended connections limit from the indy-node environment file.
+
+NOTE: this script should be called *after* `init_indy_node` script.
+
+###### For pip installation
+The `setup_indy_node_iptables` script can not be used in case of pip installation as indy-node environment file does not exist,
+use the `setup_iptables` script instead (9702 is a client port, 15360 is recommended limit for now)
+```
+setup_iptables 9702 15360
+```
+In fact, the `setup_indy_node_iptables` script is just a wrapper for the `setup_iptables` script.
+
+NOTE: you should be a root to operate with iptables.
+
 #### Running Node
 The following script will start a Node process which can communicate with other Nodes and Clients
diff --git a/scripts/setup_indy_node_iptables b/scripts/setup_indy_node_iptables
index 4d9169f6d..500f194ee 100755
--- a/scripts/setup_indy_node_iptables
+++ b/scripts/setup_indy_node_iptables
@@ -1,21 +1,14 @@
 #!/bin/bash
-if [ $# -lt 2 ]; then
- echo ""
- echo "Usage: $0 client_port connlimit";
- echo " client_port - node client port";
- echo " connlimit - clients connections limit";
- echo ""
- exit 1;
-fi
+GENERAL_CONFIG_DIR="/etc/indy"
+
+ENVFILE=$GENERAL_CONFIG_DIR/indy.env
-# Check whether iptables installed and works
-dpkg -s iptables 2>/dev/null 1>&2 && iptables -L 2>/dev/null 1>&2
-if [ $? -eq 0 ]; then
- # Add iptables rule to limit the number of simultaneous clients connections
- iptables -I INPUT -p tcp --syn --dport $1 \\
- -m connlimit --connlimit-above $2 --connlimit-mask 0 \\
- -j REJECT --reject-with tcp-reset
+if [ -f $ENVFILE ]; then
+ source $ENVFILE
 else
- echo "Warning: iptables is not installed or permission denied, clients connections limit is not set."
+ echo "Indy-node environment file does not exist ($ENVFILE), run init_indy_node first."
+ exit 1
 fi
+
+/usr/local/bin/setup_iptables $NODE_CLIENT_PORT $CLIENT_CONNECTIONS_LIMIT
diff --git a/scripts/setup_iptables b/scripts/setup_iptables
new file mode 100755
index 000000000..4d9169f6d
--- /dev/null
+++ b/scripts/setup_iptables
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ $# -lt 2 ]; then
+ echo ""
+ echo "Usage: $0 client_port connlimit";
+ echo " client_port - node client port";
+ echo " connlimit - clients connections limit";
+ echo ""
+ exit 1;
+fi
+
+# Check whether iptables installed and works
+dpkg -s iptables 2>/dev/null 1>&2 && iptables -L 2>/dev/null 1>&2
+if [ $? -eq 0 ]; then
+ # Add iptables rule to limit the number of simultaneous clients connections
+ iptables -I INPUT -p tcp --syn --dport $1 \\
+ -m connlimit --connlimit-above $2 --connlimit-mask 0 \\
+ -j REJECT --reject-with tcp-reset
+else
+ echo "Warning: iptables is not installed or permission denied, clients connections limit is not set."
+fi
diff --git a/setup.py b/setup.py
index 71c22ac8c..d9cfaae99 100644
--- a/setup.py
+++ b/setup.py
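Review bot: After `source $ENVFILE` nothing checks that `NODE_CLIENT_PORT` and `CLIENT_CONNECTIONS_LIMIT` were actually defined, so with a stale or partially written indy.env the last line expands to fewer than two arguments and setup_iptables fails with its generic usage message; `: "${NODE_CLIENT_PORT:?not set in $ENVFILE}"` and the same for `CLIENT_CONNECTIONS_LIMIT` give a precise error instead. Every expansion in the new code (`$ENVFILE` in the test and the `source`, both arguments on the last line) is unquoted, and sourcing executes the env file as shell with the caller's privileges (root, per the docs hunk), so the file's ownership and mode are part of the contract and deserve a comment. The missing-file message is written to stdout rather than stderr, which mixes it with normal output when the wrapper is driven from another script. A rewrite that quotes, validates and documents these points is below.
```bash
#!/bin/bash
set -eu
GENERAL_CONFIG_DIR="/etc/indy"
ENVFILE="$GENERAL_CONFIG_DIR/indy.env"
if [ ! -f "$ENVFILE" ]; then
  echo "Indy-node environment file does not exist ($ENVFILE), run init_indy_node first." >&2
  exit 1
fi
# indy.env is executed as shell here, so only a root-owned, non-world-writable file should ever be sourced.
# shellcheck disable=SC1090
. "$ENVFILE"
: "${NODE_CLIENT_PORT:?NODE_CLIENT_PORT is not set in $ENVFILE}"
: "${CLIENT_CONNECTIONS_LIMIT:?CLIENT_CONNECTIONS_LIMIT is not set in $ENVFILE}"
exec /usr/local/bin/setup_iptables "$NODE_CLIENT_PORT" "$CLIENT_CONNECTIONS_LIMIT"
```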
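Review bot: `$1` and `$2` are passed straight into the `iptables -I` rule without checking that they are numeric, and the rule is inserted unconditionally, so a stray argument yields an iptables error while every repeated run stacks another identical rule; validating both arguments as positive integers (port within 1..65535) and probing with `iptables -C` before `-I` makes the script safe to re-run. The iptables-missing branch prints its warning to stdout and exits 0, so a caller (including the new setup_indy_node_iptables wrapper, whose exit status is this script's) cannot tell that no limit was applied; `>&2` plus a non-zero exit would surface it. The `dpkg -s iptables` probe ties the script to dpkg-based systems although the docs hunk describes it for pip installations too, and `command -v iptables` is the portable check. The continuation lines end in `\\` as rendered here; if the blob really contains a doubled backslash, bash passes a literal `\` to iptables and runs the `-m connlimit ...` line as a separate command, so this is worth confirming. A header comment stating that `--connlimit-mask 0` caps connections aggregated over all source addresses rather than per client, and that the rule is not persisted across reboots unless something else saves it, would help operators.
```bash
#!/bin/bash
# … unchanged: usage check on $# …
port=$1
limit=$2
for v in "$port" "$limit"; do
  case "$v" in
    ''|*[!0-9]*) echo "client_port and connlimit must be positive integers" >&2; exit 1 ;;
  esac
done
if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
  echo "client_port must be in 1..65535" >&2
  exit 1
fi
if ! command -v iptables >/dev/null 2>&1 || ! iptables -L -n >/dev/null 2>&1; then
  echo "Warning: iptables is not installed or permission denied, clients connections limit is not set." >&2
  exit 1
fi
# Aggregate limit over all source addresses (mask 0); insert only when the rule is not already present.
rule=(INPUT -p tcp --syn --dport "$port" -m connlimit --connlimit-above "$limit" --connlimit-mask 0 -j REJECT --reject-with tcp-reset)
iptables -C "${rule[@]}" 2>/dev/null || iptables -I "${rule[@]}"
```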
@@ -95,5 +95,6 @@
 'scripts/enable_bls',
 'scripts/create_dirs.sh',
 'scripts/indy_old_cli_export_dids',
+ 'scripts/setup_iptables',
 'scripts/setup_indy_node_iptables']
 )