#!/bin/bash
# I, Ian Kelling, follow the GNU license recommendations at
# https://www.gnu.org/licenses/license-recommendations.en.html. They
# recommend that small programs, < 300 lines, be licensed under the
# Apache License 2.0. This file contains or is part of one or more small
# programs. If a small program grows beyond 300 lines, I plan to switch
# its license to GPL.

# Copyright 2024 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR

# This prevents exim from connecting out to an ip not through the vpn.
# Before this, I had set exim to be BindsTo=wg-quick@wgmail, which
# generally made sure it wouldn't run unless the vpn ran, and plus I set
# a specific interface in the main remote smtp transport. However,
# However, that wasn't bulletproof, exim spec says about "interface: The
# first interface of the correct type (IPv4 or IPv6) is used for the
# outgoing connection. If none of them are the correct type, the option
# is ignored." And then I found out that the BindsTo results in exim
# never starting if the vpn fails to start the first time, then starts
# on the systemd automatic restart. Ugh. So, better to use Wants instead
# and this.

if ! /usr/sbin/iptables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
 /usr/sbin/iptables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
fi


if ! /usr/sbin/ip6tables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
 /usr/sbin/ip6tables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
fi