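#!/usr/bin/env bash
#
# Given a chain, an IPv4 address/network and an interface, insert an ACCEPT
# rule for that source into the chain as the next-to-last rule, i.e. just
# in front of the trailing catch-all DROP. For instance, given chain
# "hosts_allow":
#
# iptables -nL hosts_allow:
# Chain hosts_allow (1 references)
# target prot opt source destination
# ACCEPT all -- 1.2.3.4/28 0.0.0.0/0
# ACCEPT all -- 4.3.2.1/26 0.0.0.0/0
# ACCEPT all -- 5.6.7.8/27 0.0.0.0/0
# ACCEPT all -- 8.7.6.5/24 0.0.0.0/0
# ACCEPT all -- 2.4.6.8/24 0.0.0.0/0
# DROP all -- 0.0.0.0/0 0.0.0.0/0
#
# example: ./insert_iptable_ip.sh hosts_allow 1.3.5.7/32 eth0
#
# Exit status: 0 on success (also when an identical rule is already
# present), 1 when not run as root, 2 on bad arguments, 3 when the chain
# does not exist, otherwise the status of the failing iptables command.
#
# SPDX-License-Identifier: MIT

set -euo pipefail

# Print a diagnostic to stderr and exit; $1 is the message, $2 the status.
die() {
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}

if [ "$(id -u)" -ne 0 ]; then
  die "Must be root, exiting." 1
fi

if [ $# -ne 3 ]; then
  printf 'Usage: %s <chain> <ip/nm> <interface>\n' "$0" >&2
  printf 'Example: %s hosts_allow 1.3.5.7/32 eth0\n' "$0" >&2
  exit 2
fi

T_CHAIN=$1
T_IP=$2
T_INT=$3

# Accept only a dotted-quad IPv4 address with an optional /prefix or
# /dotted-quad netmask. Anything else would be handed to iptables -s as a
# hostname and resolved at insert time (possibly to several addresses, and
# under the control of whoever answers the lookup), which an allow-list
# script must not do silently.
ipv4='[0-9]{1,3}(\.[0-9]{1,3}){3}'
if ! [[ "$T_IP" =~ ^${ipv4}(/([0-9]|[12][0-9]|3[0-2]|${ipv4}))?$ ]]; then
  die "Not an IPv4 address or network: ${T_IP}" 2
fi

# Make sure the chain exists before deriving a rule number from its listing;
# a typo in the chain name must not turn into arithmetic on an empty output.
# -w waits for the xtables lock instead of failing if another iptables
# process is running.
if ! iptables -w -S "$T_CHAIN" >/dev/null 2>&1; then
  die "Chain ${T_CHAIN} does not exist" 3
fi

# Do not add the same rule twice: -C exits 0 if an identical rule is present.
if iptables -w -C "$T_CHAIN" -i "$T_INT" -s "$T_IP" -j ACCEPT 2>/dev/null; then
  printf 'Rule for %s on %s already present in %s\n' "$T_IP" "$T_INT" "$T_CHAIN"
  exit 0
fi

# Collect the rules currently in the chain. Each rule is one "-A <chain> ..."
# line of the -S output (the leading "-N"/"-P" line describes the chain
# itself), so this does not depend on the header layout of "iptables -nL".
mapfile -t RULES < <(iptables -w -S "$T_CHAIN" | grep '^-A ')
RULE_COUNT=${#RULES[@]}

if [ "$RULE_COUNT" -eq 0 ]; then
  # Empty chain: there is no final DROP to stay in front of, so just append.
  iptables -w -A "$T_CHAIN" -i "$T_INT" -s "$T_IP" -j ACCEPT
else
  # The whole point is to stay above a trailing catch-all DROP; warn if the
  # chain does not end that way so the operator can check the ordering.
  LAST_RULE=${RULES[RULE_COUNT-1]}
  case "$LAST_RULE" in
    *" -j DROP"*) ;;
    *) printf 'Warning: last rule of %s is not a DROP: %s\n' \
         "$T_CHAIN" "$LAST_RULE" >&2 ;;
  esac
  # Rule numbers are 1-based, so inserting at RULE_COUNT takes the slot of
  # the current last rule and pushes that rule down one.
  # NOTE: the listing and the insert are two separate iptables calls; -w
  # serialises them against the xtables lock but does not make them atomic,
  # so a concurrent change to the chain in between can still shift the slot.
  iptables -w -I "$T_CHAIN" "$RULE_COUNT" -i "$T_INT" -s "$T_IP" -j ACCEPT
fi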