[Unit]
Description=portspoof asyncio honeypot
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/python3 -m portspoof_py \
    -s /etc/portspoof/portspoof_signatures \
    -c /etc/portspoof/portspoof.conf \
    -l /var/log/portspoof/portspoof.jsonl \
    --exclude 22 \
    --admin-port 8080
User=root
TimeoutStopSec=30
KillMode=mixed
# Emergency cleanup if SIGKILL'd before graceful shutdown.
# Must mirror the exact rules added by add_rules() in iptables.py,
# including any --admin-port exempt rule (adjust ports if changed above).
ExecStopPost=/usr/sbin/iptables -t nat -D PREROUTING -p tcp --dport 22   -j RETURN
ExecStopPost=/usr/sbin/iptables -t nat -D PREROUTING -p tcp --dport 8080 -j RETURN
ExecStopPost=/usr/sbin/iptables -t nat -D PREROUTING -p tcp --dport 4444 -j RETURN
ExecStopPost=/usr/sbin/iptables -t nat -D PREROUTING -p tcp -j REDIRECT --to-port 4444
ExecStopPost=/usr/sbin/iptables -t nat -D OUTPUT -p tcp -d 127.0.0.0/8 --dport 22   -j RETURN
ExecStopPost=/usr/sbin/iptables -t nat -D OUTPUT -p tcp -d 127.0.0.0/8 --dport 8080 -j RETURN
ExecStopPost=/usr/sbin/iptables -t nat -D OUTPUT -p tcp -d 127.0.0.0/8 --dport 4444 -j RETURN
ExecStopPost=/usr/sbin/iptables -t nat -D OUTPUT -p tcp -d 127.0.0.0/8 -j REDIRECT --to-port 4444
Restart=on-failure
NoNewPrivileges=yes
ReadWritePaths=/var/log/portspoof

[Install]
WantedBy=multi-user.target