#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
#    Copyright (C) 2009 - 2010  Brielle Bruns
#    Copyright (C) 2009 - 2010  The Summit Open Source Development Group
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.


# display_c $COLOR $TEXT BOOL(YN)
# $COLOR being bash colors
# $TEXT being what to output (make sure to put " " around text)
# BOOL being (Y or N) to do newline at end or not
function display_c {
	unset COLOR_CODE TEXT NEWLINE
	DEFAULT_COLOR="\E[39m"
	COLOR_CODE=`pick_color $1`
	TEXT="$2"
	if [ "$3" == "N" ]; then
		NEWLINE="-n"
	fi
	echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR"
}


# display_m $COLOR(IGNORED) $TEXT BOOL(YN)
# Non-color version of display_c
function display_m {
	unset TEXT NEWLINE
	TEXT="$2"
	if [ "$3" == "N" ]; then
		NEWLINE="-n"
	fi
	echo -e $NEWLINE "$TEXT"
}

# pick_color $COLOR
# returns appropriate color codes for use in display_c and such
function pick_color {
	case $1 in
		BLUE) COLOR="\E[34m" ;;
		GREEN) COLOR="\E[32m" ;;
		RED) COLOR="\E[31m" ;;
		YELLOW) COLOR="\E[33m" ;;
		PURPLE) COLOR="\E[35m" ;;
		AQUA) COLOR="\E[36m" ;;
		WHITE) COLOR="\E[1m" ;;
		GREY) COLOR="\E[37m" ;;
		*) COLOR="\E[37m" ;;
	esac
	echo "$COLOR"
}

# reset_color
function reset_color {
	unset NEWLINE
	DEFAULT_COLOR="\E[39m"
	if [ "$1" == "N" ]; then
		NEWLINE="-n"
	fi
	echo $NEWLINE -e "$DEFAULT_COLOR"
}

# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network.  Best way to be safe, is to
# call iptables_policy_reset first then this function.
function iptables_rules_flush {
	IP_VERSION=$1
	case $IP_VERSION in
		ipv6) VER_IPTABLES=$IP6TABLES ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
		ipv4|*) VER_IPTABLES=$IPTABLES ; TABLE_NAMES=/proc/net/ip_tables_names ;;
	esac
	display_c RED "Flushing ${IP_VERSION} rules..."
	$VER_IPTABLES --flush &>/dev/null
	$VER_IPTABLES -F OUTPUT &>/dev/null
	$VER_IPTABLES -F PREROUTING &>/dev/null
	$VER_IPTABLES -F POSTROUTING &>/dev/null
	for i in `cat $TABLE_NAMES`; do
		$VER_IPTABLES -F -t $i &>/dev/null
	done
	#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
	#	$VER_IPTABLES -F -t nat &>/dev/null
	#fi
	#$VER_IPTABLES -F -t raw &>/dev/null
}

# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
function iptables_policy_reset {
	IP_VERSION=$1
	SET_POLICY=${2=ACCEPT}
	case $IP_VERSION in
		ipv6) VER_IPTABLES=$IP6TABLES ;;
		ipv4|*) VER_IPTABLES=$IPTABLES ;;
	esac
	display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
	$VER_IPTABLES --policy INPUT $SET_POLICY
	$VER_IPTABLES --policy OUTPUT $SET_POLICY
	$VER_IPTABLES --policy FORWARD $SET_POLICY
}

# show_help
# Show command line options help
function show_help {
	 echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>"
 	 echo -e "\t--help\t\tShows this info"
 	 echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
 	 echo -e "\t--generate-cache\tGenerate cached rule file"
 }
 
 
 
# apply_ipv4_hack $HACKS
function apply_ipv4_hack {
	display_c YELLOW "Applying IPv4 hack/fix:" N
	while [ $# -gt 0 ]; do
		case "$1" in
		NS-IN-DDOS)
			# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
			# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
			display_c PURPLE " ./NS/IN-DDOS-FIX" N
			if `$MODPROBE --quiet $MOD_U32 &>/dev/null`; then
				$IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \
				"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
			else
				display_c RED "\nError: could not load $MOD_U32 module into the kernel.  Not using fix."
			fi
		;;
		MULTI-NIC-ARP-LOCK)
			# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
			#						do not actually have the IP in question.  In some (alot in my case),
			#						I have things going through specific wires for a reason.  This fixes
			#						that and makes it behave as expected.
			display_c PURPLE " MULTI-NIC-ARP-LOCK" N
			for i in default all; do
				if [ -w ${PROC_NET_IPV4}/$i/arp_ignore ]; then
					echo "1" > ${PROC_NET_IPV4}/$i/arp_ignore
				else
					display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_ignore"
				fi
				if [ -w ${PROC_NET_IPV4}/$i/arp_announce ]; then
					echo "2" > ${PROC_NET_IPV4}/$i/arp_announce
				else
					display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_announce"
				fi
			done
		;;
		esac
		shift
	done
	echo -en "\n"
}

# write_out_rules(_v6)
function write_out_rules {
	echo "$*" >> "$RULE_CACHE"
}
function write_out_rules_v6 {
	echo "$*" >> "$RULE_CACHE_V6"
}