description	"zapret"

start on runlevel [2345]
stop on runlevel [!2345]

# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
env ISP=mns
#env ISP=rt
#env ISP=beeline
#env ISP=domru
#env ISP=tiera
#env ISP=athome

# If ISP is unlisted then uncomment "custom"
# Find out what works for your ISP and modify "# PLACEHOLDER" parts of this script
#env ISP=custom

# CHOSE NETWORK INTERFACE BEHIND NAT
env SLAVE_ETH=eth1


env QNUM=200
env TPPORT=1188
env ROUTE_TABLE_NUM=100
env NFQWS=/opt/zapret/nfq/nfqws
env TPWS=/opt/zapret/tpws/tpws
env TPWS_USER=tpws

pre-start script
	/opt/zapret/ipset/create_ipset.sh

	case "${ISP}" in
	    mns|rt)
		iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass ||
		 iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    beeline)
		iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass ||
		 iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    domru)
		adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
		iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
		 iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
		 iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		# BLOCK SPOOFED DNS FROM DOMRU
		iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300 ||
		 iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300
		iptables -t raw -C PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300 ||
		 iptables -t raw -I PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300
 		;;
	    tiera|athome)
		adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
		iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
		 iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
		 iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		;;
	    custom)
		# PLACEHOLDER
		echo !!! NEED ATTENTION !!!
		echo \(optional\) Prepare environment for running daemon
		echo Configure iptables for required actions
		echo Study how other sections work
		;;
	esac
end script

script
	case "${ISP}" in
	    mns)
		NFEXE=$NFQWS
		NFARG="--qnum $QNUM --wsize=3"
		;;
	    rt)
		NFEXE=$NFQWS
		NFARG="--qnum $QNUM --wsize=20"
		;;
	    beeline)
		NFEXE=$NFQWS
		NFARG="--qnum $QNUM --hostspell=HOST"
		;;
	    domru)
		NFEXE=$TPWS
		NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
		;;
	    tiera)
		NFEXE=$TPWS
		NFARG="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
		;;
	    athome)
		NFEXE=$TPWS
		NFARG="--port=$TPPORT --split-http-req=method --user=$TPWS_USER --bind-addr=127.0.0.1"
		;;
	    custom)
		# PLACEHOLDER
		echo !!! NEED ATTENTION !!!
		echo Select which daemon and what options work for you
		echo Study how other sections work
		NFEXE=/bin/sleep
		NFARG=20
		;;
	esac
	$NFEXE $NFARG
	[ -n "$NFEXE" ] && $NFEXE $NFARG
end script

pre-stop script
	case "${ISP}" in
	    mns|rt)
		iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    beeline)
		iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    domru)
		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
		iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300
		iptables -t raw -D PREROUTING -p udp --sport 53 -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm -j DROP --from 40 --to 300
		;;
	    tiera|athome)
		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
		iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		;;
	    custom)
		# PLACEHOLDER
		echo !!! NEED ATTENTION !!!
		echo Clear firewall rules here. Remove iptables changes made previously.
		echo Study how other sections work
		;;
	esac
end script