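#!/bin/sh
#
# zapret init script: install the ipset/iptables rules for the selected ISP
# profile and start the matching helper daemon (nfqws or tpws); "stop" removes
# the rules again and terminates the daemon.
#
# Usage: /etc/init.d/zapret {start|stop}
#
# For systemd :
#   install : /usr/lib/lsb/install_initd zapret
#   remove  : /usr/lib/lsb/remove_initd zapret
### BEGIN INIT INFO
# Provides:          zapret
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
ISP=mns
#ISP=rt
#ISP=beeline
#ISP=domru
#ISP=tiera
#ISP=athome
# If ISP is unlisted then uncomment "custom"
# Find out what works for your ISP and modify "# PLACEHOLDER" parts of this script
#ISP=custom

# CHOOSE NETWORK INTERFACE BEHIND NAT
SLAVE_ETH=eth0

IPSET_CR=/opt/zapret/ipset/create_ipset.sh
NAME=zapret
DESC=anti-zapret
QNUM=200              # NFQUEUE number shared by the iptables rules and nfqws
TPPORT=1188           # local port tpws listens on (bound to 127.0.0.1 only)
ROUTE_TABLE_NUM=100   # not used by the built-in profiles; kept for "custom"
NFQWS=/opt/zapret/nfq/nfqws
TPWS=/opt/zapret/tpws/tpws
TPWS_USER=tpws        # unprivileged account tpws drops to; its own traffic is excluded from DNAT
PIDFILE=/var/run/$NAME.pid

# Abort on the first failing command. The helpers below deliberately tolerate
# "rule already present" / "rule absent" so that repeated start/stop is safe.
set -e

#######################################
# ipt_add TABLE CHAIN RULE...
# Insert RULE at the head of CHAIN unless an identical rule already exists,
# so that running "start" twice does not stack duplicate rules.
#######################################
ipt_add() {
  _table=$1
  _chain=$2
  shift 2
  iptables -t "$_table" -C "$_chain" "$@" 2>/dev/null ||
    iptables -t "$_table" -I "$_chain" "$@"
}

#######################################
# ipt_del TABLE CHAIN RULE...
# Delete RULE if it is present. A missing rule is not an error: with "set -e"
# a failing "iptables -D" would abort "stop" before the daemon is stopped and
# leave it running with its rules only half removed.
#######################################
ipt_del() {
  _table=$1
  _chain=$2
  shift 2
  if iptables -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
    iptables -t "$_table" -D "$_chain" "$@"
  fi
}

#######################################
# Rule sets. Each takes ACTION = add | del and applies it through ipt_add /
# ipt_del, so "start" and "stop" always address exactly the same rules.
#######################################

# mns, rt: hand inbound SYN,ACK from port 80 of ipset members to nfqws.
# --queue-bypass accepts the packet unmodified when nothing listens on the
# queue, i.e. the setup fails open (plain traffic) if nfqws is not running.
rules_nfq_raw() {
  "ipt_$1" raw PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK \
    -m set --match-set zapret src \
    -j NFQUEUE --queue-num "$QNUM" --queue-bypass
}

# beeline: hand outbound HTTP to ipset members to nfqws (same fail-open note).
rules_nfq_mangle() {
  "ipt_$1" mangle POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst \
    -j NFQUEUE --queue-num "$QNUM" --queue-bypass
}

# domru, tiera, athome: transparently redirect HTTP to ipset members into tpws
# on 127.0.0.1:$TPPORT, both for forwarded LAN traffic (PREROUTING, only from
# SLAVE_ETH) and for the router's own traffic (OUTPUT). The owner match keeps
# tpws's own outgoing connections out of the redirect; without it they would
# loop back into tpws.
rules_tpws() {
  "ipt_$1" nat PREROUTING -p tcp --dport 80 -i "$SLAVE_ETH" \
    -m set --match-set zapret dst -j DNAT --to "127.0.0.1:$TPPORT"
  "ipt_$1" nat OUTPUT -p tcp --dport 80 -m owner ! --uid-owner "$TPWS_USER" \
    -m set --match-set zapret dst -j DNAT --to "127.0.0.1:$TPPORT"
}

# domru: BLOCK SPOOFED DNS FROM DOMRU — drop UDP replies from port 53 that
# carry these byte patterns inside the payload window. The signatures are
# carried over from the original profile; revisit them if legitimate answers
# start getting dropped.
rules_domru_dns() {
  "ipt_$1" raw PREROUTING -p udp --sport 53 \
    -m string --hex-string "|05030311|" --algo bm -j DROP --from 40 --to 300
  "ipt_$1" raw PREROUTING -p udp --sport 53 \
    -m string --hex-string "|2a022698a00200010000000000030017|" --algo bm \
    -j DROP --from 40 --to 300
}

#######################################
# tpws_prepare: environment for the tpws profiles.
# - create the unprivileged service account tpws runs as (skipped when it
#   already exists, so a second "start" does not depend on adduser's exit
#   status for an existing user)
# - route_localnet=1 is needed for DNAT to 127.0.0.1 to work for packets
#   arriving on SLAVE_ETH. NOTE(review): this also makes 127.0.0.0/8 routable
#   on that interface in general; only port-80 traffic to ipset members is
#   redirected here, so consider a filter rule that rejects any other traffic
#   addressed to 127.0.0.0/8 that arrives on SLAVE_ETH.
#######################################
tpws_prepare() {
  getent passwd "$TPWS_USER" >/dev/null ||
    adduser --disabled-login --no-create-home --system --quiet "$TPWS_USER"
  sysctl -w "net.ipv4.conf.$SLAVE_ETH.route_localnet=1"
}

# tpws_cleanup: undo the sysctl change made by tpws_prepare.
tpws_cleanup() {
  sysctl -w "net.ipv4.conf.$SLAVE_ETH.route_localnet=0"
}

case "$1" in
  start)
    echo "Creating ipset"
    "$IPSET_CR"
    echo "Adding iptables rule"
    case "${ISP}" in
      mns)
        rules_nfq_raw add
        DAEMON=$NFQWS
        DAEMON_OPTS="--qnum=$QNUM --wsize=3"
        ;;
      rt)
        rules_nfq_raw add
        DAEMON=$NFQWS
        DAEMON_OPTS="--qnum=$QNUM --wsize=20"
        ;;
      beeline)
        rules_nfq_mangle add
        DAEMON=$NFQWS
        DAEMON_OPTS="--qnum=$QNUM --hostspell=HOST"
        ;;
      domru)
        tpws_prepare
        rules_tpws add
        rules_domru_dns add
        DAEMON=$TPWS
        DAEMON_OPTS="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
        ;;
      tiera)
        tpws_prepare
        rules_tpws add
        DAEMON=$TPWS
        DAEMON_OPTS="--port=$TPPORT --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
        ;;
      athome)
        tpws_prepare
        rules_tpws add
        DAEMON=$TPWS
        DAEMON_OPTS="--port=$TPPORT --split-http-req=method --user=$TPWS_USER --bind-addr=127.0.0.1"
        ;;
      custom)
        # PLACEHOLDER
        echo "!!! NEED ATTENTION !!!"
        echo "Select daemon and options that work for you"
        echo "(optional) Prepare environment for running daemon"
        echo "Configure iptables for required actions"
        echo "Study how other sections work"
        DAEMON=/bin/sleep
        DAEMON_OPTS=20
        ;;
      *)
        # A typo in ISP used to fall through with an empty DAEMON and hand
        # start-stop-daemon a bare --exec; fail loudly instead.
        echo "Unknown ISP '$ISP'; edit the ISP= line in this script" >&2
        exit 1
        ;;
    esac
    printf '%s' "Starting $DESC: "
    # DAEMON_OPTS is a whitespace-separated option list and is split on purpose.
    # shellcheck disable=SC2086
    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --background --make-pidfile \
      --exec "$DAEMON" -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo "Deleting iptables rule"
    case "${ISP}" in
      mns|rt)
        rules_nfq_raw del
        DAEMON=$NFQWS
        ;;
      beeline)
        rules_nfq_mangle del
        DAEMON=$NFQWS
        ;;
      domru)
        tpws_cleanup
        rules_tpws del
        rules_domru_dns del
        DAEMON=$TPWS
        ;;
      tiera|athome)
        tpws_cleanup
        rules_tpws del
        DAEMON=$TPWS
        ;;
      custom)
        # PLACEHOLDER
        echo "!!! NEED ATTENTION !!!"
        echo "Clear firewall rules here. Remove iptables changes made previously."
        echo "Select which daemon to stop."
        echo "Study how other sections work"
        # Must name the same daemon the "custom" start section launched;
        # previously DAEMON was left unset here and --exec got no argument.
        DAEMON=/bin/sleep
        ;;
      *)
        echo "Unknown ISP '$ISP'; edit the ISP= line in this script" >&2
        exit 1
        ;;
    esac
    printf '%s' "Stopping $DESC: "
    start-stop-daemon --oknodo --stop --quiet --pidfile "$PIDFILE" \
      --exec "$DAEMON"
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop}" >&2
    exit 1
    ;;
esac

exit 0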