description	"zapret"

start on runlevel [2345]
stop on runlevel [!2345]

# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
env ISP=mns
#env ISP=rt
#env ISP=beeline
#env ISP=domru

# CHOSE NETWORK INTERFACE BEHIND NAT
env SLAVE_ETH=eth1


env QNUM=200
env TPPORT=1188
env ROUTE_TABLE_NUM=100
env NFQWS=/opt/zapret/nfq/nfqws
env TPWS=/opt/zapret/tpws/tpws
env TPWS_USER=tpws

pre-start script
	/opt/zapret/ipset/create_ipset.sh

	case "${ISP}" in
	    mns|rt)
		iptables -t raw -C PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass ||
		 iptables -t raw -I PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    beeline)
		iptables -t mangle -C POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass ||
		 iptables -t mangle -I POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    domru)
		adduser --disabled-login --no-create-home --system --quiet $TPWS_USER
		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
		iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
		 iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
		 iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		;;
	esac
end script

script
	case "${ISP}" in
	    mns)
		NFEXE=$NFQWS
		NFARG="--qnum $QNUM --wsize=4"
		;;
	    rt)
		NFEXE=$NFQWS
		NFARG="--qnum $QNUM --wsize=20"
		;;
	    beeline)
		NFEXE=$NFQWS
		NFARG="--qnum $QNUM --hostcase"
		;;
	    domru)
		NFEXE=$TPWS
		NFARG="--port=$TPPORT --hostcase --split-http-req=host --user=$TPWS_USER --bind-addr=127.0.0.1"
		;;
	esac
	$NFEXE $NFARG
end script

pre-stop script
	case "${ISP}" in
	    mns|rt)
		iptables -t raw -D PREROUTING -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    beeline)
		iptables -t mangle -D POSTROUTING -p tcp --dport 80 -m set --match-set zapret dst -j NFQUEUE --queue-num $QNUM --queue-bypass
		;;
	    domru)
		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
		iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		;;
	esac
end script