#!/bin/sh
# For systemd :
#  install : /usr/lib/lsb/install_initd zapret
#  remove : /usr/lib/lsb/remove_initd zapret
### BEGIN INIT INFO
# Provides:		zapret
# Required-Start:	$local_fs $network
# Required-Stop:	$local_fs $network
# Default-Start:	2 3 4 5
# Default-Stop:		0 1 6
### END INIT INFO

# CHOOSE ACTION PERFORMED ON PACKETS: FRAGMENTATION (NFQWS) OR MODIFICATION (TPWS).
ACTION=fragmentation
#ACTION=modification
#ACTION=combined

# CHOSE NETWORK INTERFACE BEHIND NAT
SLAVE_ETH=br0


IPSET_CR=/opt/zapret/ipset/create_ipset.sh
NAME=zapret
DESC=anti-zapret

QNUM=200
TPPORT=1188
ROUTE_TABLE_NUM=100
NFQWS=/opt/zapret/binaries/mips32r1-lsb/nfqws
TPWS=/opt/zapret/binaries/mips32r1-lsb/tpws
TPWS_USER=nobody
#FILL THE ADRESS OF BLACKHOLE PAGE
BLACKHOLE=blackhole.beeline.ru
BLACKHOLE_REG="|0D0A|Location: http://$BLACKHOLE"

PIDFILE=/var/run/$NAME.pid

set -e

case "$1" in
  start)
        if lsmod | grep "iptable_raw " &> /dev/null ;  then
         echo "iptable_raw.ko is already loaded"
        else
         if insmod /lib/modules/$(uname -r)/iptable_raw.ko &> /dev/null; then
          echo "iptable_raw.ko loaded"
         else
          echo "Cannot find iptable_raw.ko kernel module, aborting"
          exit 1
         fi
        fi
	if lsmod | grep "xt_string " &> /dev/null ;  then
         echo "xt_string.ko is already loaded"
        else
         if insmod /lib/modules/$(uname -r)/xt_string.ko &> /dev/null; then
          echo "xt_string.ko loaded"
         else
          echo "Cannot find xt_string.ko kernel module, aborting"
          exit 1
         fi
        fi
        if ($NFQWS 2> /dev/null| grep "wsize") &> /dev/null ; then
         echo "nfqws is installed"
        else
         echo "nfqws is not installed, aborting"
         exit 1
        fi
        if ($TPWS --test 2> /dev/null| grep "maxconn") &> /dev/null ; then
         echo "tpws is installed"
        else
         echo "tpws is not installed, aborting"
         exit 1
        fi
	echo "Restoring ipset"
	#($IPSET_CR)
	if !(ipset list -n zapret > /dev/null) ; then
	 ipset restore -f /opt/zapret/ipset/zapret.ipset
	fi
	if !(ipset list -n zapret6 > /dev/null) ; then
	 ipset restore -f /opt/zapret/ipset/zapret6.ipset
	fi
	echo "Adding iptables rule"
	case "${ACTION}" in
	    fragmentation)
		iptables -t raw -C PREROUTING -p tcp --sport 80 -m string --hex-string "$BLACKHOLE_REG" --algo bm -j DROP --from 40 --to 200 2>/dev/null ||
		 iptables -t raw -I PREROUTING -p tcp --sport 80 -m string --hex-string "$BLACKHOLE_REG" --algo bm -j DROP --from 40 --to 200
		iptables -t raw -C PREROUTING -p tcp --sports 80,443 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
		 iptables -t raw -I PREROUTING -m multiport -p tcp --sports 80,443 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
		#iptables -t nat -C PREROUTING -p tcp --dport 443 -m set --match-set zapret dst -j REDIRECT --to-port 8888 2>/dev/null ||
        #         iptables -t nat -I PREROUTING -p tcp --dport 443 -m set --match-set zapret dst -j REDIRECT --to-port 8888
		DAEMON=$NFQWS
		DAEMON_OPTS="--qnum=$QNUM --wsize=5"
		;;
	    modification)
		sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
    if [ -e /proc/net/if_inet6 ] ; then
  	  ! ip -6 route add local default dev lo table 99
		  ! ip -6 rule add from all fwmark 0x9 lookup 99
      ip6tables -t mangle -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret6 dst -j TPROXY --tproxy-mark 0x9/0x9 --on-port $TPPORT --on-ip ::1 2>/dev/null ||
       ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret6 dst -j TPROXY --tproxy-mark 0x9/0x9 --on-port $TPPORT --on-ip ::1
      ip6tables -t mangle -N DIVERT
      ip6tables -t mangle -C DIVERT -j MARK --set-mark 9 2>/dev/null || ip6tables -t mangle -A DIVERT -j MARK --set-mark 9
      ip6tables -t mangle -C DIVERT -j ACCEPT 2>/dev/null || ip6tables -t mangle -I DIVERT -j ACCEPT
      ip6tables -t mangle -C PREROUTING -p tcp -m socket  -j DIVERT 2>/dev/null || ip6tables -t mangle -I PREROUTING -p tcp -m socket  -j DIVERT
    fi
    iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
     iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
    iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
     iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
		DAEMON=$TPWS
		DAEMON_OPTS="--port=$TPPORT --user=$TPWS_USER  --methodeol"
		;;
    combined)
  sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=1
  if [ -e /proc/net/if_inet6 ] ; then
    ! ip -6 route add local default dev lo table 99
    ! ip -6 rule add from all fwmark 0x9 lookup 99
    ip6tables -t mangle -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret6 dst -j TPROXY --tproxy-mark 0x9/0x9 --on-port $TPPORT --on-ip ::1 2>/dev/null ||
     ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret6 dst -j TPROXY --tproxy-mark 0x9/0x9 --on-port $TPPORT --on-ip ::1
    ip6tables -t mangle -N DIVERT
    ip6tables -t mangle -C DIVERT -j MARK --set-mark 9 2>/dev/null || ip6tables -t mangle -A DIVERT -j MARK --set-mark 9
    ip6tables -t mangle -C DIVERT -j ACCEPT 2>/dev/null || ip6tables -t mangle -I DIVERT -j ACCEPT
    ip6tables -t mangle -C PREROUTING -p tcp -m socket  -j DIVERT 2>/dev/null || ip6tables -t mangle -I PREROUTING -p tcp -m socket  -j DIVERT
  fi
  iptables -t raw -C PREROUTING -p tcp --sports 443 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null ||
   iptables -t raw -I PREROUTING -m multiport -p tcp --sports 443 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
  iptables -t nat -C PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
   iptables -t nat -I PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
  iptables -t nat -C OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
   iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
  $NFQWS --daemon --qnum=$QNUM --wsize=5
  DAEMON=$TPWS
  DAEMON_OPTS="--port=$TPPORT --user=$TPWS_USER  --methodeol"
  ;;
	esac

	echo -n "Starting $DESC: "
	start-stop-daemon -S -q -p $PIDFILE -b -m -x $DAEMON -- $DAEMON_OPTS
	echo "$NAME."
	;;
  stop)
	echo "Saving ipset"
	ipset save zapret -f /opt/zapret/ipset/zapret.ipset
  if [ -e /proc/net/if_inet6 ] ; then
	   ipset save zapret6 -f /opt/zapret/ipset/zapret6.ipset
  fi
	echo "Deleting iptables rule"

	case "${ACTION}" in
	   fragmentation)
		  iptables -t raw -D PREROUTING -p tcp --sport 80 -m string --hex-string "$BLACKHOLE_REG" --algo bm -j DROP --from 40 --to 200
		  iptables -t raw -D PREROUTING -m multiport -p tcp --sports 80,443 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
		  #iptables -t nat -D PREROUTING -p tcp --dport 443 -m set --match-set zapret dst -j REDIRECT --to-port 8888
		  DAEMON=$NFQWS
		;;
	    modification)
      sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
      ! iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null
      ! iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null
      if [ -e /proc/net/if_inet6 ] ; then
        ! ip6tables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null
        ! ip6tables -t mangle -F DIVERT 2>/dev/null
        ! ip6tables -t mangle -X DIVERT 2>/dev/null
        ! ip6tables -t mangle -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret6 dst -j TPROXY --tproxy-mark 0x9/0x9 --on-port $TPPORT --on-ip ::1 2>/dev/null
        ! ip -6 rule del from all fwmark 0x9 2>/dev/null
        ! ip -6 route del local default dev lo table 99 2>/dev/null
      fi
		DAEMON=$TPWS
		;;
    combined)
      sysctl -w net.ipv4.conf.$SLAVE_ETH.route_localnet=0
      ! iptables -t raw -D PREROUTING -m multiport -p tcp --sports 443 --tcp-flags SYN,ACK SYN,ACK -m set --match-set zapret src -j NFQUEUE --queue-num $QNUM --queue-bypass
      ! iptables -t nat -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null
      ! iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null
      if [ -e /proc/net/if_inet6 ] ; then
        ! ip6tables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null
        ! ip6tables -t mangle -F DIVERT 2>/dev/null
        ! ip6tables -t mangle -X DIVERT 2>/dev/null
        ! ip6tables -t mangle -D PREROUTING -p tcp --dport 80 -i $SLAVE_ETH -m set --match-set zapret6 dst -j TPROXY --tproxy-mark 0x9/0x9 --on-port $TPPORT --on-ip ::1 2>/dev/null
        ! ip -6 rule del from all fwmark 0x9 2>/dev/null
        ! ip -6 route del local default dev lo table 99 2>/dev/null
      fi
      #ip -6 route flush table 99
      killall nfqws
    DAEMON=$TPWS
  ;;
	esac

	echo -n "Stopping $DESC: "
	start-stop-daemon  -K -q -p $PIDFILE -x $DAEMON
	echo "$NAME."
	;;
  *)
	N=/etc/init.d/$NAME
	echo "Usage: $N {start|stop}" >&2
	exit 1
	;;
esac

exit 0