#!/bin/sh

# Get user id
export USERID=$(id -u)

# Check ROOT Permissions
if [ "$USERID" != 0 ]; then
  echo "请以root用户运行"
  exit 1
fi

# Check linux distribution
# Debian base
if [ -f /etc/debian_version ]; then
  export OS=debian
  export FIREWALL=iptables
  systemctl enable cron
fi

# Redhat base
if [ -f /etc/redhat-release ]; then
  REDHAT_VERSION=$(cat /etc/redhat-release | grep -oE "[0-9.]+")

  case "$REDHAT_VERSION" in
    7.0.1406 | 7.1.1503 | 7.2.1511 | 7.3.1611 | 7.4.1708 | 7.5.1804 | 7.6-1810 | 7.7-1908 | 8.0)
      export OS=redhat7
      export FIREWALL=firewall-cmd
      systemctl enable cron
      ;;
    6.0 | 6.1 | 6.2 | 6.3 | 6.4 | 6.5 | 6.6 | 6.7 | 6.8 | 6.9)
      export OS=redhat6
      export FIREWALL=iptables
      service cron enable
      ;;
  esac

fi

# Other
if [ "$OS" = "" ]; then
  read -p "请手动输入您的发行版所使用的防火墙,目前仅支持iptables和firewall-cmd(iptables/firewall-cmd): " FIREWALL
fi

choose() {
  echo "1.安装"
  echo "2.卸载"
  echo "3.退出"
  read -p "请输入数字: " NUM

  if [ "$NUM" -ne 1 ] && [ "$NUM" -ne 2 ] && [ "$NUM" -ne 3 ]; then
    choose
  fi

}

choose

if [ "$NUM" = 1 ]; then
  if [ "$FIREWALL" = "firewall-cmd" ]; then
    # Check firewall-cmd
    if command -v firewall-cmd >/dev/null 2>&1; then
      FIREWALL_RUNTIME=$(firewall-cmd --state)
      if [ "$FIREWALL_RUNTIME" = "running" ]; then
        export FIREWALLCMD=yes
      else
        read -p "Firewall-cmd已被关闭是否启用?(yes/no): " FIREWALLCMD_START
      fi
        if [ "$FIREWALLCMD_START" = "yes" ]; then
          systemctl start firewalld
          systemctl enable firewalld
        elif [ "$FIREWALLCMD" != "yes" ]; then
          read -p "如不开启Firewall-cmd,是否配置人畜无害的iptables?(yes/no): " IPTABLES_INSTALL
          #read -p "是否配置人畜无害的iptables?(yes/no): " IPTABLES_INSTALL
        fi
    else
      if command -v iptables >/dev/null 2>&1; then
        export IPTABLES_INSTALL=yes
      else
        echo "请安装iptables"
      fi
    fi
    if [ "$OS" = "redhat7" ] && [ "$IPTABLES_INSTALL" = "yes" ]; then
      yum install iptables-services -y
      systemctl start iptables
      systemctl enable iptables
      export IPTABLES=yes
      IPTABLES_WHICH=$(which iptables)
    else
      export FIREWALLCMD=yes
      FIREWALLCMD_WHICH=$(which firewall-cmd)
      #echo "请先在Telegram/Github上联系lrinQVQ"
      #exit 0
    fi
  elif [ "$FIREWALL" = "iptables" ]; then
    # Check iptables
    if ! command -v iptables >/dev/null 2>&1; then
      echo "请安装iptables"
      exit 1
    else
      export IPTABLES=yes
      IPTABLES_WHICH=$(which iptables)
    fi
    if [ "$OS" = "redhat6" ]; then
      if [ -f /etc/init.d/iptables ]; then
        /etc/init.d/iptables start
      else
        yum install iptables-services -y
        /etc/init.d/iptables start
      fi
      export IPTABLES=yes
      IPTABLES_WHICH=$(which iptables)
    fi
  fi

  read -p "Telegram代理使用的端口: " PORT

  # Download
  echo "下载中国大陆IP数据"
  wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' >/tmp/cnip.txt

  # Check download
  if [ ! -f /tmp/cnip.txt ]; then
    echo "下载失败,请检查网络"
  fi

  if [ "$FIREWALLCMD" = "yes" ]; then
  echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>" > /usr/lib/firewalld/services/cnonly.xml
  echo "<service>" >> /usr/lib/firewalld/services/cnonly.xml
  echo "  <short>Proxy CNONLY</short>" >> /usr/lib/firewalld/services/cnonly.xml
  echo "  <description>Proxy China Only.</description>" >> /usr/lib/firewalld/services/cnonly.xml
  echo "  <port protocol=\"tcp\" port=\"$PORT\"/>" >> /usr/lib/firewalld/services/cnonly.xml
  echo "</service>" >> /usr/lib/firewalld/services/cnonly.xml
  $FIREWALLCMD_WHICH --zone=public --add-service=cnonly --permanent
  for IP in `cat /tmp/cnip.txt`; do
  echo "$FIREWALLCMD_WHICH --add-rich-rule 'rule family=\"ipv4\" source address=\"$IP\" service name=\"cnonly\" accept'" >> /tmp/firewall-cmd.sh
  done
  sh /tmp/firewall-cmd.sh
  echo "#!""/bin/sh" > /mnt/china_only
  echo "$FIREWALLCMD_WHICH --reload" >> /mnt/china_only
  echo "wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf(\"%s/%d\\n\", \$4, 32-log(\$5)/log(2)) }' > /tmp/cnip.txt" >> /mnt/china_only
  echo "for IP in \`cat /tmp/cnip.txt\`; do" >>/mnt/china_only
  echo "$FIREWALLCMD_WHICH --add-rich-rule 'rule family=\"ipv4\" source address=\"\$IP\" service name=\"cnonly\" accept' >> /tmp/firewall-cmd.sh" >>/mnt/china_only
  echo "done" >>/mnt/china_only
  echo "sh /tmp/firewall-cmd.sh" >>/mnt/china_only
  elif [ "$IPTABLES" = "yes" ]; then
    # iptables start
    $IPTABLES_WHICH -N CNONLY

    $IPTABLES_WHICH -I INPUT -p TCP --dport $PORT -j CNONLY
    $IPTABLES_WHICH -I INPUT -p UDP --dport $PORT -j CNONLY

    $IPTABLES_WHICH -I CNONLY -p TCP --dport $PORT -j DROP
    $IPTABLES_WHICH -I CNONLY -p UDP --dport $PORT -j DROP

    for IP in $(cat /tmp/cnip.txt); do
      $IPTABLES_WHICH -I CNONLY -s $IP -p TCP --dport $PORT -j ACCEPT
      $IPTABLES_WHICH -I CNONLY -s $IP -p UDP --dport $PORT -j ACCEPT
    done

    echo "#!""/bin/sh" >/mnt/china_only
    echo "wget -q -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf(\"%s/%d\\n\", \$4, 32-log(\$5)/log(2)) }' > /tmp/cnip.txt" >>/mnt/china_only
    echo "$IPTABLES_WHICH -F CNONLY >/dev/null 2>&1" >>/mnt/china_only
    echo "$IPTABLES_WHICH -N CNONLY" >>/mnt/china_only
    echo "$IPTABLES_WHICH -I INPUT -p TCP --dport $PORT -j CNONLY" >>/mnt/china_only
    echo "$IPTABLES_WHICH -I INPUT -p UDP --dport $PORT -j CNONLY" >>/mnt/china_only
    echo "$IPTABLES_WHICH -I CNONLY -p TCP --dport $PORT -j DROP" >>/mnt/china_only
    echo "$IPTABLES_WHICH -I CNONLY -p UDP --dport $PORT -j DROP" >>/mnt/china_only
    echo "for IP in \`cat /tmp/cnip.txt\`; do" >>/mnt/china_only
    echo "$IPTABLES_WHICH -I CNONLY -s \$IP -p TCP --dport $PORT -j ACCEPT" >>/mnt/china_only
    echo "$IPTABLES_WHICH -I CNONLY -s \$IP -p UDP --dport $PORT -j ACCEPT" >>/mnt/china_only
    echo "done" >>/mnt/china_only
  fi

  if [ -f /var/spool/cron/root ]; then
    sed -i '/\/mnt\/china_only/d' /var/spool/cron/root
  elif [ -f /var/spool/cron/crontabs/root ]; then
    sed -i '/\/mnt\/china_only/d' /var/spool/cron/crontabs/root
  fi

  if [ -d /var/spool/cron/crontabs ]; then
    echo "@reboot sh /mnt/china_only >/dev/null 2>&1" >>/var/spool/cron/crontabs/root
    echo "0 0 * * * sh /mnt/china_only >/dev/null 2>&1" >>/var/spool/cron/crontabs/root
  elif [ -d /var/spool/cron ]; then
    echo "@reboot sh /mnt/china_only >/dev/null 2>&1" >>/var/spool/cron/root
    echo "0 0 * * * sh /mnt/china_only >/dev/null 2>&1" >>/var/spool/cron/root
  fi

elif [ "$NUM" = 2 ]; then
  rm -rf /mnt/china_only

  if [ -f /var/spool/cron/root ]; then
    sed -i '/\/mnt\/china_only/d' /var/spool/cron/root
  elif [ -f /var/spool/cron/crontabs/root ]; then
    sed -i '/\/mnt\/china_only/d' /var/spool/cron/crontabs/root
  fi

  if [ "$FIREWALLCMD" = "yes" ]; then
  firewall-cmd --reload
  else
  iptables -F CNONLY
  fi
elif [ "$NUM" = 3 ]; then
  exit 0
fi