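#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall_rules
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: agadmin firewall rules
### END INIT INFO
#
# Builds a small iptables rule set out of chains hung off INPUT (and OUTPUT):
#   <cc>.ct.chain   - one DROP list per country, fetched from ipdeny.com
#   SERVICES.chain  - ACCEPT for the public service ports
#   ADMIN.chain     - ACCEPT for management traffic and the fixed admin hosts
#   IMSCP_INPUT/OUTPUT - accounting-only chains (call sites currently commented out)
#
# Usage: firewall_rules {start|stop|restart|reload|status}
# Running state is tracked with the marker file $PIDDIR/firewall.pid; the file
# is empty and holds no pid.

ACTION=$1

# ISO country codes whose ipdeny.com zone files are turned into DROP chains.
readonly TLD=(cn iq ir kp ru tr tw)
# Plain HTTP and no signature: the zone files are unauthenticated input, so
# every line is validated with is_ipv4_cidr before it reaches iptables.
readonly URL="http://www.ipdeny.com/ipblocks/data/countries/"
readonly INPUT="INPUT"
readonly OUTPUT="OUTPUT"
readonly PIDDIR="/var/run"
readonly STATE_FILE="$PIDDIR/firewall.pid"

#######################################
# Check that a zone-file line is a bare IPv4 address or an IPv4 CIDR prefix.
# Arguments: $1 - candidate string
# Returns:   0 if it matches ^a.b.c.d[/n]$ with octets 0-255 and prefix 0-32,
#            1 otherwise
#######################################
is_ipv4_cidr() {
  local candidate=$1
  local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  local prefix='(/(3[0-2]|[12]?[0-9]))?'
  local re="^${octet}(\\.${octet}){3}${prefix}\$"
  [[ "$candidate" =~ $re ]]
}

#######################################
# Create (START) or tear down (STOP) one DROP chain per country in TLD and
# hook each one into $INPUT.
# Globals:   TLD, URL, INPUT (read)
# Arguments: $1 - START or STOP
# Outputs:   diagnostics to stderr
# Returns:   0, or 1 if no scratch directory could be created
#######################################
block_country_chains() {
  local mode=$1
  local chain country workdir zone ip

  if [[ "$mode" == "STOP" ]]; then
    # Discover the chains from the live rule set rather than from TLD, so a
    # list that changed since start is still cleaned up completely.
    while read -r chain; do
      iptables -D "$INPUT" -j "$chain"
      iptables -F "$chain"
      iptables -X "$chain"
    done < <(iptables -S | awk '$1 == "-N" && $2 ~ /\.ct\.chain$/ {print $2}')
    return 0
  fi

  # Create the (still empty) chains and hook them into INPUT first, so their
  # position in INPUT is fixed before the long download starts.
  for country in "${TLD[@]}"; do
    chain="$country.ct.chain"
    iptables -N "$chain"
    iptables -A "$INPUT" -j "$chain"
  done

  # Runs at boot: give the network a moment before fetching.
  sleep 10

  # Private scratch directory instead of fixed names in /tmp: a fixed path
  # could be pre-created or symlinked by another local user, and stale zone
  # files from an earlier run would otherwise be reused.
  workdir=$(mktemp -d) || {
    printf 'firewall: mktemp failed, country chains stay empty\n' >&2
    return 1
  }

  for country in "${TLD[@]}"; do
    chain="$country.ct.chain"
    zone="$workdir/$country.zone"
    if ! wget -q -O "$zone" -- "$URL$country.zone"; then
      printf 'firewall: download of %s.zone failed, chain %s stays empty\n' \
        "$country" "$chain" >&2
      continue
    fi
    # The zone file is untrusted: only well-formed IPv4 prefixes are passed
    # to iptables, anything else is skipped with a notice.
    while IFS= read -r ip || [[ -n "$ip" ]]; do
      ip=${ip%$'\r'}   # tolerate CRLF line endings
      [[ -z "$ip" ]] && continue
      if ! is_ipv4_cidr "$ip"; then
        printf 'firewall: skipping malformed entry %q in %s.zone\n' \
          "$ip" "$country" >&2
        continue
      fi
      # Best effort per entry, as before: one bad rule must not stop the rest.
      iptables -A "$chain" -s "$ip" -j DROP 2>/dev/null
    done < "$zone"
  done

  rm -rf -- "${workdir:?}"
  return 0
}

#######################################
# Create (START) or tear down (STOP) SERVICES.chain, which ACCEPTs the public
# service ports, and hook it into $INPUT.
# Globals:   INPUT (read)
# Arguments: $1 - START or STOP
# Returns:   0
#######################################
services_chain() {
  local mode=$1
  local chain="SERVICES.chain"
  # TCP service ports accepted from anywhere; UDP 53 is added separately.
  local -a tcp_ports=(993 995 587 465 25 143 110 443 80 53 389)
  local port

  if [[ "$mode" == "STOP" ]]; then
    iptables -D "$INPUT" -j "$chain"
    iptables -F "$chain"
    iptables -X "$chain"
    return 0
  fi

  iptables -N "$chain"
  for port in "${tcp_ports[@]}"; do
    iptables -A "$chain" -p tcp --dport "$port" -j ACCEPT
  done
  iptables -A "$chain" -p udp --dport 53 -j ACCEPT
  iptables -A "$INPUT" -j "$chain"
  return 0
}

#######################################
# Create (START) or tear down (STOP) ADMIN.chain: established traffic, SSH,
# SNMP, TCP 953, loopback destinations, the fixed admin hosts and ICMP.
# Globals:   INPUT (read)
# Arguments: $1 - START or STOP
# Returns:   0
#######################################
admin_chain() {
  local mode=$1
  local chain="ADMIN.chain"
  # Management hosts accepted unconditionally (any protocol, any port). The
  # match is on source address only, so it relies on the kernel's source
  # validation (rp_filter) against spoofed senders.
  local -a admin_hosts=(5.1.84.159 5.1.84.160 62.113.250.204)
  local host

  if [[ "$mode" == "STOP" ]]; then
    iptables -D "$INPUT" -j "$chain"
    iptables -F "$chain"
    iptables -X "$chain"
    return 0
  fi

  iptables -N "$chain"
  iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A "$chain" -p tcp --dport 22 -j ACCEPT    # ssh
  iptables -A "$chain" -p udp --dport 161 -j ACCEPT   # snmp
  iptables -A "$chain" -p tcp --dport 953 -j ACCEPT   # 953/tcp (rndc)
  iptables -A "$chain" -d 127.0.0.0/8 -j ACCEPT
  for host in "${admin_hosts[@]}"; do
    iptables -A "$chain" -s "$host" -j ACCEPT
  done
  iptables -A "$chain" -p icmp -j ACCEPT
  iptables -A "$INPUT" -j "$chain"
  return 0
}

#######################################
# Create (START) or tear down (STOP) the IMSCP_INPUT/IMSCP_OUTPUT chains.
# The per-port rules carry no target, so they only match (and count) and the
# chain ends in RETURN; nothing is accepted or dropped here.
# Globals:   INPUT, OUTPUT (read)
# Arguments: $1 - START or STOP
# Returns:   0
#######################################
imscp_logging_chains() {
  local mode=$1
  local in_chain="IMSCP_INPUT"
  local out_chain="IMSCP_OUTPUT"
  # Ports served by this host: matched by dport inbound / sport outbound.
  local -a served_ports=(80 443 110 143 25 465 587 995 993)
  # Ports this host connects to: matched by sport inbound / dport outbound.
  local -a client_ports=(25 465 587)
  local port

  if [[ "$mode" == "STOP" ]]; then
    iptables -D "$INPUT" -j "$in_chain"
    iptables -D "$OUTPUT" -j "$out_chain"
    iptables -F "$in_chain"
    iptables -F "$out_chain"
    iptables -X "$in_chain"
    iptables -X "$out_chain"
    return 0
  fi

  iptables -N "$in_chain"
  iptables -N "$out_chain"
  iptables -A "$INPUT" -j "$in_chain"
  iptables -A "$OUTPUT" -j "$out_chain"
  for port in "${served_ports[@]}"; do
    iptables -A "$in_chain" -p tcp --dport "$port"
    iptables -A "$out_chain" -p tcp --sport "$port"
  done
  for port in "${client_ports[@]}"; do
    iptables -A "$in_chain" -p tcp --sport "$port"
    iptables -A "$out_chain" -p tcp --dport "$port"
  done
  iptables -A "$in_chain" -j RETURN
  iptables -A "$out_chain" -j RETURN
  return 0
}

#######################################
# Bring the rule set up (shared by start and restart). Order matters: the
# ESTABLISHED,RELATED accept goes in before the policy flips to DROP so that
# existing sessions (the admin's SSH among them) survive the switch, and the
# country DROP chains are hooked into INPUT ahead of SERVICES/ADMIN, so an
# admin host inside a blocked country is dropped before ADMIN.chain is seen.
# Globals:   INPUT, STATE_FILE (read)
# Outputs:   progress messages to stdout
# Returns:   0
#######################################
start_firewall() {
  echo "Firewall wird gestartet"
  touch "$STATE_FILE"
  iptables -A "$INPUT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -P "$INPUT" DROP
  #imscp_logging_chains START
  # Backgrounded because the zone downloads are slow; the chains and their
  # jumps are created immediately, and the sleep keeps those jumps ahead of
  # SERVICES/ADMIN in INPUT. A stop while the fetch is still running leaves
  # the job appending to chains that no longer exist (those appends fail).
  block_country_chains START &
  sleep 5
  services_chain START
  admin_chain START
  return 0
}

#######################################
# Tear the rule set down (shared by stop and restart).
# Globals:   INPUT, STATE_FILE (read)
# Outputs:   progress messages to stdout
# Returns:   0
#######################################
stop_firewall() {
  echo "Firewall wird gestoppt"
  rm -f -- "$STATE_FILE"
  iptables -P "$INPUT" ACCEPT
  #imscp_logging_chains STOP
  iptables -D "$INPUT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  block_country_chains STOP
  services_chain STOP
  admin_chain STOP
  return 0
}

#######################################
# Dispatch on the init action.
# Globals:   STATE_FILE (read)
# Arguments: $1 - start|stop|restart|reload|status
# Outputs:   status messages to stdout, usage to stderr
# Returns:   0, or 2 for an unknown or missing action
#######################################
main() {
  local action=${1:-}
  case "$action" in
    start)
      if [[ -f "$STATE_FILE" ]]; then
        echo "Firewall bereits aktiv"
        return 0
      fi
      start_firewall
      ;;
    stop)
      if [[ ! -f "$STATE_FILE" ]]; then
        echo "Firewall bereits gestoppt"
        return 0
      fi
      stop_firewall
      ;;
    reload|restart)
      if [[ -f "$STATE_FILE" ]]; then
        stop_firewall
      else
        echo "Firewall nicht gestartet"
      fi
      start_firewall
      ;;
    status)
      if [[ -f "$STATE_FILE" ]]; then
        echo "Firewall aktiv"
      else
        echo "Firewall nicht aktiv"
      fi
      ;;
    *)
      printf 'Usage: %s {start|stop|restart|reload|status}\n' "${0##*/}" >&2
      return 2
      ;;
  esac
}

main "$ACTION"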