#!/bin/bash

### BEGIN INIT INFO
# Provides:          dtc-dos-firewall
# Required-Start:    $remote_fs $all
# Required-Stop:     $remote_fs
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: A small anti-DoS firewall script for your web, ftp and mail server
# Description:       If running in a production environment, you might want
#                    to have a basic firewall running on your server to avoid
#                    having DoS attack. This is not the state-of-the-art, but
#                    just another attempt to make things a bit more smooth.
### END INIT INFO

DESC="DTC DoS firewall"   
NAME="dtc-dos-firewall"



. /lib/lsb/init-functions

if [ -r /lib/init/vars.sh ] ; then
	. /lib/init/vars.sh
fi

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables

if [ -f /etc/dtc/dtc-dos-firewall.conf ] ; then
	. /etc/dtc/dtc-dos-firewall.conf
fi

# General firewall preferences
if [ -z "${GENERAL_FIREWALL_ACTIVATE}" ] ; then
	GENERAL_FIREWALL_ACTIVATE=0
fi
if [ -z "${GENERAL_IN_CHAIN}" ] ; then
	GENERAL_IN_CHAIN="general-in"
fi
if [ -z "${GENERAL_OUT_CHAIN}" ] ; then
	GENERAL_OUT_CHAIN="dtc-general-out"
fi
if [ -z "${GENERAL_FOR_CHAIN}" ] ; then
	GENERAL_FOR_CHAIN="dtc-general-for"
fi
# General ip6 firewall preferences
if [ -z "${GENERAL_IP6_FIREWALL_ACTIVATE}" ] ; then
	GENERAL_IP6_FIREWALL_ACTIVATE=0
fi
if [ -z "${DOS_IP6_IN_CHAIN}" ] ; then
	DOS_IP6_IN_CHAIN="dtc-dos6-in"
fi
if [ -z "${GENERAL_IP6_IN_CHAIN}" ] ; then
	GENERAL_IP6_IN_CHAIN="dtc-general6-in"
fi
if [ -z "${GENERAL_IP6_OUT_CHAIN}" ] ; then
	GENERAL_IP6_OUT_CHAIN="dtc-general6-out"
fi
if [ -z "${GENERAL_IP6_FOR_CHAIN}" ] ; then
	GENERAL_IP6_FOR_CHAIN="dtc-general6-for"
fi

if [ -z "${INTERFACE}" ] ; then
	INTERFACE="eth0"
fi


if ! [ -f /etc/dtc/dos-firewall -a -f /etc/dtc/dos-6firewall -a -f /etc/dtc/general-firewall -a -f /etc/dtc/general6-firewall ] ; then
	exit 0
fi
. /etc/dtc/dos-firewall
. /etc/dtc/dos-6firewall
. /etc/dtc/general-firewall
. /etc/dtc/general6-firewall

# Create a firewall chain
# Params:
# $1: name of the chain
# $2: iptables general chain name
# $3: iptables or ip6tables binary
create-dtc-chain () {
	# Create the chain (if it doesn't exists, then it should be inserted in the INPUT chain)
	CHAINTEST=`LC_ALL=C ${1} -t filter -L -n | grep ${2} | awk '{printf $1}'`
	if [ "${CHAINTEST}" = "${2}Chain" ] ; then
		${1} -F ${2}
	elif [ "${CHAINTEST}" = "Chain" ] ; then
		${1} -I ${3} -j ${2}
		${1} -F ${2}
	else
		${1} --new-chain ${2}
		${1} -I ${3} -j ${2}
	fi
}

# Delete a firewall chain
# Params:
# $1: name of the chain
# $2: iptables general chain name
# $3: iptables or ip6tables binary
delete-dtc-chain () {
	CHAINTEST=`LC_ALL=C ${1} -t filter -L -n | grep ${2} | awk '{printf $1}'`
	if [ "${CHAINTEST}" = "${2}Chain" ] ; then
		${1} -D ${3} -j ${2}
		${1} -F ${2}
		${1} -X ${2}
	elif [ "${CHAINTEST}" = "Chain" ] ; then
		${1} -F ${2}
		${1} -X ${2}
	fi
}


case "${1}" in
start)
	[ "${VERBOSE}" != no ] && log_daemon_msg "Starting ${DESC}"
	[ "${VERBOSE}" != no ] && log_progress_msg "IPv4-anti-dos"
	create-dtc-chain ${IPTABLES} dtc-dos-in INPUT
	accept-localhost-traffic
	limit-ssh-login-rate
	limit-smtp-connection-rate
	limit-http-connection-rate
	limit-ftp-connection-rate
	limit-pop-and-imap-connection-rate
	if [ ${IPV6_ANTI_DOS_ACTIVATE} = 1 ] ; then
		[ "${VERBOSE}" != no ] && log_progress_msg "IPv6-anti-dos"
		create-dtc-chain ${IP6TABLES} ${DOS_IP6_IN_CHAIN} INPUT
		limit-6ssh-login-rate
		limit-6smtp-connection-rate
		limit-6http-connection-rate
		limit-6ftp-connection-rate
		limit-6pop-and-imap-connection-rate
	fi
	if [ ${GENERAL_FIREWALL_ACTIVATE} = 1 ] ; then
		[ "${VERBOSE}" != no ] && log_progress_msg "IPv4-general"
		create-dtc-chain ${IPTABLES} ${GENERAL_IN_CHAIN} INPUT
		create-dtc-chain ${IPTABLES} ${GENERAL_OUT_CHAIN} OUTPUT
		create-dtc-chain ${IPTABLES} ${GENERAL_FOR_CHAIN} FORWARD
		general-in
		general-out
		general-for
	fi
	if [ ${GENERAL_IP6_FIREWALL_ACTIVATE} = 1 ] ; then
		[ "${VERBOSE}" != no ] && log_progress_msg "IPv6-general"
		create-dtc-chain ${IP6TABLES} ${GENERAL_IP6_IN_CHAIN} INPUT
		create-dtc-chain ${IP6TABLES} ${GENERAL_IP6_OUT_CHAIN} OUTPUT
		create-dtc-chain ${IP6TABLES} ${GENERAL_IP6_FOR_CHAIN} FORWARD
		general-6in
		general-6out
		general-6for	
	fi
	[ "${VERBOSE}" != no ] && log_end_msg 0
;;
stop)
	[ "${VERBOSE}" != no ] && log_daemon_msg "Stopping ${DESC}"
	[ "${VERBOSE}" != no ] && log_progress_msg "IPv4-anti-dos"
	delete-dtc-chain ${IPTABLES} dtc-dos-in INPUT
	[ "${VERBOSE}" != no ] && log_progress_msg "IPv6-anti-dos"
	delete-dtc-chain ${IP6TABLES} ${DOS_IP6_IN_CHAIN} INPUT
	[ "${VERBOSE}" != no ] && log_progress_msg "IPv4-general"
	${IPTABLES} -P INPUT ACCEPT
	${IPTABLES} -P OUTPUT ACCEPT
	${IPTABLES} -P FORWARD ACCEPT
	delete-dtc-chain ${IPTABLES} ${GENERAL_IN_CHAIN} INPUT
	delete-dtc-chain ${IPTABLES} ${GENERAL_OUT_CHAIN} OUTPUT
	delete-dtc-chain ${IPTABLES} ${GENERAL_FOR_CHAIN} FORWARD
	[ "${VERBOSE}" != no ] && log_progress_msg "IPv6-general"
	${IP6TABLES} -P INPUT ACCEPT
	${IP6TABLES} -P OUTPUT ACCEPT
	${IP6TABLES} -P FORWARD ACCEPT
	delete-dtc-chain ${IP6TABLES} ${GENERAL_IP6_IN_CHAIN} INPUT
	delete-dtc-chain ${IP6TABLES} ${GENERAL_IP6_OUT_CHAIN} OUTPUT
	delete-dtc-chain ${IP6TABLES} ${GENERAL_IP6_FOR_CHAIN} FORWARD
	[ "${VERBOSE}" != no ] && log_end_msg 0
;;
restart|reload|force-reload)
	${0} stop
	sleep 1
	${0} start
;;
*)
	echo "Usage: ${0} "'{start|stop|restart|reload}'
	exit 1
;;
esac

exit 0
