#!/bin/bash
#Version 0.1.1
export PATH="/bin:/sbin/:/usr/bin:/usr/sbin"

#Copyright 2001 William Stearns <wstearns@pobox.com>
#Released under the GPL.

#Format=ascii|html-pre-bare|html-pre-full-page	#html-table-full-page|html-table-bare later

#FIXME - Load settings from the command line or $QUERY_STRING

#Hard code here for testing.
Format=html-pre-full-page
#FIXME - when no fields to submit, it appears QUERY_STRING is blank.

lc () {
	echo "$*" | tr A-Z a-z
}

uc () {
	echo "$*" | tr a-z A-Z
}

ClearOptions () {
	unset SourceAddress SourcePort DestinationAddress DestinationPort Protocol
}

ParseOption () {
	ONEVAL=${1##*=}
	case $1 in
		SourceAddress=*)	SourceAddress=$ONEVAL		;;
		SourcePort=*)		SourcePort=$ONEVAL		;;
		DestinationAddress=*)	DestinationAddress=$ONEVAL	;;
		DestinationPort=*)	DestinationPort=$ONEVAL		;;
		Protocol=*)		Protocol=$ONEVAL		;;
	esac
}

GenericHeader () {
	case $Format in
	html-pre-full-page)
		cat <<EOTEXT
Content-type: text/html

<html>
<head>
<title>Firewall blocking rules</title>
</head>
<body>
EOTEXT
#		echo \<pre\> ; set | egrep -i '(Source|Destination|Protocol)' ; echo \</pre\>
		;;
	esac
	case $Format in
	html-pre-*)
		echo '<pre>'
		;;
	esac
}

GenericFooter () {
	case $Format in
	html-pre-*)
		echo '</pre>'
		;;
	esac
	case $Format in
	html-pre-full-page)
		cat <<EOTEXT

<p>Please enter the IP and/or port(s) you wish to block.  Any of the
following may be left blank; blank addresses will be treated as
"Any address" and blank ports will be treated as "Any port".</p>

<form method="query" action="http://127.0.0.1/cgi-bin/blockrules">
<table>
<tr><td>Source Address<br>Examples: somehost, somehost.somedomain.com, 1.2.3.4</td>
	<td><INPUT TYPE=text NAME="SourceAddress" SIZE="60"></td></tr>
<tr><td>Source Port<br>Examples: 12, 1024:65535</td>
	<td><INPUT TYPE=text NAME="SourcePort" SIZE="11"></td></tr>
<tr><td>Destination Address<br>(Same format as Source Address)</td>
	<td><INPUT TYPE=text NAME="DestinationAddress" SIZE="60"></td></tr>
<tr><td>Destination Port<br>(Same format as Source Port)</td>
	<td><INPUT TYPE=text NAME="DestinationPort" SIZE="11"></td></tr>

<tr><td>Protocol</td>	<td>
	<INPUT TYPE=radio NAME="Protocol" VALUE="tcp"> tcp
	<INPUT TYPE=radio NAME="Protocol" VALUE="udp"> udp
		</td></tr>

<tr><td></td>	<td></td></tr>
</table>
<INPUT TYPE=submit VALUE="Show block rules">
<INPUT TYPE=reset VALUE="Clear">
</form>


<p>Created by the blockrules program.  See
<a href="http://www.stearns.org">http://www.stearns.org</a>
for more information about this tool and updated versions.
</body>
</html>
EOTEXT
		;;
	esac
}

readlog () {
	if read DestinationPort ; then
		return 0	#True
	else
		return 1	#False
	fi
}

showrule () {
	#SourceAddress SourcePort DestinationAddress DestinationPort Protocol
	if [ -n "$SourcePort$DestinationPort" ] && [ -z "$Protocol" ]; then
		Protocol="tcp"
		echo '#TCP protocol assumed'
	fi

	echo
	echo '# Iptables'
	Params=""
	if [ -n "$Protocol" ]; then		Params="$Params -p `lc $Protocol`" ; fi
	if [ -n "$SourceAddress" ]; then	Params="$Params -s $SourceAddress" ; fi
	if [ -n "$SourcePort" ]; then		Params="$Params --sport $SourcePort" ; fi
	if [ -n "$DestinationAddress" ]; then	Params="$Params -d $DestinationAddress" ; fi
	if [ -n "$DestinationPort" ]; then	Params="$Params --dport $DestinationPort" ; fi
	echo 'iptables -A INPUT' $Params '-j LOG --log-level info'
	echo 'iptables -A INPUT' $Params '-j DROP'
	echo 'iptables -A FORWARD' $Params '-j LOG --log-level info'
	echo 'iptables -A FORWARD' $Params '-j DROP'


	echo
	echo '# Ipchains'
	Params=""
	if [ -n "$Protocol" ]; then		Params="$Params -p `lc $Protocol`" ; fi
	if [ -n "$SourceAddress$SourcePort" ]; then
		Params="$Params -s"
		if [ -n "$SourceAddress" ]; then
			Params="$Params $SourceAddress"
		else
			Params="$Params 0/0"
		fi
		if [ -n "$SourcePort" ]; then
			Params="$Params $SourcePort"
		fi
	fi
	if [ -n "$DestinationAddress$DestinationPort" ]; then
		Params="$Params -d"
		if [ -n "$DestinationAddress" ]; then
			Params="$Params $DestinationAddress"
		else
			Params="$Params 0/0"
		fi
		if [ -n "$DestinationPort" ]; then
			Params="$Params $DestinationPort"
		fi
	fi
	echo 'ipchains -A input' $Params '-l -j DENY'


	echo
	echo '! Cisco IOS'
	Params=""
	if [ -n "$Protocol" ]; then
		Params="$Params `lc $Protocol`"
	fi
#FIXME - /n conversion
	if [ -n "$SourceAddress" ]; then
		Params="$Params host $SourceAddress"
	else
		Params="$Params any"
	fi
#FIXME - use port2ciscoport
	if [ -n "$SourcePort" ]; then
		case $SourcePort in
		*:*)	Params="$Params range ${SourcePort%%:*} ${SourcePort##*:}"		;;
		*)	Params="$Params eq $SourcePort"						;;
		esac
	fi
	if [ -n "$DestinationAddress" ]; then
		Params="$Params host $DestinationAddress"
	else
		Params="$Params any"
	fi
	if [ -n "$DestinationPort" ]; then
		case $DestinationPort in
		*:*)	Params="$Params range ${DestinationPort%%:*} ${DestinationPort##*:}"	;;
		*)	Params="$Params eq $DestinationPort"					;;
		esac
	fi
	echo 'Access-list 101 deny' $Params 'log'



	echo
	echo '# ipfilter'
	Params=""
	if [ -n "$Protocol" ]; then		Params="$Params proto $Protocol" ; fi
	if [ -n "$SourceAddress" ]; then
		Params="$Params from $SourceAddress"
	else
		Params="$Params from any"
	fi
	if [ -n "$SourcePort" ]; then		Params="$Params port = $SourcePort" ; fi
	if [ -n "$DestinationAddress" ]; then
		Params="$Params to $DestinationAddress"
	else
		Params="$Params to any"
	fi
	if [ -n "$DestinationPort" ]; then	Params="$Params port = $DestinationPort" ; fi
	echo 'block in log' $Params	#"block in log quick"?

#FIXME - snort IDS
	echo
	echo '# Snort IDS'
	Params=""
	if [ -n "$Protocol" ]; then		Params="$Params `uc $Protocol`" ; fi
#FIXME - $EXTERNAL vs. source address.
	if [ -n "$SourceAddress" ]; then
		Params="$Params $SourceAddress"
	else
		Params="$Params any"
	fi
	if [ -n "$SourcePort" ]; then
		Params="$Params $SourcePort"
	else
		Params="$Params any"
	fi
#FIXME - use gt or > depending on output format
	Params="$Params -&gt;"
#FIXME - $INTERNAL vs. dest address
	if [ -n "$DestinationAddress" ]; then
		Params="$Params $DestinationAddress"
	else
		Params="$Params any"
	fi
	if [ -n "$DestinationPort" ]; then
		Params="$Params $DestinationPort"
	else
		Params="$Params any"
	fi
	echo 'alert' $Params '(msg: "Insert description here")'

#alert TCP $EXTERNAL any -> $INTERNAL 617 (msg: "IDS261/dos-arkiea-backup"; flags: AP; dsize: >1445;)

#FIXME - ipfwadm

	#echo
	#echo '# Template'
	#Params=""
	#if [ -n "$Protocol" ]; then		Params="$Params $Protocol" ; fi
	#if [ -n "$SourceAddress" ]; then	Params="$Params $SourceAddress" ; fi
	#if [ -n "$SourcePort" ]; then		Params="$Params $SourcePort" ; fi
	#if [ -n "$DestinationAddress" ]; then	Params="$Params $DestinationAddress" ; fi
	#if [ -n "$DestinationPort" ]; then	Params="$Params $DestinationPort" ; fi
	#echo ZZZZ $Params
}



#Parse html form submission and command line params, if any.
if [ -n "$QUERY_STRING" ]; then
	QUERY_STRING=`echo "$QUERY_STRING" | sed -e 's/%3A/:/g' -e 's/[^A-Za-z0-9\.=&:]//g' -e 's/&/ /g'`
	for ONEFIELD in $QUERY_STRING $* ; do
		ParseOption $ONEFIELD
	done
fi

#Sanity checks on variables
case $Format in
ascii|html-pre-bare|html-pre-full-page)
	:
	;;
*)
	if [ -n "$QUERY_STRING" ]; then
		Format=html-pre-full-page
	else
		Format=ascii
	fi
	;;
esac



GenericHeader
if [ -n "$SourceAddress$SourcePort$DestinationAddress$DestinationPort$Protocol" ]; then
	showrule
else
	while readlog ; do
		showrule
	done
fi
GenericFooter