#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

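# Module identity.  Me doubles as the iptables chain name and as the stem of
# the per-module config file; DefaultActions is not read in this file and is
# presumably consumed by firebrickslib — confirm there before changing it.
Me='bogons'
MyVersion='0.3.4'
DefaultActions='DROP'

# Load the site-wide config, then this module's overrides, then the shared
# library.  Every path containing an expansion is quoted so a FBLibDir with
# spaces or glob characters can neither be split nor expanded.  The library
# must define FBLibVer; without it the helpers used further down
# (FlushOrNewChain, DestroyChain, DefaultHelp, Ipt, Tail, ...) do not exist,
# so there is nothing sensible to do but stop.
[ -r /etc/firebricks/firebricks.conf ] &&			. /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] &&				. "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] &&	. "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi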

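# Sanity pattern for entries read from the bogon list: a dotted-quad IPv4
# address with an optional /prefix.  The list is fetched from a remote site,
# so its contents are treated as untrusted text; only tokens matching this
# pattern are ever handed to iptables as arguments.
BogonRe='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

#######################################
# Print the rule numbers in built-in chain $1 whose target is chain $2,
# one per line, nothing if there are none.  The target is compared as a
# whole field, so a chain whose name merely contains $2 is not counted.
# Globals:   IptablesBin (read, from firebrickslib)
# Arguments: $1 - built-in chain (INPUT, FORWARD, OUTPUT); $2 - target chain
# Outputs:   rule numbers on stdout
#######################################
bogons_rule_nums() {
	$IptablesBin -L "$1" -n --line-numbers | awk -v c="$2" '$2 == c { print $1 }'
}

# Tasks is set by firebrickslib (presumably from the command line — confirm
# there) and is deliberately word-split, one action per word.  IptablesBin,
# AppIn, Ipt and Tail also come from the library and stay unquoted because
# they may expand to several words; Me, TempChain and file paths are quoted.
for OneTask in $Tasks ; do
	case "$OneTask" in
	link)
		# Chain creation may fail because the chain already exists; that is fine.
		$IptablesBin -N "$Me" >/dev/null 2>&1
		# Hook the module chain into the built-in chains for new/related
		# connections, skipping loopback at the hook itself.  "-i \! lo" is
		# the old intrapositioned negation; newer iptables warns that it is
		# deprecated in favour of "! -i lo" but still honours it.
		$IptablesBin $AppIn INPUT -i \! lo -m state --state NEW,RELATED			-j "$Me"
		$IptablesBin $AppIn FORWARD -m state --state NEW,RELATED			-j "$Me"
		$IptablesBin $AppIn OUTPUT -o \! lo -m state --state NEW,RELATED		-j "$Me"
		;;
	unlink)
		# Mirror of link: remove the three hooks, then the now-unreferenced chain.
		$IptablesBin -D INPUT -i \! lo -m state --state NEW,RELATED			-j "$Me"
		$IptablesBin -D FORWARD -m state --state NEW,RELATED				-j "$Me"
		$IptablesBin -D OUTPUT -o \! lo -m state --state NEW,RELATED			-j "$Me"
		$IptablesBin -X "$Me" >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		FlushOrNewChain "$Me"

		#No sense in checking loopback interface at all.  IOF calls now exclude all lo.
		#$IptablesBin -A $Me -i lo -s 127.0.0.0/8					-j RETURN
		#$IptablesBin -A $Me -i lo -d 127.0.0.0/8					-j RETURN
		#$IptablesBin -A $Me -o lo -s 127.0.0.0/8					-j RETURN
		#$IptablesBin -A $Me -o lo -d 127.0.0.0/8					-j RETURN

		#Uncomment this if you want to automatically pull down this file.
		#Better handled from cron
		#if [ ! -f "$FBData/bogon-bn-agg.txt" ]; then
		#	wget http://www.cymru.com/Documents/bogon-bn-agg.txt -O "$FBData/bogon-bn-agg.txt"
		#fi

		BogonList="$FBData/bogon-bn-agg.txt"
		if [ -f "$BogonList" ]; then
			# Read on fd 3 so a helper that happens to read stdin cannot
			# consume the list; the "|| [ -n ... ]" keeps a last line that
			# lacks a trailing newline.  Each line is then word-split, so
			# the usual one-prefix-per-line layout and lines carrying more
			# than one token are both accepted.
			while IFS= read -r -u 3 BogonLine || [ -n "$BogonLine" ]; do
				for OneBogon in $BogonLine ; do
					# Anything that is not an IPv4 prefix is reported and
					# dropped here instead of being passed on to iptables.
					if ! [[ "$OneBogon" =~ $BogonRe ]]; then
						echo "Skipping '$OneBogon' in $BogonList: not an IPv4 prefix." >&2
						continue
					fi
					case "$OneBogon" in
					10.0.0.0/8|172.16.0.0/12|192.168.0.0/16|224.0.0.0/3)
						: #echo "Skipping $OneBogon, handled elsewhere." >&2
						;;
					*)
						LogAs='bogon'	$Ipt -A "$Me" -s "$OneBogon"		$Tail
						LogAs='bogon'	$Ipt -A "$Me" -d "$OneBogon"		$Tail
						;;
					esac
				done
			done 3< "$BogonList"
		else
			echo "No $BogonList, please get from:" >&2
			echo 'http://www.cymru.com/Documents/bogon-bn-agg.txt' >&2
			echo "Unable to initialize $Me." >&2
		fi
		;;
	destroy)
		echo "Stopping $Me" >&2
		DestroyChain "$Me"
		;;
	renamechain)
		# Park the live chain under a temporary name so a fresh one can be
		# built; replacelinks later swaps the hooks back and removes it.
		TempChain="$Me-$RANDOM"
		echo "Replacing existing rules in $Me with new rules" >&2
		$IptablesBin -E "$Me" "$TempChain"
		;;
	replacelinks)
		if [ -z "$TempChain" ]; then
			echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
		elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
			echo "No $Me chain in $Me, replace operation incomplete." >&2
		elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
			echo "No $TempChain chain in $Me, replace operation incomplete." >&2
		elif [ "$(bogons_rule_nums INPUT "$TempChain" | wc -l)" -ne 1 ]; then
			echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
		elif [ "$(bogons_rule_nums FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
			echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
		elif [ "$(bogons_rule_nums OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
			echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
		else
			# Each built-in chain holds exactly one hook to the temporary
			# chain (checked above), so that rule is replaced in place with
			# one pointing at the permanent chain; then the temporary chain
			# goes away.
			$IptablesBin -R INPUT "$(bogons_rule_nums INPUT "$TempChain")" -i \! lo -m state --state NEW,RELATED	-j "$Me"
			$IptablesBin -R FORWARD "$(bogons_rule_nums FORWARD "$TempChain")" -m state --state NEW,RELATED		-j "$Me"
			$IptablesBin -R OUTPUT "$(bogons_rule_nums OUTPUT "$TempChain")" -o \! lo -m state --state NEW,RELATED	-j "$Me"
			DestroyChain "$TempChain"
			unset TempChain
		fi
		;;
	status)
		if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
			echo "$Me created" >&2
		else
			echo "$Me destroyed" >&2
		fi
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
		cat <<EOTEXT >&2
	The $Me module checks for bogon source addresses; addresses
which have not yet been assigned by IANA.  No legitimate hosts should be
using them.
	This module should be safe to use, but please check no less than
once a month for an updated bogon list.  The file can be found at
http://www.cymru.com/Documents/bogon-bn-agg.txt and should be placed in
$FBData/bogon-bn-agg.txt .
EOTEXT
		;;
	*)
		# The original reported $Action, which is never set in this file;
		# the offending task name is the useful thing to print.
		echo "Unknown action $OneTask in $Me, no action taken." >&2
		;;
	esac
done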
