#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

# Module identity.  Me names both the iptables chain this module owns and
# its per-module config file under /etc/firebricks/; MyVersion is reported
# by the "version" task.  DefaultActions is not referenced in this file —
# presumably consumed by the sourced firebrickslib.
Me=scrutinizesrc
MyVersion=0.3.3
DefaultActions=ULOG

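# Load the site-wide config, then this module's own config, then the shared
# library.  NOTE(review): these files are sourced, i.e. executed as shell
# code with this script's privileges, so their write permissions should be
# as tight as the script's own.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
# FBLibDir may have been set by either config above, so the default is
# resolved here.  Expansions are quoted so a directory containing
# whitespace neither splits the test nor the path handed to '.'.
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
# firebrickslib sets FBLibVer; without it none of the helper functions used
# below (FlushOrNewChain, DestroyChain, DefaultHelp, $Ipt, $Tail) exist.
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi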

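#######################################
# Run one firebricks task for this module.
# Globals:   Me, MyVersion, FBLibVer, IptablesBin, Ipt, Tail (read)
# Arguments: $1 - task name: link, unlink, create, destroy, renamechain,
#            replacelinks, status, version or help
# Outputs:   diagnostics and help text on stderr
# Returns:   status of the last command run in the selected arm
#######################################
ScrutinizeSrcTask() {
	case "$1" in
	link)
		# Errors are discarded on purpose: the chain may already exist.
		$IptablesBin -N "$Me" >/dev/null 2>&1
		#We don't directly link this; users can optionally jump here on suspicious packets
		#$IptablesBin $AppIn INPUT -i \! lo						-j $Me
		#$IptablesBin $AppIn FORWARD							-j $Me
		#$IptablesBin $AppIn OUTPUT							-j $Me
		;;
	unlink)
		#$IptablesBin -D INPUT -i \! lo							-j $Me
		#$IptablesBin -D FORWARD							-j $Me
		#$IptablesBin -D OUTPUT								-j $Me
		# Errors are discarded on purpose: the chain may already be gone.
		$IptablesBin -X "$Me" >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		FlushOrNewChain "$Me"
		# Record the packet's source address in the "scrutinize" recent
		# list.  Only the --set side lives here; whatever matches that list
		# and logs for the window described in "help" is not in this file.
		# LogAs carries the module name (same value as the old literal).
		LogAs="$Me"	$Ipt -A "$Me" -m recent --name scrutinize --rsource --set	$Tail
		;;
	destroy)
		echo "Stopping $Me" >&2
		DestroyChain "$Me"
		;;
	renamechain)
		echo "Renamechain not available for $Me" >&2
		#TempChain="$Me-$RANDOM"
		#echo "Replacing existing rules in $Me with new rules" >&2
		#$IptablesBin -E $Me $TempChain
		;;
	replacelinks)
		echo "Replacelinks not available for $Me" >&2
		#if [ -z "$TempChain" ]; then
		#	echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
		#elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
		#	echo "No $Me chain in $Me, replace operation incomplete." >&2
		#elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
		#	echo "No $TempChain chain in $Me, replace operation incomplete." >&2
		#elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
		#	echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
		#elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
		#	echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
		#elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
		#	echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
		#else
		#	#Can't call directly from IOF.
		#	#$IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo		-j $Me
		#	#$IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'`		-j $Me
		#	#$IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'`			-j $Me
		#	DestroyChain $TempChain
		#	unset TempChain
		#fi
		;;
	status)
		# A listable chain means "created"; listing output itself is unwanted.
		if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
			echo "$Me created" >&2
		else
			echo "$Me destroyed" >&2
		fi
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
		cat <<EOTEXT >&2
	The $Me module is a helper module.  If a rule in some other part
of the firewall identifies something suspicious, it can choose to "-j
$Me".  For two minutes from that point, all packets from that
IP address get logged to userspace, where ulogd can save the complete
packets to a pcap/bpf file, or to a MySQL or Postgresql database.
EOTEXT
		;;
	*)
		# Report the task actually given.  The previous message printed
		# $Action, which nothing in this script assigns.
		echo "Unknown action $1 in $Me, no action taken." >&2
		;;
	esac
}

# Tasks is a whitespace-separated list supplied by the caller/config, so the
# unquoted expansion is the intended word-splitting.  OneTask stays a global
# in case a sourced helper reads it.
for OneTask in $Tasks ; do
	ScrutinizeSrcTask "$OneTask"
done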
