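#!/bin/sh
# By : Chris Lowth - December 2005
# Support Forum : http://www.lowth.com/rope/HelpForum
# ROPE Language Home : http://www.lowth.com/rope
# License : GPL (http://www.lowth.com/rope/GPL)
#
# Copyright (C) 2003,2004,2005 Chris Lowth - http://www.lowth.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Script used to set up ROPE for IpTables/NetFilter on IPCop 1.4.x to block various
# types of P-2-P traffic.
#
# Rule layout built below (in order): non-TCP packets leave the PEERTOPEER chain
# untouched; connections already carrying BAD_MARK are dropped and those carrying
# GOOD_MARK are passed; packets that the ROPE "tcpdata" script does not classify as
# data are passed; the first data packet seen on the GREEN interface is run through
# the ROPE script of each enabled protocol and a match sets BAD_MARK on the
# connection (CONNMARK); everything still unmarked at the end gets GOOD_MARK so the
# rest of the connection is not inspected again.
####################################################################################
### Edit these flags to be either "true" or "false" to select which P2P protocols to
### block...
BLOCK_BITTORRENT=true
BLOCK_GNUTELLA=true
BLOCK_EDONKEY2000=true
BLOCK_OPENNAP=true
#####################################################################################

# Connection marks in iptables "value/mask" form.  Each one uses a single bit so the
# two marks, and any mark set elsewhere on the firewall, do not clobber each other.
BAD_MARK=2/2
GOOD_MARK=4/4

# Test a BLOCK_* flag as a plain string: only the exact word "true" enables a
# protocol.  The flag value is never executed as a command, so a mistyped or
# unexpected value cannot run anything - it simply leaves the protocol disabled.
# Arguments: $1 - flag value
# Returns:   0 if enabled, 1 otherwise
is_enabled() {
  [ "$1" = "true" ]
}

# Append the rule that marks a connection as P2P when the named ROPE script matches.
# Only traffic entering on the GREEN (LAN-side) interface is inspected.
# Globals:   GREEN_DEV, BAD_MARK (read)
# Arguments: $1 - name of the ROPE script to match with
mark_p2p_connection() {
  iptables -A PEERTOPEER -p tcp -i "$GREEN_DEV" -m rope --rope-script "$1" \
    -j CONNMARK --set-mark "$BAD_MARK"
}

# Provides GREEN_DEV.  Abort rather than install rules with an empty "-i" argument
# if the settings file did not define it.
. /var/ipcop/ethernet/settings
if [ -z "$GREEN_DEV" ]; then
  echo "$0: GREEN_DEV is not set by /var/ipcop/ethernet/settings" >&2
  exit 1
fi

# Create the chain if it does not exist yet (on re-runs -N fails because it already
# exists, which is why its error output is discarded), then start from an empty
# rule set so the script is idempotent.
iptables -N PEERTOPEER 2>/dev/null
iptables -F PEERTOPEER

if is_enabled "$BLOCK_BITTORRENT" || is_enabled "$BLOCK_GNUTELLA" \
  || is_enabled "$BLOCK_EDONKEY2000" || is_enabled "$BLOCK_OPENNAP"; then
  # we only handle TCP/IP in this logic
  iptables -A PEERTOPEER \! -p tcp -j RETURN
  # If the connection has already been marked as p2p - drop the packets
  iptables -A PEERTOPEER -m connmark --mark "$BAD_MARK" -j DROP
  # or: if it has already been marked as "good", then allow it
  iptables -A PEERTOPEER -m connmark --mark "$GOOD_MARK" -j RETURN
  # we are only interested in data packets (actually - only the first one).
  iptables -A PEERTOPEER -m rope \! --rope-script tcpdata -j RETURN

  # If it's a p2p connection - mark the connection
  is_enabled "$BLOCK_BITTORRENT" && mark_p2p_connection bittorrent
  is_enabled "$BLOCK_GNUTELLA" && mark_p2p_connection gnutella
  is_enabled "$BLOCK_EDONKEY2000" && mark_p2p_connection ed2k_hello
  is_enabled "$BLOCK_OPENNAP" && mark_p2p_connection opennap

  # Re-check to see whether we should drop this packet
  iptables -A PEERTOPEER -m connmark --mark "$BAD_MARK" -j DROP
  # Otherwise flag the connection as "OK"
  iptables -A PEERTOPEER -j CONNMARK --set-mark "$GOOD_MARK"
fi

#---------------------------------------------------------------------------------------------
# Make the jump to the PEERTOPEER checking logic.
# NOTE: CUSTOMFORWARD is flushed first, so any other rules an administrator has
# placed in that chain are discarded every time this script runs; add them after
# this point (or in this script) if they must survive.
iptables -F CUSTOMFORWARD
iptables -A CUSTOMFORWARD -j PEERTOPEER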