#!/bin/sh

# knetfilter 3.0.1

#  Copyright (C) 2002 Luigi Genoni
#  		     venom@DarkStar.sns.it

# Pin the search path so iptables/awk/grep resolve to the system copies
# rather than to whatever the caller's environment happens to provide.
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
export PATH

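# Print a message to stderr and abort. Used where continuing would leave a
# truncated or misleading /etc/iptables.cfg behind.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Create /etc/iptables.cfg (truncating any previous copy) with the header
# every save mode shares. Callers append their own commands after it.
write_header() {
  {
    echo "#!/bin/sh"
    echo "export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/root/bin"
    echo
    echo "#This script has been generated by knetfilter Rule saving function"
    echo
  } > /etc/iptables.cfg
}

# Mark the generated script executable. Mode 755 matches the historical
# behaviour; note that it also leaves the saved ruleset readable by every
# local user, as is /etc/iptables_rules.cfg (created under the caller's umask).
finish_cfg() {
  chmod 755 /etc/iptables.cfg
}

# Native save: dump the live ruleset with iptables-save and generate a script
# that replays it with iptables-restore. This path is lossless; the
# "oldfnct" reconstruction below is not.
save_native() {
  iptables-save > /etc/iptables_rules.cfg \
    || die "kiptables-save: iptables-save failed, /etc/iptables.cfg not updated"
  write_header
  {
    echo "iptables-restore /etc/iptables_rules.cfg"
    echo
  } >> /etc/iptables.cfg
  finish_cfg
}

# Rebuild "iptables -A CHAIN ..." commands for one filter-table chain from the
# text of `iptables -L CHAIN -n`. Arguments: $1 - chain name (INPUT, ...).
# The substitutions map the listing's match descriptions back to command-line
# options; anything they do not recognise passes through untouched, so the
# output is a best-effort reconstruction, not a faithful copy of the ruleset.
# gensub() is a GNU awk extension.
filter_rules() {
  iptables -L "$1" -n | grep -v target | grep -v Chain \
    | awk '{print gensub(/spt:/, "--sport ", 1)}' \
    | awk '{print gensub(/spts:/, "--sport ", 1)}' \
    | awk '{print gensub(/dpt:/, "--dport ", 1)}' \
    | awk '{print gensub(/dpts:/, "--dport ", 1)}' \
    | awk '{print gensub(/type/, "--icmp-type ", 1)}' \
    | awk '{print gensub(/reject-with icmp-port-unreachable/, " ", 1)}' \
    | awk '{print gensub(/flags:0x0216\/0x022/, "--syn ", 1)}' \
    | awk '{print gensub(/state/, "-m state --state", 1)}' \
    | awk '{print gensub(/MARK match/, "-m mark --mark", 1)}' \
    | awk '{print gensub(/tcp/, " ", 2)}' \
    | awk '{print gensub(/udp/, " ", 2)}' \
    | awk '{print gensub(/icmp/, " ", 2)}' \
    | awk -v chain="$1" '{print "iptables -A " chain, "-p", $2, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, "-s", $4, "-d", $5, "-j", $1, ";"}'
}

# Same idea for one chain of the nat table. Arguments: $1 - chain name.
# The "type" -> "--icmp-type" substitution is applied to every nat chain
# (previously only POSTROUTING had it); the three chains are otherwise
# processed identically.
nat_rules() {
  iptables -t nat -L "$1" -n | grep -v target | grep -v Chain \
    | awk '{print gensub(/spt:/, "--source-port ", 1)}' \
    | awk '{print gensub(/spts:/, "--source-port ", 1)}' \
    | awk '{print gensub(/dpt:/, "--destination-port ", 1)}' \
    | awk '{print gensub(/dpts:/, "--destination-port ", 1)}' \
    | awk '{print gensub(/redir ports/, "--to ", 1)}' \
    | awk '{print gensub(/type/, "--icmp-type ", 1)}' \
    | awk '{print gensub(/to:/, "--to ", 1)}' \
    | awk '{print gensub(/tcp/, " ", 2)}' \
    | awk '{print gensub(/udp/, " ", 2)}' \
    | awk '{print gensub(/icmp/, " ", 2)}' \
    | awk -v chain="$1" '{print "iptables -t nat -A " chain, "-p", $2, "-j", $1, "-s", $4, "-d", $5, $6, $7, $8, $9, $10, $11, $12, ";"}'
}

# Same idea for one chain of the mangle table. Arguments: $1 - chain name.
# LOG rules are dropped (grep -v LOG), as in the original implementation.
mangle_rules() {
  iptables -t mangle -L "$1" -n | grep -v target | grep -v Chain | grep -v LOG \
    | awk '{print gensub(/spt:/, "--source-port ", 1)}' \
    | awk '{print gensub(/spts:/, "--source-port ", 1)}' \
    | awk '{print gensub(/dpt:/, "--destination-port ", 1)}' \
    | awk '{print gensub(/dpts:/, "--destination-port ", 1)}' \
    | awk '{print gensub(/type/, "--icmp-type ", 1)}' \
    | awk '{print gensub(/reject-with icmp-port-unreachable/, " ", 1)}' \
    | awk '{print gensub(/tcp flags:0x0216\/0x022 TOS/, "--syn ", 1)}' \
    | awk '{print gensub(/tcp flags:0x0216\/0x022 MARK/, "--syn ", 1)}' \
    | awk '{print gensub(/set/, "--set-tos", 1)}' \
    | awk '{print gensub(/TOS --set-tos/, "--set-tos", 1)}' \
    | awk '{print gensub(/MARK --set-tos/, "--set-mark ", 1)}' \
    | awk '{print gensub(/tcp/, " ", 2)}' \
    | awk '{print gensub(/udp/, " ", 2)}' \
    | awk '{print gensub(/icmp/, " ", 2)}' \
    | awk -v chain="$1" '{print "iptables -t mangle -A " chain, "-p", $2, "-j", $1, $6, $7, $8, $9, "-s", $4, "-d", $5, $10, $11, $12, $13, $14, $15, $16, $17, $18, ";"}'
}

# Emit "iptables -t TABLE -P CHAIN POLICY ;" for the built-in chains of a
# table. Arguments: $1 - table name (filter, nat, mangle).
# Only "Chain ... (policy ...)" lines are used: user-defined chains print
# "(N references)" instead and have no policy, so they must be skipped or the
# generated script would fail at restore time.
policies() {
  iptables -t "$1" -L -n -v | grep '^Chain ' | grep policy \
    | awk -v table="$1" '{print "iptables -t " table " -P", $2, $4, ";"}'
}

# The help arm must come before the catch-all: in the original order it was
# unreachable, and "kiptables-save help" silently rewrote /etc/iptables.cfg.
case "$1" in
  help|-h|--help)
    echo "usage:"
    echo "kiptables-save iptorig       (uses iptables native save)"
    echo "kiptables-save oldfnct       (uses built in save function)"
    exit 0
    ;;

  oldfnct)
    # Built-in save: reconstruct the rules by parsing `iptables -L` output.
    # Rules using matches the substitutions above do not know about will come
    # out wrong; prefer iptorig whenever iptables-save is available.
    write_header
    {
      echo "iptables -F"
      echo "iptables -t nat -F"
      echo "iptables -t mangle -F"
      for c in INPUT FORWARD OUTPUT; do filter_rules "$c"; done
      policies filter
      # NAT AND MASQUERADE
      for c in PREROUTING POSTROUTING OUTPUT; do nat_rules "$c"; done
      policies nat
      # MANGLE
      for c in PREROUTING OUTPUT; do mangle_rules "$c"; done
      policies mangle
    } >> /etc/iptables.cfg
    finish_cfg
    ;;

  *)
    # "iptorig", no argument, or anything unrecognised: native save.
    save_native
    ;;
esac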

# procfs tuning: the hardcoded settings below are disabled; the loop further down snapshots the current values instead


#echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/ip_dynaddr" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/conf/all/forwarding" >> /etc/iptables.cfg
#echo "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians" >> /etc/iptables.cfg
#echo "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" >> /etc/iptables.cfg
#echo "echo 65536 > /proc/sys/net/ipv4/route/max_size" >> /etc/iptables.cfg
#echo "echo 262144 > /proc/sys/net/core/optmem_max" >> /etc/iptables.cfg
#echo "echo 262144 > /proc/sys/net/core/rmem_default" >> /etc/iptables.cfg
#echo "echo 262144 > /proc/sys/net/core/rmem_max" >> /etc/iptables.cfg
#echo "echo 262144 > /proc/sys/net/core/wmem_default" >> /etc/iptables.cfg
#echo "echo 262144 > /proc/sys/net/core/wmem_max" >> /etc/iptables.cfg
#echo "echo 500 > /proc/sys/net/core/netdev_max_backlog" >> /etc/iptables.cfg

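# Record the current value of each sysctl so the generated script re-applies
# the same kernel settings alongside the rules. This only snapshots what is
# set now; it does not harden anything. Entries that are absent or unreadable
# on this kernel are skipped rather than emitting a broken "echo  > path".
# (wmem_default was listed twice; the duplicate is dropped.)
for i in \
  /proc/sys/net/ipv4/ip_forward \
  /proc/sys/net/ipv4/ip_dynaddr \
  /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \
  /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \
  /proc/sys/net/ipv4/conf/all/secure_redirects \
  /proc/sys/net/ipv4/conf/all/send_redirects \
  /proc/sys/net/ipv4/tcp_syncookies \
  /proc/sys/net/ipv4/conf/all/accept_source_route \
  /proc/sys/net/ipv4/conf/all/forwarding \
  /proc/sys/net/ipv4/conf/all/log_martians \
  /proc/sys/net/ipv4/conf/all/rp_filter \
  /proc/sys/net/ipv4/route/max_size \
  /proc/sys/net/core/optmem_max \
  /proc/sys/net/core/rmem_default \
  /proc/sys/net/core/rmem_max \
  /proc/sys/net/core/wmem_default \
  /proc/sys/net/core/wmem_max \
  /proc/sys/net/core/netdev_max_backlog
do
  [ -r "$i" ] || continue
  echo "echo $(cat "$i") > $i" >> /etc/iptables.cfg
done

echo "" >> /etc/iptables.cfg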


