From 52410106e90a6f9439f13ecf071cff3798a50a30 Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 21:35:37 -0400
Subject: [PATCH] replaced iptables-persistent with another iptables-persistent in /etc/init.d, this one also will save ipsets and allow persistence upon reboot. Cleaned up some code, changed debconf variables at iptables-persistent install to false. Still installs iptable-persistant through apt, just to get rid of all the foundation work for it to run, but is quickly replaced.
---
 conf/blacklist/blacklist | 4 +-
 conf/blacklist/china | 3 +-
 conf/blacklist/iptables-persistent | 182 +++++++++++++++++++++++++++++
 conf/blacklist/korea | 4 +-
 setup/blacklist.sh | 9 +-
 setup/dialog.sh | 14 +--
 6 files changed, 194 insertions(+), 22 deletions(-)
 create mode 100644 conf/blacklist/iptables-persistent
diff --git a/conf/blacklist/blacklist b/conf/blacklist/blacklist
index e42c7cba..2254583d 100644
--- a/conf/blacklist/blacklist
+++ b/conf/blacklist/blacklist
@@ -102,6 +102,4 @@ echo "Done!"
 # remove the spam list
 unlink $FILE
-# Persistence
-ipset save > /etc/ipset.up.rules
-iptables-save > /etc/iptables.up.rules
+/etc/init.d/iptables-persistent save
\ No newline at end of file
diff --git a/conf/blacklist/china b/conf/blacklist/china
index 5924bb83..8a38549e 100644
--- a/conf/blacklist/china
+++ b/conf/blacklist/china
@@ -3,5 +3,4 @@ curl http://www.okean.com/antispam/iptables/rc.firewall.china > /tmp/china.sh
 chmod +x /tmp/china.sh
 source /tmp/china.sh
 rm -f /tmp/china.sh
-ipset save > /etc/ipset.up.rules
-iptables-save > /etc/iptables.up.rules
+/etc/init.d/iptables-persistent save
diff --git a/conf/blacklist/iptables-persistent b/conf/blacklist/iptables-persistent
new file mode 100644
index 00000000..323a69b4
--- /dev/null
+++ b/conf/blacklist/iptables-persistent
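Review bot: The new `/etc/init.d/iptables-persistent save` line discards the exit status of the save: the init script it calls (added by this commit) reports rc=1 when writing any of its rules files fails, but this cron.daily script, and the identical line in conf/blacklist/china and conf/blacklist/korea, carry on regardless, so a failed save leaves stale or missing rules files with no trace in the cron mail. Suggest `/etc/init.d/iptables-persistent save || exit 1` in all three places. Since the save persists whatever the preceding steps left in the live ruleset, china and korea would presumably also benefit from reaching it only when their curl and source steps succeeded. The blacklist file now also ends without a trailing newline. The script's body begins above this hunk.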
@@ -0,0 +1,182 @@
+#!/bin/sh
+# Written by Simon Richter
+# modified by Jonathan Wiltshire
+# with help from Christoph Anton Mitterer
+# and again by Jordan Rinke
+#
+
+### BEGIN INIT INFO
+# Provides: iptables-persistent
+# Required-Start: mountkernfs $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# X-Start-Before: $network
+# X-Stop-After: $network
+# Short-Description: Set up iptables rules
+# Description: Loads/saves current iptables rules from/to /etc/iptables
+# to provide a persistent rule set during boot time
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+rc=0
+
+load_rules()
+{
+ log_action_begin_msg "Loading iptables rules"
+
+ #load IPsets
+ if [ ! -f /etc/iptables/rules.ipsets ]; then
+ log_action_cont_msg " skipping IPsets (no rules to load)"
+ else
+ log_action_cont_msg " IPset"
+ ipset restore -! < /etc/iptables/rules.ipsets 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #load IPv4 rules
+ if [ ! -f /etc/iptables/rules.v4 ]; then
+ log_action_cont_msg " skipping IPv4 (no rules to load)"
+ else
+ log_action_cont_msg " IPv4"
+ iptables-restore < /etc/iptables/rules.v4 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #load IPv6 rules
+ if [ ! -f /etc/iptables/rules.v6 ]; then
+ log_action_cont_msg " skipping IPv6 (no rules to load)"
+ else
+ log_action_cont_msg " IPv6"
+ ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ log_action_end_msg $rc
+}
+
+save_rules()
+{
+ log_action_begin_msg "Saving rules"
+
+ #save IPsets
+ #need at least iptable_filter loaded:
+ if ! ipset list | grep -i "name">/dev/null 2>&1; then
+ log_action_cont_msg " skipping IPset - no sets defined or not loaded"
+ elif [ -x /usr/sbin/ipset ] || [ -x /sbin/ipset ]; then
+ log_action_cont_msg " IPset"
+ ipset save | grep -iv "f2b"> /etc/iptables/rules.ipsets
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #save IPv4 rules
+ #need at least iptable_filter loaded:
+ /sbin/modprobe -q iptable_filter
+ if [ ! -f /proc/net/ip_tables_names ]; then
+ log_action_cont_msg " skipping IPv4 (no modules loaded)"
+ elif [ -x /sbin/iptables-save ]; then
+ log_action_cont_msg " IPv4"
+ iptables-save > /etc/iptables/rules.v4
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #save IPv6 rules
+ #need at least ip6table_filter loaded:
+ /sbin/modprobe -q ip6table_filter
+ if [ ! -f /proc/net/ip6_tables_names ]; then
+ log_action_cont_msg " skipping IPv6 (no modules loaded)"
+ elif [ -x /sbin/ip6tables-save ]; then
+ log_action_cont_msg " IPv6"
+ ip6tables-save > /etc/iptables/rules.v6
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ log_action_end_msg $rc
+}
+
+flush_rules()
+{
+ log_action_begin_msg "Flushing rules"
+
+ if ! ipset list | grep -i "name">/dev/null 2>&1; then
+ log_action_cont_msg " skipping IPset (no sets defined or not installed)"
+ elif [ -x /usr/sbin/ipset ] || [ -x /sbin/ipset ]; then
+ log_action_cont_msg " IPset"
+ ipset flush
+ fi
+
+
+
+ if [ ! -f /proc/net/ip_tables_names ]; then
+ log_action_cont_msg " skipping IPv4 (no module loaded)"
+ elif [ -x /sbin/iptables ]; then
+ log_action_cont_msg " IPv4"
+ for param in F Z X; do /sbin/iptables -$param; done
+ for table in $(cat /proc/net/ip_tables_names)
+ do
+ /sbin/iptables -t $table -F
+ /sbin/iptables -t $table -Z
+ /sbin/iptables -t $table -X
+ done
+ for chain in INPUT FORWARD OUTPUT
+ do
+ /sbin/iptables -P $chain ACCEPT
+ done
+ fi
+
+ if [ ! -f /proc/net/ip6_tables_names ]; then
+ log_action_cont_msg " skipping IPv6 (no module loaded)"
+ elif [ -x /sbin/ip6tables ]; then
+ log_action_cont_msg " IPv6"
+ for param in F Z X; do /sbin/ip6tables -$param; done
+ for table in $(cat /proc/net/ip6_tables_names)
+ do
+ /sbin/ip6tables -t $table -F
+ /sbin/ip6tables -t $table -Z
+ /sbin/ip6tables -t $table -X
+ done
+ for chain in INPUT FORWARD OUTPUT
+ do
+ /sbin/ip6tables -P $chain ACCEPT
+ done
+ fi
+
+ log_action_end_msg 0
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+ load_rules
+ ;;
+save)
+ save_rules
+ ;;
+stop)
+ # Why? because if stop is used, the firewall gets flushed for a variable
+ # amount of time during package upgrades, leaving the machine vulnerable
+ # It's also not always desirable to flush during purge
+ echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+ ;;
+flush)
+ flush_rules
+ ;;
+*)
+ echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+ exit 1
+ ;;
+esac
+
+exit $rc
\ No newline at end of file
diff --git a/conf/blacklist/korea b/conf/blacklist/korea
index bad21291..ba0e110d 100644
--- a/conf/blacklist/korea
+++ b/conf/blacklist/korea
@@ -3,5 +3,5 @@ curl http://www.okean.com/antispam/iptables/rc.firewall.korea > /tmp/korea.sh
 chmod +x /tmp/korea.sh
 source /tmp/korea.sh
 rm -f /tmp/korea.sh
-ipset save > /etc/ipset.up.rules
-iptables-save > /etc/iptables.up.rules
+/etc/init.d/iptables-persistent save
+
diff --git a/setup/blacklist.sh b/setup/blacklist.sh
index ccc822c9..28222545 100644
--- a/setup/blacklist.sh
+++ b/setup/blacklist.sh
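Review bot: In save_rules, the `if [ $? -ne 0 ]` after `ipset save | grep -iv "f2b"> /etc/iptables/rules.ipsets` tests grep's exit status, not ipset's (plain /bin/sh has no pipefail), so a failed `ipset save` is only reported if grep happens to match nothing, while a successful save whose every line contains "f2b" spuriously sets rc=1. The filter also drops every line containing that string, including `add` entries of unrelated sets whose name or comment merely contains it, while rules.v4 is written unfiltered and keeps any rule that references a dropped set; on such a host iptables-restore would presumably reject rules.v4 at boot and the filter table, blacklist DROP rule included, would not be loaded — worth checking on a machine where fail2ban uses ipset actions. Saving to a scratch file beside the target and filtering from it, as below, makes the status check test ipset itself; the copied comment `#need at least iptable_filter loaded:` above the IPset branch is stale and should be dropped or replaced with `#need ipset installed and at least one set defined:`.
```shell
 log_action_cont_msg " IPset"
 # save first, filter second: $? after a pipeline is grep's status, not ipset's
 if ipset save > /etc/iptables/rules.ipsets.tmp; then
 grep -iv "f2b" /etc/iptables/rules.ipsets.tmp > /etc/iptables/rules.ipsets
 else
 rc=1
 fi
 rm -f /etc/iptables/rules.ipsets.tmp
 # … unchanged: IPv4 and IPv6 save branches …
```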
@@ -8,14 +8,15 @@ source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
-apt_install -y ipset
+echo iptables-persistent iptables-persistent/autosave_v4 boolean false | debconf-set-selections
+echo iptables-persistent iptables-persistent/autosave_v6 boolean false | debconf-set-selections
+apt_install -y ipset dialog iptables-persistent
+cp conf/iptables-persistent /etc/init.d/iptables-persistent
 ipset create blacklist hash:net
 iptables -I INPUT -m set --match-set blacklist src -j DROP
 cp conf/blacklist/blacklist /etc/cron.daily/blacklist
 chmod a+x /etc/cron.daily/blacklist
 time /etc/cron.daily/blacklist
 source setup/dialog.sh
-iptables-save > /etc/iptables.up.rules
-sed -i -e "\$apre-up ipset restore < /etc/ipset.up.rules" /etc/network/interfaces
-sed -i -e "\$apost up iptables-restore < /etc/iptables.up.rules" /etc/network/interfaces
+/etc/init.d/iptables-persistent save
 echo "Blacklist has been installed. It will run daily automatically."
diff --git a/setup/dialog.sh b/setup/dialog.sh
index 0ae93bb2..f552fabb 100644
--- a/setup/dialog.sh
+++ b/setup/dialog.sh
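Review bot: `cp conf/iptables-persistent /etc/init.d/iptables-persistent` names a path this commit does not create; the new init script is added as conf/blacklist/iptables-persistent (see the diffstat and the `create mode 100644` line), so the copy fails and either the packaged script stays in place or, if setup aborts on error, the install stops here. The file is also committed with mode 100644, so wherever the destination does not already exist the copied script will not be executable. Change the line to `cp conf/blacklist/iptables-persistent /etc/init.d/iptables-persistent` and follow it with `chmod +x /etc/init.d/iptables-persistent`. Hosts set up by the previous version presumably still carry the `pre-up`/`post up` lines the removed sed commands appended to /etc/network/interfaces, plus the old /etc/ipset.up.rules and /etc/iptables.up.rules files, and nothing in this hunk removes them, so a re-run would leave two competing restore paths at boot. The script's body continues beyond this hunk.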
@@ -25,31 +25,23 @@ CHOICE=$(dialog --clear \
 clear
 case $CHOICE in
 1)
- echo "Ok Mr. Trump"
- echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
- echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
+ echo "Are you Donald Trump?"
 cp conf/blacklist/china /etc/cron.weekly/china
 chmod +x /etc/cron.weekly/china
 time /etc/cron.weekly/china
- apt-get install -y iptables-persistent
 ;;
 2)
 echo "Starting the Korean war again"
- echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
- echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
 cp conf/blacklist/korea /etc/cron.weekly/korea
 chmod +x /etc/cron.weekly/korea
 time /etc/cron.weekly/korea
- apt-get install -y iptables-persistent
 ;;
 3)
 echo "Blocking almost 1/3 of the world"
- echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
- echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
 cp conf/blacklist/sinokorea /etc/cron.weekly/sinokorea
 chmod +x /etc/cron.weekly/sinokorea
 time /etc/cron.weekly/sinokorea
- apt-get install -y iptables-persistent
 ;;
- 4) break;;
+ 4) echo "Doing nothing"
+ ;;
 esac
\ No newline at end of file
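Review bot: The new `4) echo "Doing nothing"` arm only matches an explicit selection of 4; when the dialog is cancelled or closed (the `dialog` call that sets CHOICE starts above this hunk) CHOICE is presumably empty, matches no arm, and the case ends silently, which reads the same as a successful no-op to whoever is running setup. Making the last arm the default, `*) echo "Doing nothing" ;;`, reports every non-blacklist outcome, and a default arm is also what the rest of the project's case statements (the `*)` branch in the new init script) use. The file still ends without a trailing newline after `esac`.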