#!/bin/sh
#
###
#
# wrapper script for the fwb_iptables ruleset compiler to transfer
# rulesets via ssh to a firewall and activate them.
#
###
#
# (K) 2001 by David Gullasch <gullasch@secunet.de>, <xonox@web.de>
# All rights reversed. Copy what you like, but give credit and
# include this note. TNX!
#
###
#
# Important:
#
#  One of the first firewall rules should allow ssh traffic to the
#  firewall, or you will lock yourself out. (If you didn't save the
#  activation script somewhere on the firewall you will cut your
#  own ssh connection while transferring commands to the remote
#  shell.)
#
###
#
# Installation (on the controlling host):
#
#  You should have a ssh installed and configured properly.
#  (--> RTFmanpage!)
#
#  Copy this file somewhere into your path:
#
#	# cp fwb_iptables_wrapper /usr/bin
#
#  Tell fwbuilder to use the wrapper:
#
#   plan A:
#     Insert "fwb_ipchains_wrapper" (or "fwb_iptables_wrapper")
#     as alternate compiler in the firewall dialog.
#
#   plan B:
#     edit /usr/{local/,}share/fwbuilder/resources.xml to make
#     fwbuilder recognize the wrapper as compiler platform
#     (added lines marked with +):
#
#  ,----------8<-------------8<-----------
#  |
#  |  <Platform name="iptables">
#  |    <compiler>fwb_iptables</compiler>
#  |  </Platform>
#  |
# +|  <Platform name="iptables_wrapper">
# +|    <compiler>fwb_iptables_wrapper</compiler>
# +|  </Platform>
#  |
#  |  <Platform name="ipfilter">
#  |    <compiler>fwb_ipfilter</compiler>
#  |  </Platform>
#  |
#  `----------8<-------------8<-----------
#
#
# Installation on the firewall:
#
#  You should have a sshd running that allows public-key
#  authenticated root login.
#
#  add your ~/.ssh/identity.pub (or ~/.ssh/id_dsa.pub) from
#  the controlling host to ~root/.ssh/authorized_keys on the
#  firewall (or ~root/.ssh/authorized_keys2, respectively). 
#
#  adjust the $PATH in the ssh environment by adding "PATH=/bin:/sbin"
#  to ~root/.ssh/environment (probably needed for e.g. awk in the
#  compiled scripts)
#
#  If you have done everything right, you should be able to do a
#
#	$ ssh root@123.45.67.89 /bin/sh
#
#  on the controlling host (substitute 123.45.67.89 with the
#  firewall's IP) and get a rootshell on the firewall without
#  password authentication.
#
###
#
# Use:
#
#  To transfer rulesets to the firewall add something like "-t /root"
#  to the compiler options or modify the default transparent behaviour
#  of this script below and compile. You should see a message
#  like "Transferring/activating firewall.fw to/at
#  123.45.67.89:/root/firewall.fw"
#
###
#
# New options:
#
# -t [DIR]
#       Transfer rulescript after compilation to the firewall (IP is
#       extracted from the .xml file). DIR specifies the rulescript's
#       remote location.  It must be absolute or absent. (In the
#       latter case the rulescript is not remotely saved and cutting
#       your own ssh connection can result in a completely locked
#       up computer. Use DIR or see your control connection killed
#       unless you know what you are doing!)
#
# -v
#       modifies the firewall script before the transfer to be more verbose.
#
###

#### customize following settings to fit your needs:
#
# the ruleset compiler that is transparently called
FWCOMPILER="fwb_iptables"
# [NO|YES] transfer rulesets by default?
DOTRANSFER="YES"
# [NO|YES] modify the firewall script for verbosity
VERBOSE="NO"
# $FIREWALL.fw is generated in that directory
DESTDIR="."
# default value for your ruleset .xml file
FILE="objects.xml"
# where to put $FIREWALL.fw on the remote machine
REMOTEDIR="/etc"
#
#### you shouldn't need to edit something below


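# do compilation as usual (and remove arguments not recognized by $FWCOMPILER):
# the wrapper-only options "-t [/DIR]" and "-v" are filtered out of the argument
# list before it is handed on; the unfiltered "$@" is parsed further below.
# ($FWCOMPILER is deliberately left unquoted so that a setting with extra
#  arguments keeps working; printf is used instead of echo so that the
#  arguments are never subject to echo's option/backslash handling.)
$FWCOMPILER $(printf ' %s ' "$@" | sed -e 's/ -t \/[^ ]*/ /g' -e 's/ -t / /g' -e 's/ -v / /g')
rc=$?
# the status must be saved before testing it: inside "if [ "$?" -ne 0 ]" the
# value of $? is already the (successful) status of the test itself, so the
# former "exit $?" always exited with 0 and never reported a failed compile.
if [ "$rc" -ne 0 ] ; then exit "$rc" ; fi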

# fetch our options: -t and -v are handled by this wrapper, while the
# word following -f, -d or -t is taken as that option's argument
prev=""
for arg in "$@" ; do
	case "$arg" in
		-t)	DOTRANSFER="YES" ;;
		-v)	VERBOSE="YES" ;;
		*)
			case "$prev" in
				-f)	FILE="$arg" ;;
				-d)	DESTDIR="$arg" ;;
				-t)	REMOTEDIR="$arg" ;;
			esac
			;;
	esac
	prev="$arg"
done

# the last argument is the name of the firewall object
FIREWALL="$arg"
SCRIPT="$DESTDIR/$FIREWALL.fw"

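#######################################
# Rewrite the generated ruleset script in place so that iptables is
# invoked with -v (first occurrence per line, as before).
# Arguments: $1 - path of the ruleset script
# Returns:   ed's exit status (its output is discarded)
#######################################
add_verbosity() {
	# printf instead of "echo -e": under a /bin/sh such as dash, "echo -e"
	# prints the "-e" literally and ed would get an invalid first command,
	# so the substitution was silently skipped.
	printf '%s\n' '%s/iptables/iptables -v/' 'w' | ed "$1" > /dev/null 2>&1
}

if [ "$VERBOSE" = "YES" ] ; then
	add_verbosity "$SCRIPT"
fi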
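######## awk/sed-magic for the old version of .xml file (fwbuilder version < 0.9) ########
#	FWIP=`awk -F \> -v RS=\<$FIREWALL '/^[^>]_type="FW"/ {print $1}' < $FILE | \
#	sed -n -e \
#	'/address="[^"]*"/{
#s/^.*address="\([^"]*\)".*$/\1/
#p
#}'`

#######################################
# Extract the address of a firewall object from the fwbuilder .xml file
# (layout of fwbuilder >= 0.9: <Firewall ... name="..." address="..." ...>).
# Arguments: $1 - path of the .xml file
#            $2 - name of the firewall object
# Outputs:   the first matching address on stdout (nothing if not found)
#######################################
extract_fw_ip() {
	# records are split on the opening tag, so $1 of each record is the
	# tag's attribute list (everything up to the first '>'). the name is
	# handed to awk via -v and matched as a fixed string, so a name with
	# spaces or regex metacharacters can neither break nor widen the match
	# (it used to be spliced unquoted into the awk program text).
	awk -F '>' -v 'RS=<Firewall ' -v name="$2" \
		'index($1, "name=\"" name "\"") { print $1 }' < "$1" |
		sed -n 's/^.*address="\([^"]*\)".*$/\1/p' |
		head -n 1
}

#######################################
# Print to stdout a /bin/sh program which, run on the firewall, stores the
# ruleset script under its remote path, makes it executable and execs it.
# Arguments: $1 - local ruleset script
#            $2 - absolute remote path for the script
#            $3 - firewall address (only used in the progress message)
#######################################
build_remote_payload() {
	# the inner here-document delimiter is quoted, so the remote shell
	# stores the ruleset verbatim: $, backquotes and backslashes need no
	# escaping. (the former sed 's/\$/\\\$/g' only covered "$"; an unquoted
	# here-document also interprets "\\", "\`" and a line-ending "\".)
	cat <<HEADER-END
#!/bin/sh
cat > "$2" <<'SCRIPT-END'
HEADER-END
	cat -- "$1"
	# a ruleset without a final newline would otherwise swallow the delimiter
	echo
	# printf instead of "echo -e": the remote /bin/sh may print "-e" literally
	cat <<FOOTER-END
SCRIPT-END
chmod +x "$2"
printf '%s\n' "Ok." "Activating $2 on $3 ... "
exec "$2"
FOOTER-END
}

if [ "$DOTRANSFER" = "YES" ] ; then

	SUPERUSER="root"	# the user supposed to set up the firewall

	FWIP=$(extract_fw_ip "$FILE" "$FIREWALL")

	# the address is data read from the .xml file: never hand an empty or
	# option-like value to ssh, where a leading "-" would be parsed as an option
	case "$FWIP" in
		"")	printf '%s\n' "no address found for firewall \"$FIREWALL\" in $FILE" >&2
			exit 1 ;;
		-*)	printf '%s\n' "refusing to use \"$FWIP\" as ssh host" >&2
			exit 1 ;;
	esac

	# a leading / in $REMOTEDIR means: deposit the script there before execution
	# (an empty $REMOTEDIR used to pass this test and store the script in /)
	case "$REMOTEDIR" in
		/*)
			REMOTESCRIPT="$REMOTEDIR/$FIREWALL.fw"
			printf '%s' "Transferring $SCRIPT to $FWIP:$REMOTESCRIPT ... "
			build_remote_payload "$SCRIPT" "$REMOTESCRIPT" "$FWIP" 2>&1 \
				| ssh "$SUPERUSER@$FWIP" '/bin/sh' 2>&1
			exit $?
			;;
		*)	# just execute the script on the firewall (DANGEROUS, see the
			# "Important" note at the top of this file)
			echo "Activating $SCRIPT at $FWIP"
			ssh "$SUPERUSER@$FWIP" '/bin/sh' 2>&1 < "$SCRIPT"
			exit $?
			;;
	esac
fi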

