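#!/bin/bash
# blockip (node) - add IPv4 addresses to (or remove them from) shorewall's
# blacklist file, then restart shorewall if anything actually changed.
#
# Usage: blockip [-r]IPADDRESS [[-r]IPADDRESS [-r]IPADDRESS...]
#   IPADDRESS     add this address to the blacklist
#   -rIPADDRESS   remove this address from the blacklist
#
# Must run as root (exits 1 otherwise). Exits 1 when given no arguments.
# Bad, duplicate or absent addresses are reported and skipped, never fatal.
set -euo pipefail

readonly BLACKLIST=/etc/shorewall/blacklist
# shorewall's blacklist file ends with this marker line; new entries are
# inserted just above it so the file keeps the shape shorewall expects.
readonly MARKER='#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
readonly USAGE="$(basename -- "$0") [-r]IPADDRESS [[-r]IPADDRESS [-r]IPADDRESS...]"
readonly INSTRUCTIONS='You need to provide at least one IP address as an argument to this script.
The -r switch will remove an IP from the blacklist.'

# Coloured status lines on stdout (green = ok, red = problem), as before.
# printf instead of 'echo -e' so an argument is never interpreted for escapes.
say_ok()  { printf '\033[0;32m%s\033[0m\n' "$*"; }
say_err() { printf '\033[0;31m%s\033[0m\n' "$*"; }

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
# The format check alone would accept e.g. 999.999.999.999, which shorewall
# only rejects later at restart time, so the octet range is checked here too.
# Arguments: $1 - candidate address
#######################################
valid_ip() {
  local ip=$1 octet
  [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  local IFS=.
  for octet in $ip; do
    # 10# forces decimal so a leading zero (010) is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Return 0 when $1 is present in the blacklist as a whole line.
# -F -x: fixed string, whole line. A bare 'grep 1.2.3.4' would also match
# 11.2.3.45 or 1a2b3c4, because '.' is a regex wildcard and the match is
# unanchored — that produced false "already in the blacklist" answers.
# Arguments: $1 - address (already validated)
#######################################
in_blacklist() {
  grep -qxF -- "$1" "$BLACKLIST"
}

#######################################
# Insert $1 above the marker line, or append it when the marker is missing
# (previously a missing marker silently added nothing but still reported
# success). The write is verified before success is reported.
# Arguments: $1 - address (already validated, so it holds only digits and
#                 dots and is safe inside the sed replacement)
# Returns:   0 on success, 1 if the entry could not be written
#######################################
add_ip() {
  local ip=$1
  if grep -qF -- "$MARKER" "$BLACKLIST"; then
    # GNU sed: '\n' in the replacement inserts a newline. The marker text
    # contains no BRE metacharacters, so it can be used as-is in the pattern.
    sed -i "s/^${MARKER}\$/${ip}\n${MARKER}/" "$BLACKLIST" || return 1
  else
    printf '%s\n' "$ip" >> "$BLACKLIST" || return 1
  fi
  in_blacklist "$ip" || return 1
  say_ok "$ip added to firewall blacklist..."
}

#######################################
# Delete the whole-line entry for $1. Dots are escaped so the pattern only
# matches that address, and the anchors stop removing 10.0.0.1 from also
# clipping 10.0.0.10 (the old unanchored 's/IP//' did both and left an empty
# line behind).
# Arguments: $1 - address (already validated)
# Returns:   0 on success, 1 if the entry is still present afterwards
#######################################
remove_ip() {
  local ip=$1 pattern
  pattern=${ip//./\\.}
  sed -i "/^${pattern}\$/d" "$BLACKLIST" || return 1
  if in_blacklist "$ip"; then
    return 1
  fi
  say_ok "$ip removed from firewall blacklist..."
}

#######################################
# Entry point: check privileges and arguments, process each address, and
# restart shorewall only when the blacklist was modified.
# Globals:   BLACKLIST, USAGE, INSTRUCTIONS (read)
# Arguments: the script's argv
#######################################
main() {
  local arg ip changed=0

  if (( EUID != 0 )); then
    echo "You need to be root to run this script."
    exit 1
  fi
  if (( $# < 1 )); then
    printf '%s\n%s\n' "$USAGE" "$INSTRUCTIONS"
    exit 1
  fi
  if [[ ! -w "$BLACKLIST" ]]; then
    say_err "$BLACKLIST is missing or not writable."
    exit 1
  fi

  for arg in "$@"; do
    if [[ $arg == -r* ]]; then
      ip=${arg#-r}
      if ! valid_ip "$ip"; then
        say_err "$arg is not a valid IP address, skipping..."
      elif in_blacklist "$ip"; then
        if remove_ip "$ip"; then
          changed=1
        else
          say_err "failed to remove $ip from $BLACKLIST"
        fi
      else
        say_err "$ip is not in the blacklist, not removing..."
      fi
    elif valid_ip "$arg"; then
      if in_blacklist "$arg"; then
        # already listed: report it but keep going with the other arguments
        say_err "$arg is already in the blacklist, not adding..."
      elif add_ip "$arg"; then
        changed=1
      else
        say_err "failed to add $arg to $BLACKLIST"
      fi
    else
      say_err "$arg is not a valid IP address, skipping..."
    fi
  done

  if (( changed )); then
    printf '\033[1;31mRestarting shorewall in 3 seconds... \033[1;36m[Use CTRL+C to stop]\033[0m\n'
    sleep 3
    shorewall restart
  else
    say_ok "Nothing changed in blacklist. No need to restart shorewall."
  fi
}

main "$@"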