#!/bin/bash
# harresi - populate a dedicated iptables chain from IP block/allow lists.
#
# Usage: harresi.sh [INPUT|OUTPUT|FORWARD]
#
# Reads *.list files from /etc/harresi/{blacklist,whitelist}, one source
# address per line ('#' starts a comment), and appends a rate-limited LOG
# rule plus a DROP (blacklist) or ACCEPT (whitelist) rule for each entry to
# the HARRESI chain, which is hooked into the selected filter chain.
# Must run as root.
set -euo pipefail

# Absolute path: a root-run script must not let PATH decide which
# "iptables" binary executes.
readonly IPTABLES=/sbin/iptables
readonly LIST_FOLDER=/etc/harresi
readonly BLACKLIST_DIR="$LIST_FOLDER/blacklist/"
readonly WHITELIST_DIR="$LIST_FOLDER/whitelist/"
readonly CHAIN="HARRESI"
# Log rule parameters: syslog level 4 (warning), rate-limited per entry so a
# flood from a listed address cannot fill the log.
readonly LOG_LEVEL=4
readonly LOG_LIMIT="12/min"
readonly LOG_BURST=20

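# Built-in chain of the filter table to hook into (INPUT, OUTPUT or FORWARD;
# the prompt calls them "tables", but they are chains). Taken from $1; if
# absent, prompted for, with INPUT as the default on empty input.
TABLE="${1:-}"

if [[ -z "$TABLE" ]]; then
  echo "Available iptables tables:"
  echo "  INPUT - filter incoming packets"
  echo "  OUTPUT - filter outgoing packets"
  echo "  FORWARD - filter forwarded packets"
  # -r keeps backslashes literal. The '|| true' matters under 'set -e':
  # read returns non-zero on EOF (stdin from /dev/null, or a piped answer
  # without a trailing newline), which otherwise kills the script before
  # the INPUT default below is ever applied.
  read -r -p "Select table [INPUT/OUTPUT/FORWARD]: " TABLE || true
  TABLE="${TABLE:=INPUT}"
fi

# Whitelist the value before it is spliced into an iptables command line.
if ! [[ "$TABLE" =~ ^(INPUT|OUTPUT|FORWARD)$ ]]; then
  echo "Error: Invalid table '$TABLE'. Must be INPUT, OUTPUT, or FORWARD." >&2
  exit 1
fi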

# Everything below talks to iptables, which needs root (CAP_NET_ADMIN).
if (( EUID != 0 )); then
  echo "Error: This script must be run as root." >&2
  exit 1
fi

# Both list directories must exist; an absent one is a setup error, not an
# empty list. NOTE(review): the script does not check that $LIST_FOLDER is
# root-owned and not group/world-writable, although its contents end up as
# arguments to a root-run iptables - worth verifying in deployment.
for required_dir in "$BLACKLIST_DIR" "$WHITELIST_DIR"; do
  if [[ ! -d "$required_dir" ]]; then
    echo "Error: Required directories missing. Check $LIST_FOLDER" >&2
    exit 1
  fi
done

# Create the working chain; -N fails when it already exists, which is the
# normal re-run case, so that failure is deliberately ignored.
"$IPTABLES" -N "$CHAIN" 2>/dev/null || :

# Empty the chain so stale entries from a previous run disappear. Note the
# window: from here until the lists are re-applied the chain matches nothing,
# and an abort in between leaves it partially populated.
"$IPTABLES" -F "$CHAIN"

# Hook the chain at position 1 of the selected built-in chain, exactly once
# (-C only tests whether the jump rule is already present).
if ! "$IPTABLES" -C "$TABLE" -j "$CHAIN" 2>/dev/null; then
  "$IPTABLES" -I "$TABLE" 1 -j "$CHAIN"
fi

echo "Applying firewall rules to $TABLE chain..."

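#######################################
# Validate one list entry as a literal IPv4 address or CIDR block.
# Only a dotted quad with an optional /0-32 prefix is accepted. Hostnames,
# IPv6 and anything beginning with '-' are rejected, so an entry can never
# be resolved through DNS at apply time or be parsed by iptables as an
# option instead of an address.
# Arguments: $1 - the trimmed entry
# Returns:   0 if valid, 1 otherwise
#######################################
harresi_valid_source() {
  local entry="$1"
  local addr prefix octet
  local -a octets

  [[ "$entry" =~ ^([0-9]{1,3}(\.[0-9]{1,3}){3})(/([0-9]{1,2}))?$ ]] || return 1
  addr="${BASH_REMATCH[1]}"
  prefix="${BASH_REMATCH[4]:-32}"
  (( 10#$prefix <= 32 )) || return 1

  IFS=. read -r -a octets <<< "$addr"
  for octet in "${octets[@]}"; do
    # Leading zeros are ambiguous (some address parsers read "010" as octal);
    # refuse them rather than guess what the kernel side will do.
    [[ "$octet" == 0 || "$octet" != 0* ]] || return 1
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Append a rate-limited LOG rule and an <action> rule to $CHAIN for every
# entry in $dir/*.list. Lines are stripped of '#' comments and surrounding
# whitespace; blank lines are skipped. Each file is fully validated before
# any rule from it is added, so a bad entry never leaves a file half-applied.
# Globals:   IPTABLES, CHAIN, LOG_LIMIT, LOG_BURST, LOG_LEVEL (read)
# Arguments: $1 - directory holding *.list files
#            $2 - iptables target (DROP / ACCEPT)
#            $3 - label used in the log prefix and the summary line
# Outputs:   one summary line on stdout
# Returns:   0 on success; 1 (after a message on stderr) if an entry is not
#            a valid IPv4 address or CIDR block
#######################################
apply_lists() {
  local dir="$1"
  local action="$2"
  local list_type="$3"
  local count=0
  local file line lineno entry
  local -a entries

  shopt -s nullglob
  for file in "$dir"/*.list; do
    [[ -f "$file" ]] || continue

    # Pass 1: parse and validate every line of this file.
    entries=()
    lineno=0
    while IFS= read -r line || [[ -n "$line" ]]; do
      lineno=$((lineno + 1))
      entry="${line%%#*}"
      # Trim with parameter expansion; the former 'echo | xargs' round trip
      # also interpreted quotes and backslashes in the entry.
      entry="${entry#"${entry%%[![:space:]]*}"}"
      entry="${entry%"${entry##*[![:space:]]}"}"
      [[ -z "$entry" ]] && continue
      if ! harresi_valid_source "$entry"; then
        shopt -u nullglob
        echo "Error: $file:$lineno: '$entry' is not an IPv4 address or CIDR block; no rules from this file were applied." >&2
        return 1
      fi
      entries+=("$entry")
    done < "$file"

    # Pass 2: apply. Validation guarantees $entry cannot start with '-',
    # so it is safe as the value of -s.
    (( ${#entries[@]} )) || continue
    for entry in "${entries[@]}"; do
      "$IPTABLES" -A "$CHAIN" -s "$entry" -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" -j LOG --log-prefix "HARRESI IPT $list_type " --log-level "$LOG_LEVEL"
      "$IPTABLES" -A "$CHAIN" -s "$entry" -j "$action"
      # Plain assignment, not '((count++))': that form returns 1 while count
      # is 0 and aborts the whole script under 'set -e' after the first entry.
      count=$((count + 1))
    done
  done
  shopt -u nullglob
  echo "  $list_type: Added $count rules from $dir"
}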


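# Blacklist first: iptables evaluates a chain top-down and the first match
# wins, so an address covered by both lists is DROPped (fail closed) and a
# whitelist entry can never override a blacklist entry. Swap the two calls
# if the whitelist is meant to take precedence.
apply_lists "$BLACKLIST_DIR" DROP "BLACKLIST"
apply_lists "$WHITELIST_DIR" ACCEPT "WHITELIST"

echo "Firewall rules applied to $TABLE chain successfully."

# Persist the ruleset at the path commonly read at boot by
# iptables-persistent. Write to a temp file in the same directory and rename
# over the target so a failing iptables-save cannot leave a truncated
# rules.v4 behind; the plain '>' redirect clobbered the file before
# iptables-save had produced a single line.
if command -v iptables-save >/dev/null 2>&1 && [[ -d /etc/iptables ]]; then
  tmp=$(mktemp /etc/iptables/rules.v4.XXXXXX)
  if iptables-save > "$tmp"; then
    # mktemp creates 0600; 0644 matches what the old redirect typically
    # produced under the default umask.
    chmod 0644 "$tmp"
    mv -f -- "$tmp" /etc/iptables/rules.v4
    echo "Rules saved to /etc/iptables/rules.v4"
  else
    rm -f -- "$tmp"
    echo "Error: iptables-save failed; /etc/iptables/rules.v4 left unchanged." >&2
    exit 1
  fi
fi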

