#!/bin/bash
# 
# rules_SNATpriv2pub.sh
#
# the README_tent1.html in this dir is based on this script (where "tent1"
# stands for tentative 1); you should start from the main README.html where
# successful setup is described.
#
# script to demonstrate Source Network Address Translation over a commie
# router ZTE ZXDSL 931 VII which hides your public address from you
#
# Copyright (C) 2016 Miroslav Rovis, <http://www.CroatiaFidelis.hr/>
#
# released under BSD license, see LICENSE, or assume general BSD license,
# meaning you can do basically anything with these scripts and data except
# claim that you wrote them/made them
#
# vars
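ipt=/sbin/iptables

# I was perfectly able to SNAT btwn two private networks, so my kernel likely
# has all the prerequisite built in. See:
# http://www.CroatiaFidelis.hr/foss/router/SNAT-demo/
# where find rules_SNATon2nets.sh which I base this script upon.

# SNAT needs the kernel to forward packets between interfaces, so the
# forwarding flag is checked rather than merely printed: with "0" the rules
# below are installed without complaint but nothing from gcn gets routed.
ip_forward_file=/proc/sys/net/ipv4/ip_forward
ip_forward=""
echo "cat /proc/sys/net/ipv4/ip_forward :"
if [ -r "$ip_forward_file" ]; then
  IFS= read -r ip_forward < "$ip_forward_file"
  printf '%s\n' "$ip_forward"
fi
# "1" must be printed on stdout; otherwise warn on stderr and say how to fix
# it. Deliberately no exit: the pause that follows lets the operator abort.
if [ "$ip_forward" != "1" ]; then
  printf 'WARNING: net.ipv4.ip_forward is "%s", not 1 -- run: sysctl -w net.ipv4.ip_forward=1\n' \
    "$ip_forward" >&2
fi
# iptables needs root (CAP_NET_ADMIN); every rule below would fail otherwise.
if [ "$(id -u)" -ne 0 ]; then
  printf 'WARNING: not running as root, the iptables calls below will fail\n' >&2
fi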
#
# Required for understanding of the issue is what Oskar Andreasson wrote
# about providers locking out their customers into privateland-IPs:
#
# https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NATCAVEATS 
# ( the third caveat )
#
# In my machine, when I connect online, the traffic is NAT'ed. To all and any
# programs in my machine it appears as if I were getting out via the server
# 192.168.1.1 and that my IP that my browser gets content with from anywhere on
# the internet were 192.168.1.4 and not, say:
# 93.138.43.55
# which is the current, temporary, IP of this machine of mine on the internet,
# as I'm writing this. (That one it was one day ago at the onset of these
# preps.) Ooops, not of this machine, but of the commie router ZXDSL 931 VII,
# which hides it from my machine, and I can only get it from places like
# myIP.com or if I log into my dear commier router.
#
# Again, my public address on the internet does not show in any traffic dumps
# either such as by dumpcap, which I use, nor would it if I used tcpdump, the
# Wireshark's dumpcap is as good as tcpdump, I believe.
#
# There are also functionalities taken away from what ZTE ships with their
# ZXDSL 931 VII modem/router, apparently gutted out by my provider, which you
# can see at:
# http://www.CroatiaFidelis.hr/foss/router/ZXDSL931VII/
# (where if you speak Croatian go for the README.html --but I may yet translate
# it some day-- for links details where further discussion, some in Croatian,
# has happened, or will only in the future, maybe in English, happen) or open
# this video straight from:
# http://www.CroatiaFidelis.hr/foss/router/ZXDSL931VII/Screen_160824_T-com_vs_Izvornik.webm
# (no text, just pure screencast, and the manual shown is in English, manual is
# available, let me find it for you, hopefully will remain available for some 
# time into the future (we've got an idiotic baseless censoring-prone system):
#
# ZTE ZXDSL 931VII (t-com) (page 2 of the topic)
# http://forum.pcekspert.com/showthread.php?&t=252833&page=2#post2600789
# or by post:
# http://forum.pcekspert.com/showthread.php?&p=2600789#post2600789
#
# the download is actually from:
# https://www.dropbox.com/s/2kkp6tu3lnxvsgm/SJ-20110324090655-002-ZXDSL%20931VII%20%28V2.0%29%20VDSL2%20Modem%20Maintenance%20Management%20Manual_341202.pdf
# but if it disappears you are likely to find a new link in those forums.
# People speak the world's current lingua franca (English) there; ask if you
# can't find it.
#
# The "read FAKE" lines are there to get a pause, and allow me to see how the
# rules are getting applied with:
# iptables -t <a-table> -L -n -v
# (in another terminal) if I feel like I need to.
# Simply hitting Enter at any pause moves on.
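read -r FAKE

# Wipe all four tables. The original did -X before -F, which is the wrong way
# round: -X only deletes user chains that are already empty and unreferenced,
# so a populated user chain survived the "flush". -Z zeroes the counters so
# "iptables -t <table> -L -n -v" shows only what this run produces.
# NOTE: this removes whatever host firewall was loaded before; since the
# policies are set to ACCEPT further down, g0n is unfiltered from here on.
for table in filter nat raw mangle; do
  if [ "$table" = filter ]; then
    echo " * flushing old rules"
  else
    echo " * flushing the $table table"
  fi
  $ipt -t "$table" -F
  $ipt -t "$table" -X
  $ipt -t "$table" -Z
  # pause after each table, see the "read FAKE" note above
  read -r FAKE
done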

# Experimenting, want to see what NAT looks like btwn two private networks

						# networks :
						# 192.168.2.0/24 (the interface to it is: $lan1_if)
						# 192.168.1.0/24 (the interface to it is: $lan2_if)
						# <the internet is NAT'ed to me through 192.168.1.0/24>
						# You can see how it looks like, say, from:
						# ../../cap/cap-160606-dns-hr/dump_160606_1328_g0n.pcap
						# in Wireshark or similarly.

						# hosts :
						# --- g0n accesses, via intermediary network, internet
						# and one truly private network, the internet it accesses
						# over this private network:
						# 192.168.1.4	g0n, set as static, pls. try open
						# from this directory the file:
						# (WARNING: saved from ZXDSL's interface when logged,
						# not sure which javascript code to remove out of way,
						# as I'm not familiar enough, use at your own risk)
						# Zxdsl931_lanDHCPbnd.htm to see how.
						# 
						# 192.168.2.2	g0n, the other interface of this host,
						# to home network 192.168.2.0/24 truly and only private
						# ---
						# And from that 192.168.2.0/24 network
						# I'll try connect, from this host:
						# 192.168.2.5	gcn
						# via SNAT'ing its connection to 192.168.1.4 or?...
						#
						# I'm at a loss here (since that one I already tried
						# and to no avail)...
						#
						# ...Or should I SNAT it to the temporary public address:
						# 93.138.43.55 ?
						#
						# I'll try SNAT'ing it to 93.138.43.55 ( the $lan2_ip )

						# Assigning variables now.

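# Interface facing the ZTE ZXDSL 931 VII ("commie router"). Its LAN is
# 192.168.1.0/24 and this host (g0n) is 192.168.1.4 on it (bound as static
# in the router's DHCP, see Zxdsl931_lanDHCPbnd.htm in this directory).
# The router NATs everything behind its own public address, which therefore
# never shows up in traffic captured on this host (dumpcap/tcpdump).
#
# All three settings can be overridden from the environment, e.g.
#   LAN2_IP=<the-current-one> ./rules_SNATpriv2pub.sh
# so the script no longer has to be edited each time the router's temporary
# public address changes. The defaults are the values used in tentative 1.
lan2_if="${LAN2_IF:-eth2}"

# The router's current, temporary public address as seen from the internet
# (read it off the router's web interface or a "what is my IP" site right
# before running; it changes). Traffic from gcn gets SNAT'ed to it below.
# It is NOT an address configured on $lan2_if -- pretending g0n can talk
# straight to it is the whole point of this (tentative) experiment.
lan2_ip="${LAN2_IP:-93.138.43.55}"

# Interface to the truly private home network 192.168.2.0/24, provided by a
# ~10 year old Siemens SX763 with DHCP, DNS etc. disabled, i.e. acting as a
# plain switch. g0n is 192.168.2.2 there; the client whose connections are
# SNAT'ed is gcn, 192.168.2.5, which can only see and talk to g0n.
lan1_if="${LAN1_IF:-eth1}"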

						# So what I'll do next, is, I'll execute this script,
						# I'll disable iptables on gcn, and I'll even disable
						# grsecurity RBAC on not only gcn but even g0n (just
						# this one time but will later carefully examine logs).
						# And I'll build the iptables with this script on:
						# g0n
						# enabling them by simply executing this script.
						# I'll first connect only shortly to log into the
						# commie router and check again my temp public IP.
						# Such as, in case it changed, I'll only replace the
						# new one into the:
						# lan2_ip="<the-current-one>"
						# line further above.
						#
						# The analogy with the peer directory ../SNAT-demo/
						# experiment is maximal: the rules below started as
						# an exact copy of its 8 (eight) lines of code.
						# And I'll run uncenz-only-dump.sh on the $lan2_if and
						# uncenz-1st on $lan1_if
						# (Just in case I really connect to, say:
						# http://www.netfilter.org ...but I fear much more work
						# till really I do...). And also the iproute2 and
						# iptables configs and states I will post.

						# Ah, I forgot, there's dnsmasq running on:
						# g0n
						# and so in:
						# gcn
						# I need to stick in /etc/resolv.conf a line:
						# nameserver 192.168.2.2
						# and post the system logs that will tell about it.

						# There is also the ZXDSL931 logs to take, before (when
						# I go and check the current public IP that I have) and
						# right after every tentative SNAT'ing.

						# There's even more. I just saw the SX763 packets
						# being dropped for some reason on this host...
						# God, this is getting too complex, but I have to do
						# it...

						# There I already have a few logs for analysis,
						# and I may even use some of the iptables lines from
						# the ZXDSL931 logs to maybe still add a little change
						# to the lines below... But not in the first tentative.

						# See:
						# Zxdsl931_logs_160822-160830.txt

						# The bad thing about taking the ZXDSL931 logs is it
						# can be done only manually here, well for now at
						# least, and that's really 1) too much extra work, and
						# 2) a human is not a machine, here it takes
						# remembering to do it in correct order and time, else
						# information may be harder to put together right
						# afterwards.

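# Default policies stay ACCEPT, as in the SNAT-demo this was copied from:
# nothing is actually filtered on this host and the state rules below only
# serve as counters for "iptables -L -n -v". (Had any policy been DROP, the
# flush above would have cut connectivity until this point.) To turn the two
# FORWARD rules into a real allow-list, set "-P FORWARD DROP" here; the flows
# this experiment needs are covered by them.
# $ipt is used throughout instead of a bare "iptables" so the whole script
# runs the same binary (see the ipt= line at the top).
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT

$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Forwarding: new connections only from the private side towards the router
# side, the reverse direction only for replies. The original rules matched on
# the input interface alone, so a NEW flow entering on $lan1_if towards any
# interface counted as well; with the ACCEPT policy this only changes what
# the counters count, but it is what a DROP policy would need.
$ipt -A FORWARD -i "$lan2_if" -o "$lan1_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i "$lan1_if" -o "$lan2_if" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# SNAT only what comes from gcn's network. POSTROUTING also sees g0n's own
# locally generated packets, so without the -s match this rule rewrote
# g0n's own traffic leaving $lan2_if (192.168.1.4 -> $lan2_ip) too -- an
# address the router cannot deliver replies for -- and g0n itself would lose
# connectivity for the duration of the experiment.
# NOTE: $lan2_ip is not configured on $lan2_if. Whether the ZXDSL accepts and
# NATs LAN packets that already carry its public address is what this
# "tentative 1" tests; the header points to README.html for the setup that
# did work, so do not expect this rule alone to give gcn internet access.
$ipt -t nat -A POSTROUTING -s 192.168.2.0/24 -o "$lan2_if" -j SNAT --to-source "$lan2_ip"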

