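#!/bin/bash
# Installer: writes the interactive UFW menu to /bin/menu-ufw and links it
# as /bin/MENU-UFW. Needs sudo rights; the generated menu also calls sudo for
# every privileged command, so it can be started by an ordinary user.
set -eu

###menu
# The here-doc delimiter is quoted, so nothing below is expanded by the
# installer. tee runs under sudo because a plain `sudo cat > /bin/...`
# redirect is opened by the unprivileged calling shell and fails.
sudo tee /bin/menu-ufw >/dev/null <<'EOF'
#!/bin/bash
# whiptail front-end for ufw (plus the fail2ban service).
# Deliberately not run under `set -e`: whiptail returns non-zero on Cancel
# and that status is checked explicitly after every dialog.

readonly SYSCTL_CONF=/etc/sysctl.conf
readonly ICMP_KEY=net.ipv4.icmp_echo_ignore_all
# Outgoing ports that the "strong" profile keeps open (DNS, mDNS, HTTP, HTTPS).
readonly ALLOWED_OUT_PORTS=(53 5353 80 443)

#######################################
# Show the ufw rules matching an ERE pattern in nano, via a private temp file.
# Arguments: $1 - extended regex applied to `ufw status` output
# Returns:   0 after the viewer closes, 1 if the temp file cannot be created
#######################################
show_rules() {
  local pattern=$1 tmp
  # mktemp instead of a fixed /tmp/port0.txt: no stale appends, no predictable name.
  tmp=$(mktemp) || return 1
  if sudo ufw status | grep -E -- "$pattern" > "$tmp"; then
    nano "$tmp"
  else
    echo "No matching rules."
  fi
  rm -f -- "$tmp"
}

#######################################
# Syntax guard for an IPv4/IPv6 address with optional /prefix, run before the
# value reaches a ufw command line; ufw does the full validation itself.
# Arguments: $1 - candidate address
# Returns:   0 if it looks like an address, 1 otherwise
#######################################
valid_ip() {
  [[ "$1" =~ ^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$ ]]
}

#######################################
# Ask for an address in an inputbox and print it on stdout.
# The fd swap sends whiptail's UI to the terminal and its result to stdout,
# so no temp file holds the user input.
# Arguments: $1 - dialog title, $2 - prompt
# Returns:   whiptail's status (non-zero on Cancel)
#######################################
ask_ip() {
  whiptail --title "$1" --inputbox "$2" 10 60 3>&1 1>&2 2>&3
}

#######################################
# Persist net.ipv4.icmp_echo_ignore_all=VALUE and apply it.
# Any earlier line for the key is removed first, so the previous
# "grep before append" check is unnecessary: the key is always absent here.
# Arguments: $1 - 1 to ignore ping, 0 to answer it
# Returns:   status of the last failing step, 0 on success
#######################################
set_icmp_ignore() {
  local value=$1
  sudo sed -i "/${ICMP_KEY}/d" "$SYSCTL_CONF" \
    && echo "${ICMP_KEY} = ${value}" | sudo tee -a "$SYSCTL_CONF" >/dev/null \
    && sudo sysctl -p
}

#######################################
# Delete every rule whose last column is exactly the given address.
# Numbers are deleted highest first so earlier deletions do not renumber the rest.
# Arguments: $1 - address as shown by `ufw status numbered`
#######################################
remove_ip_rules() {
  local ip=$1 rule_number
  local -a rule_numbers=()
  # -F'[][]' splits "[ 3] Anywhere  DENY IN  1.2.3.4" into "", " 3", " Anywhere ... 1.2.3.4".
  # The address is passed with -v, never interpolated into the awk program.
  mapfile -t rule_numbers < <(sudo ufw status numbered \
    | awk -F'[][]' -v ip="$ip" '
        { n = split($3, f, " "); if (n > 0 && f[n] == ip) { gsub(/ /, "", $2); print $2 } }' \
    | sort -rn)
  if (( ${#rule_numbers[@]} > 0 )); then
    for rule_number in "${rule_numbers[@]}"; do
      echo "Eliminando la regla número $rule_number que bloquea/permite la IP $ip"
      sudo ufw delete "$rule_number"
    done
  else
    echo "No se encontró ninguna regla para la IP $ip"
  fi
}

#######################################
# Submenu: enable/disable ICMP echo replies. Loops until Cancel.
#######################################
icmp_menu() {
  local network
  while :; do
    network=$(whiptail --title "ICMP Ping" --menu "Select menu:" 15 60 8 \
      "1" "Disable ICMP Ping" \
      "2" "Enable ICMP Ping" 3>&1 1>&2 2>&3) || { echo "You chose cancel."; break; }
    case "$network" in
      1) set_icmp_ignore 1 && whiptail --title "Check Port" --msgbox "ICMP Ping is disable" 0 50 ;;
      2) set_icmp_ignore 0 && whiptail --title "Check Port" --msgbox "ICMP Ping is Enable" 0 50 ;;
      *) echo "Invalid selection" ;;
    esac
  done
}

#######################################
# Submenu: per-address allow/deny/remove and black/white list views.
# Cancel in the submenu returns; Cancel in an inputbox exits the script (exit 1),
# as the original menu did.
#######################################
ip_menu() {
  local network ip
  while :; do
    network=$(whiptail --title "IP Address" --menu "Select menu:" 15 60 8 \
      "1" "Deny All trafic IP Address" \
      "2" "Permit All trafic IP Address" \
      "3" "Remove IP Addres" \
      "4" "List IP Black List" \
      "5" "List IP white List" 3>&1 1>&2 2>&3) || { echo "You chose cancel."; break; }
    case "$network" in
      1)
        ip=$(ask_ip "Deny IP address" "ingrese IP :") || { echo "You chose cancel. Exiting..."; exit 1; }
        if valid_ip "$ip"; then
          sudo ufw deny from "$ip"
        else
          echo "Invalid IP address: $ip" >&2
        fi
        ;;
      2)
        ip=$(ask_ip "Permit IP Address" "ingrese IP:") || { echo "You chose cancel. Exiting..."; exit 1; }
        if valid_ip "$ip"; then
          sudo ufw allow from "$ip"
        else
          echo "Invalid IP address: $ip" >&2
        fi
        ;;
      3)
        ip=$(ask_ip "Remove IP Address" "ingrese IP :") || { echo "You chose cancel. Exiting..."; exit 1; }
        if valid_ip "$ip"; then
          remove_ip_rules "$ip"
        else
          echo "Invalid IP address: $ip" >&2
        fi
        ;;
      4) show_rules 'Anywhere[[:space:]]+DENY[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' ;;
      5) show_rules 'Anywhere[[:space:]]+ALLOW[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' ;;
      *) echo "Invalid selection" ;;
    esac
  done
}

main() {
  local choix port
  while :; do
    choix=$(whiptail --title "Raspbian Proyect HP3ICC Menu UFW Firewall" \
      --menu "Note: DO NOT delete input port 22, you could lose control of your server, output port 53, 5353, 80, 443 are very necessary for communication via internet." 19 88 10 \
      1 " Enable Firewall" \
      2 " Disable Firewall " \
      3 " List Port open " \
      4 " List IP auto reject " \
      5 " Add or Remove port ( In, Out or Both ) " \
      6 " Protection standard (all port out is open) " \
      7 " Protection strong (only 53,5353,80,443 out open) " \
      8 " Enable Or Disable ICMP Ping " \
      9 " Permit or Deny IP Address " \
      10 " Menu Principal " 3>&1 1>&2 2>&3) || { echo "You chose cancel."; break; }
    echo "Your chosen option: $choix"
    case "$choix" in
      1)
        # restart == the original stop && start pair.
        sudo ufw enable && sudo systemctl enable ufw \
          && sudo systemctl restart fail2ban.service && sudo systemctl enable fail2ban.service
        ;;
      2)
        sudo ufw disable && sudo systemctl disable ufw \
          && sudo systemctl stop fail2ban.service && sudo systemctl disable fail2ban.service
        ;;
      3) show_rules ALLOW ;;
      4) show_rules REJECT ;;
      # Port helper installed separately; assumed to live at /bin/auto-ufw.sh.
      5) sh /bin/auto-ufw.sh ;;
      6)
        # Open the default first so the explicit rules are redundant before removal
        # (no window with neither the default nor the rules allowing egress).
        sudo ufw default allow outgoing
        for port in "${ALLOWED_OUT_PORTS[@]}"; do
          sudo ufw delete allow out to any port "$port"
        done
        ;;
      7)
        for port in "${ALLOWED_OUT_PORTS[@]}"; do
          sudo ufw allow out to any port "$port"
        done
        # Without this the allow-out rules are no-ops: ufw's shipped default already
        # permits all outgoing traffic, so "only these ports" requires deny by default.
        sudo ufw default deny outgoing
        ;;
      8) icmp_menu ;;
      9) ip_menu ;;
      10) break ;;
      *) echo "Invalid selection" ;;
    esac
  done
  exit 0
}

main "$@"
EOF
sudo chmod +x /bin/menu-ufw
sudo ln -sf /bin/menu-ufw /bin/MENU-UFW
# chmod on the symlink would only follow it to the target already made executable.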