#!/bin/sh
#			Prayishtar
#	 http://freaknet.org/alpt/src/utils/prayishtar
#
# prayishtar: forwards all your Internet traffic over two secure SSH tunnels
#	      or in other words: How to reach the Internet anonymously from a 
#	      hostile network
#
#    ** Requirements **
# You need two trusted SSH servers, one with a BIG BIG upload
# bandwidth and another normal one. We call the former `bigbwhost' and the
# latter `myhome'.
# You also need OpenSSH >= 4.3 on bost this localhost and on `myhome'
# Be sure also to have the support for /dev/tun, iptables and LARTC.
# 
#   ** This is what we do **
# We forward all of our Internet traffic trough a SSH vpn created with
# `myhome' and we use `bigbwhost' as a SSH proxy for applications which require
# a big bandwidth (like browsers):
#
# 	All outgoing Internet traffic -> SSH VPN -> myhome -> INTERNET
#
#	All outgoing http traffic -> SSH SOCKS proxy -> bigbwhost -> INTERNET
# 
#   ** TODO **
# Use Tor to create the SSH connections
#
#   ** Usage **
# The first command:
# 	  # prayishtar  myhomehost bigbwhost bighostuser
# f.e.:
#	  # prayishtar home.dyndns.org mybigserver.org foo
#
# You can also configure directly this script and launch it with no arguments:
#	  # prayishtar
# 
# 2)
#   In the browser we set a localhost:8080 SOCKS proxy, then leave the rest
#   untouched.
# 
# 3) You are done! Cryptolized trough SSH juicy tunnels. Even you dns query
#    will be in this way "<awpivn]3qaw0erv2oipa9ysrbvpq[][023-402v"
#
# 4) Enjoy ^_^
#
#
# PS: use "prayishtar stop" to clean the mess created by this script.
#
#
# AlpT (@freaknet.org)
#


########### CONFIGURE HERE ################
myhome=""
bigbwhost=""
bighostuser=""

tuniphome=10.0.0.2
tuniplocal=10.0.0.3
tunipnet="10.0.0.0/8"
########### CONFIGURE HERE ################


die()
{
	echo "$@"
	rm -f /tmp/prayishtar_default_gw
	exit 1
}

if test "$1" = "clean" -o "$1" = "stop"
then
	ip rule del lookup 213
	iptables -D POSTROUTING -t nat -j MASQUERADE -o ! lo
	iptables -D OUTPUT -t mangle -p tcp --dport 22 -j MARK --set-mark 0x71
	ip route del $tunipnet dev tun2 proto kernel  scope link  src $tuniplocal
	ip route del default 
	ip route del default table 213
	ip route replace $(< /tmp/prayishtar_default_gw)
	exit 
fi

if ! test -z "$1"
then
	myhome="$1"
fi

if ! test -z "$2"
then
	bigbwhost="$2"
fi
if ! test -z "$3"
then
	bighostuser="$3"
fi

if test $(id -u) != 0
then
	echo "Root privileges needed."
	echo "Get them."
	exit 1
fi

echo "Using myhome=$myhome and bigbwhost=$bighostuser@$bigbwhost"
if test -z "$myhome" -o -z "$bigbwhost" -o -z "$bighostuser"
then
	echo ""
	echo "[!] Please configure this script ( \"$0\" )"
	exit 1
fi

homeip=`host $myhome | cut -d ' ' -f 4`
bigbwhostip=`host $bigbwhost | cut -d ' ' -f 4`
myinsecuregw=`ip route | grep default | cut -d ' ' -f 3`

echo ""

echo "Opening ssh tunnel"
modprobe tun
remotecmd="modprobe tun; sleep 1; ifconfig tun2 $tuniphome"
remotecmd="$remotecmd; iptables -A POSTROUTING -t nat -j MASQUERADE -o ! lo"
remotecmd="$remotecmd; ip route replace $tunipnet dev tun2 proto kernel  scope link  src $tuniphome"
ssh -fnw 2:2 $myhome "$remotecmd" || die "Could not set up the SSH vpn"
sleep 1
ifconfig tun2 $tuniplocal

echo "Setting routes"
ip route replace $tunipnet dev tun2 proto kernel  scope link  src $tuniplocal
ip route | grep default | line > /tmp/prayishtar_default_gw
ip route del default 
ip route replace default via $tuniphome dev tun2

echo "Setting iptables"
# Do not send ssh traffic over the ssh tunnel ;)
iptables -A POSTROUTING -t nat -j MASQUERADE -o ! lo
iptables -A OUTPUT -t mangle -p tcp --dport 22 -j MARK --set-mark 0x71
ip rule add from all fwmark 0x71 lookup 213
ip route replace default via $myinsecuregw table 213 || die "Could not set default route"

echo "Remember to set the localhost:8080 SOCKS proxy in your browser"
echo ""
echo "Creating SOCKS to $bighostuser@$bigbwhost"
ssh -fnN $bigbwhostip -D 8080 -l $bighostuser || die "Could not set up the SOCKS proxy"

echo ""
echo "All done!"