Multi_Script/C/proxy_dual.c

/*
 * =====================================================================================
 * PROXY VPN DUAL ULTIMATE - EDICIÓN BARE-METAL V11 (FINAL)
 * Arquitectura: Dual-Stack (IPv4/IPv6) con Multiplexación de Puertos (80/443).
 * Seguridad: Anti-Flood dinámico, Auto-Ban en RAM, Evasión Capa 7 (Fake Web).
 * Optimización: C Nativo (POSIX) con Multihilos Detached y OpenSSL.
 * Compilación: gcc -O3 -o proxy_dual proxy_dual.c -lssl -lcrypto -lpthread
 * =====================================================================================
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <pthread.h>
#include <signal.h>
#include <time.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <errno.h>

// --- CONFIGURACIÓN DE RED ---
#define PORT_TCP 80
#define PORT_TLS 443
#define SSH_HOST "127.0.0.1"
#define SSH_PORT 22
#define BUFLEN 16384
#define MAX_CONNECTIONS 1000

// --- RUTAS DE SISTEMA ---
#define CERT_FILE "/root/cert.pem"
#define KEY_FILE "/root/key.pem"
#define LOG_FILE "/root/proxy-dual-c.log"

// --- CONFIGURACIÓN DE SEGURIDAD (ANTI-FLOOD) ---
#define MAX_TRACKED_IPS 500
#define AUTO_BAN_STRIKES 25  // Conexiones permitidas por segundo
#define BAN_TIME 3600        // 1 Hora de bloqueo

typedef struct {
    char ip[INET6_ADDRSTRLEN];
    time_t last_connect;
    int strikes;
    time_t ban_until;
} ip_record_t;

ip_record_t ip_database[MAX_TRACKED_IPS];
pthread_mutex_t ip_db_mutex = PTHREAD_MUTEX_INITIALIZER;

// --- RESPUESTAS FAKE WEB (CAMUFLAJE) ---
const char *FAKE_WEB_TCP = 
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: nginx/1.24.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 157\r\n"
    "Connection: close\r\n\r\n"
    "<html>\r\n<head><title>400 Bad Request</title></head>\r\n"
    "<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n"
    "<hr><center>nginx/1.24.0</center>\r\n</body>\r\n</html>\r\n";

const char *FAKE_WEB_TLS = 
    "HTTP/1.1 400 OK\r\n"
    "Server: nginx/1.21.0\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n\r\n"
    "<html><body><center><h1>400 Bad Request</h1></center></body></html>\r\n";

// --- MENSAJES ROTATIVOS ---
const char *MENSAJES[] = {
    "🚀 CONEXION ESTABLECIDA", "🛡️ CIFRADO MILITAR ACTIVO", "🔋 MODO SIGILO SSL OK",
    "Pfsense", "OPNsense", "VyOS", "Claro", "Altice", "Viva", "Google", "TNSR",
    "🌐 BYPASS FIREWALL OK", "💎 PREMIUM VIP", "⚡ VELOCIDAD MAXIMA"
};
#define NUM_MENSAJES (sizeof(MENSAJES) / sizeof(MENSAJES[0]))
int mensaje_idx = 0;
pthread_mutex_t msg_mutex = PTHREAD_MUTEX_INITIALIZER;

// --- ESTADO GLOBAL ---
int active_connections = 0;
pthread_mutex_t conn_mutex = PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;

typedef struct {
    int client_fd;
    struct sockaddr_storage addr; 
    int is_tls; 
    SSL_CTX *ssl_ctx;
} client_data_t;

// --- REGISTRO DE EVENTOS (THREAD-SAFE) ---
void write_log(const char *ip, const char *proto, const char *msg) {
    pthread_mutex_lock(&log_mutex);
    FILE *f = fopen(LOG_FILE, "a");
    if (f) {
        time_t now = time(NULL);
        struct tm *t = localtime(&now);
        char ts[64];
        strftime(ts, sizeof(ts), "%Y-%m-%d %H:%M:%S", t);
        
        char clean_ip[INET6_ADDRSTRLEN];
        if (ip && strncmp(ip, "::ffff:", 7) == 0) strcpy(clean_ip, ip + 7);
        else if (ip) strcpy(clean_ip, ip);
        else strcpy(clean_ip, "SISTEMA");

        fprintf(f, "[%s] [%s] [%s] %s\n", ts, proto, clean_ip, msg);
        printf("[%s] [%s] [%s] %s\n", ts, proto, clean_ip, msg);
        fclose(f);
    }
    pthread_mutex_unlock(&log_mutex);
}

// --- MOTOR DE SEGURIDAD ANTI-FLOOD ---
int check_ip_security(const char *ip) {
    pthread_mutex_lock(&ip_db_mutex);
    time_t now = time(NULL);
    int empty_slot = -1;

    for (int i = 0; i < MAX_TRACKED_IPS; i++) {
        if (ip_database[i].ip[0] == '\0') {
            if (empty_slot == -1) empty_slot = i;
            continue;
        }
        if (strcmp(ip_database[i].ip, ip) == 0) {
            if (ip_database[i].ban_until > now) {
                pthread_mutex_unlock(&ip_db_mutex);
                return 0; // Baneado
            }
            if (ip_database[i].last_connect == now) {
                ip_database[i].strikes++;
                if (ip_database[i].strikes > AUTO_BAN_STRIKES) {
                    ip_database[i].ban_until = now + BAN_TIME;
                    pthread_mutex_unlock(&ip_db_mutex);
                    return -1; // Nuevo Ban
                }
            } else {
                ip_database[i].strikes = 1;
                ip_database[i].last_connect = now;
            }
            pthread_mutex_unlock(&ip_db_mutex);
            return 1;
        }
    }
    
    if (empty_slot != -1) {
        strcpy(ip_database[empty_slot].ip, ip);
        ip_database[empty_slot].last_connect = now;
        ip_database[empty_slot].strikes = 1;
        ip_database[empty_slot].ban_until = 0;
    }
    pthread_mutex_unlock(&ip_db_mutex);
    return 1;
}

// --- CONFIGURACIÓN OPENSSL ---
SSL_CTX *init_ssl_context() {
    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();
    SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
    if (!ctx) return NULL;
    if (SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM) <= 0 ||
        SSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, SSL_FILETYPE_PEM) <= 0) {
        return NULL;
    }
    return ctx;
}

// --- CREACIÓN DE SOCKET DUAL-STACK (IPv4/IPv6) ---
int create_dual_socket(int port) {
    int s = socket(AF_INET6, SOCK_STREAM, 0);
    if (s < 0) return -1;
    
    int opt = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
    
    // Desactivar IPV6_V6ONLY para escuchar IPv4 simultáneamente
    int no = 0;
    setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &no, sizeof(no));

    struct sockaddr_in6 addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin6_family = AF_INET6;
    addr.sin6_addr = in6addr_any;
    addr.sin6_port = htons(port);

    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(s); return -1;
    }
    listen(s, 512);
    return s;
}

// --- MANEJADOR DE CONEXIÓN (HILO TRABAJADOR) ---
void *connection_worker(void *arg) {
    client_data_t *data = (client_data_t *)arg;
    int client_fd = data->client_fd;
    int is_tls = data->is_tls;
    SSL_CTX *ssl_ctx = data->ssl_ctx;

    char ip_str[INET6_ADDRSTRLEN];
    if (data->addr.ss_family == AF_INET) {
        struct sockaddr_in *s = (struct sockaddr_in *)&data->addr;
        inet_ntop(AF_INET, &s->sin_addr, ip_str, sizeof(ip_str));
    } else {
        struct sockaddr_in6 *s = (struct sockaddr_in6 *)&data->addr;
        inet_ntop(AF_INET6, &s->sin6_addr, ip_str, sizeof(ip_str));
    }
    free(data);

    const char *proto = is_tls ? "TLS" : "TCP";

    // 1. Seguridad Anti-Flood
    int sec = check_ip_security(ip_str);
    if (sec <= 0) {
        if (sec == -1) write_log(ip_str, proto, "⛔ IP Bloqueada por Flood.");
        close(client_fd);
        pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
        return NULL;
    }

    SSL *ssl = NULL;
    if (is_tls) {
        ssl = SSL_new(ssl_ctx);
        SSL_set_fd(ssl, client_fd);
        if (SSL_accept(ssl) <= 0) {
            SSL_free(ssl); close(client_fd);
            pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
            return NULL;
        }
    }

    // 2. Lectura con protección para NetMod (SSL_pending + select)
    char buffer[BUFLEN];
    int bytes = 0;
    fd_set rset; FD_ZERO(&rset); FD_SET(client_fd, &rset);
    struct timeval tv = {3, 0};

    int has_ssl_data = (is_tls) ? SSL_pending(ssl) : 0;
    if (has_ssl_data > 0 || select(client_fd + 1, &rset, NULL, NULL, &tv) > 0) {
        if (is_tls) bytes = SSL_read(ssl, buffer, sizeof(buffer) - 1);
        else bytes = recv(client_fd, buffer, sizeof(buffer) - 1, 0);
    }

    int target_fd = -1;
    long tx = 0, rx = 0;

    if (bytes > 0) {
        buffer[bytes] = '\0';
        
        // Conectar al SSH local
        struct sockaddr_in ssh_addr;
        target_fd = socket(AF_INET, SOCK_STREAM, 0);
        ssh_addr.sin_family = AF_INET;
        ssh_addr.sin_port = htons(SSH_PORT);
        inet_pton(AF_INET, SSH_HOST, &ssh_addr.sin_addr);

        if (connect(target_fd, (struct sockaddr *)&ssh_addr, sizeof(ssh_addr)) < 0) goto end;

        // Lógica de Enrutamiento L7
        if (strncmp(buffer, "SSH-", 4) == 0) {
            write_log(ip_str, proto, "✅ SSH Directo Detectado");
            send(target_fd, buffer, bytes, 0);
        } else if (strstr(buffer, "HTTP/") && !strstr(buffer, "Upgrade: websocket")) {
            write_log(ip_str, proto, "🕵️ Escáner HTTP. Fake Web enviada.");
            if (is_tls) SSL_write(ssl, FAKE_WEB_TLS, strlen(FAKE_WEB_TLS));
            else send(client_fd, FAKE_WEB_TCP, strlen(FAKE_WEB_TCP), 0);
            goto end;
        } else {
            // Inyector VPN (WebSocket)
            pthread_mutex_lock(&msg_mutex);
            const char *msg_rot = MENSAJES[mensaje_idx];
            mensaje_idx = (mensaje_idx + 1) % NUM_MENSAJES;
            pthread_mutex_unlock(&msg_mutex);

            char resp[2048];
            snprintf(resp, sizeof(resp),
                "HTTP/1.1 101 %s\r\n"
                "Server: nginx/1.24.0\r\n"
                "X-Forwarded-For: 127.0.0.1\r\n"
                "Content-Type: text/html; charset=UTF-8\r\n"
                "Proxy-Connection: keep-alive\r\n"
                "Cache-Control: no-cache\r\n"
                "X-Proxy-Agent: Gemini-Ultra-Dual-C-V11\r\n"
                "Connection: Upgrade\r\n"
                "Upgrade: websocket\r\n\r\n", msg_rot);
            
            if (is_tls) SSL_write(ssl, resp, strlen(resp));
            else send(client_fd, resp, strlen(resp), 0);
            
            write_log(ip_str, proto, "✅ Túnel Inyectado OK");
        }
    } else {
        // NetMod Silencioso
        struct sockaddr_in ssh_addr;
        target_fd = socket(AF_INET, SOCK_STREAM, 0);
        ssh_addr.sin_family = AF_INET;
        ssh_addr.sin_port = htons(SSH_PORT);
        inet_pton(AF_INET, SSH_HOST, &ssh_addr.sin_addr);
        if (connect(target_fd, (struct sockaddr *)&ssh_addr, sizeof(ssh_addr)) == 0) {
            write_log(ip_str, proto, "✅ Túnel Silencioso (Stunnel) OK");
        } else goto end;
    }

    // 3. Puente de Datos (Tunneling)
    int max_fd = (client_fd > target_fd) ? client_fd : target_fd;
    while (1) {
        fd_set fds; FD_ZERO(&fds); FD_SET(client_fd, &fds); FD_SET(target_fd, &fds);
        struct timeval sel_tv = {300, 0};
        
        int pending = (is_tls) ? SSL_pending(ssl) : 0;
        if (pending == 0) {
            if (select(max_fd + 1, &fds, NULL, NULL, &sel_tv) <= 0) break;
        }

        if (pending > 0 || FD_ISSET(client_fd, &fds)) {
            int r = (is_tls) ? SSL_read(ssl, buffer, BUFLEN) : recv(client_fd, buffer, BUFLEN, 0);
            if (r <= 0) break;
            send(target_fd, buffer, r, 0);
            rx += r;
        }
        if (FD_ISSET(target_fd, &fds)) {
            int r = recv(target_fd, buffer, BUFLEN, 0);
            if (r <= 0) break;
            if (is_tls) SSL_write(ssl, buffer, r);
            else send(client_fd, buffer, r, 0);
            tx += r;
        }
    }

end:
    if (target_fd != -1) close(target_fd);
    if (is_tls) { SSL_shutdown(ssl); SSL_free(ssl); }
    close(client_fd);
    
    double mb = (double)(tx + rx) / (1024.0 * 1024.0);
    if (mb > 0.05) {
        char stat[128]; snprintf(stat, sizeof(stat), "[*] Cierre Sesión. Tráfico: %.2f MB", mb);
        write_log(ip_str, proto, stat);
    }

    pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
    return NULL;
}

// --- HILO MAESTRO ---
int main(int argc, char **argv) {
    // Ignorar SIGPIPE para evitar crasheos por desconexiones bruscas
    signal(SIGPIPE, SIG_IGN);
    memset(ip_database, 0, sizeof(ip_database));

    SSL_CTX *ssl_ctx = init_ssl_context();
    int s_tcp = create_dual_socket(PORT_TCP);
    int s_tls = create_dual_socket(PORT_TLS);

    if (s_tcp < 0 || s_tls < 0) {
        fprintf(stderr, "Error al abrir los puertos. Revisa que no estén usados.\n");
        exit(1);
    }

    write_log(NULL, "SISTEMA", "=========================================================");
    write_log(NULL, "SISTEMA", "🚀 PROXY DUAL ULTIMATE V11 (C) - BARE-METAL");
    write_log(NULL, "SISTEMA", "🛡️  Dual-Stack (v4/v6) | Anti-Flood (25/s) | OpenSSL Fix");
    write_log(NULL, "SISTEMA", "=========================================================");

    int max_fd = (s_tcp > s_tls) ? s_tcp : s_tls;

    while (1) {
        fd_set master; FD_ZERO(&master); FD_SET(s_tcp, &master); FD_SET(s_tls, &master);
        if (select(max_fd + 1, &master, NULL, NULL, NULL) < 0) continue;

        int active_s = FD_ISSET(s_tcp, &master) ? s_tcp : s_tls;
        int is_tls = (active_s == s_tls);

        struct sockaddr_storage client_addr;
        socklen_t addr_len = sizeof(client_addr);
        int client_fd = accept(active_s, (struct sockaddr *)&client_addr, &addr_len);

        if (client_fd < 0) continue;

        pthread_mutex_lock(&conn_mutex);
        if (active_connections >= MAX_CONNECTIONS) {
            pthread_mutex_unlock(&conn_mutex); close(client_fd); continue;
        }
        active_connections++;
        pthread_mutex_unlock(&conn_mutex);

        client_data_t *d = malloc(sizeof(client_data_t));
        d->client_fd = client_fd; d->addr = client_addr; d->is_tls = is_tls; d->ssl_ctx = ssl_ctx;

        pthread_t tid;
        pthread_attr_t attr; pthread_attr_init(&attr);
        pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
        
        if (pthread_create(&tid, &attr, connection_worker, d) != 0) {
            close(client_fd); free(d);
            pthread_mutex_lock(&conn_mutex); active_connections--; pthread_mutex_unlock(&conn_mutex);
        }
        pthread_attr_destroy(&attr);
    }

    return 0;
}