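#!/bin/sh
# Script to control the firewall and packet filtering (ipchains).
#
# Usage: firewall {start|stop|status|restart}
#
# "start" builds the input, output and forward chains.  ipchains evaluates
# rules in order and the first match wins, so each chain is laid out as:
# anti-spoofing rejects, per-service ACCEPTs, then a logged catch-all.
# The default policies are set to DENY/REJECT before routing is switched
# on, so the box never forwards unfiltered while the rules are loading.
#
# The external address is read from $extint at start time; for a static
# address set extip by hand in start_firewall.

# Source function library.
. /etc/rc.d/init.d/functions

PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH

# If no rules, do nothing.
# [ -f /etc/ipchains.rules ] || exit 0

# Interfaces and networks.
extint="ppp0"            # external (PPP) interface
dialdint="tap0"          # diald trigger interface
intint="eth0"            # internal interface
intnet="192.168.0.0/24"  # internal network behind the masquerade

#######################################
# Print a diagnostic on stderr, prefixed with the script name.
# Arguments: the message words
#######################################
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

#######################################
# Discover the address currently assigned to the external interface.
# Globals:  extint (read)
# Outputs:  the dotted-quad address on stdout; nothing when the interface
#           has no address (link down, not yet dialled)
#######################################
external_address() {
  /sbin/ifconfig "$extint" 2>/dev/null \
    | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

#######################################
# Install the filtering ruleset.
# Globals:  extint dialdint intint intnet (read), extip (written)
# Outputs:  the external address on stdout; ipchains errors on stderr
# Returns:  0 (individual rule failures are reported by ipchains itself)
#######################################
start_firewall() {
  /sbin/modprobe -k ip_masq_ftp
  #/sbin/modprobe -k ip_masq_raudio
  #/sbin/modprobe ip_masq_irc
  #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
  echo "1" > /proc/sys/net/ipv4/ip_always_defrag

  ###########################################################################
  # Fail closed first: flush every chain and set a deny/reject policy before
  # any ACCEPT rule is appended and before ip_forward is enabled (which is
  # done last), so there is no window in which traffic is routed unfiltered.
  # The policies are mostly belt-and-braces, because each chain also ends in
  # a catch-all rule that denies and logs.
  #
  ipchains -F input
  ipchains -F output
  ipchains -F forward
  #ipchains -P input REJECT
  ipchains -P input DENY
  ipchains -P output REJECT
  ipchains -P forward DENY

  #for static ip address uncomment the following:
  extip=$(external_address)
  #extip="123.23.23.23"
  if [ -z "$extip" ]; then
    warn "no address on $extint; rules naming the external address will fail to load"
  fi
  printf '%s\n' "$extip"

  # MASQ timeouts
  #
  #   2 hrs timeout for TCP session timeouts
  #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
  #  60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
  #
  ipchains -M -S 7200 10 60

  ###########################################################################
  # Incoming.
  #
  # Replies to connections this host opened arrive *from* a well-known remote
  # port.  Those rules are limited to destination ports 1024:65535 and, for
  # TCP, to non-SYN packets ("! -y"): a rule that accepted anything from
  # source port 53/80/... would let a sender who chooses that source port
  # reach every local port, ahead of the 0:1023 DENY rules further down.
  #

  # local interface, local machines, going anywhere is valid
  #
  ipchains -A input -i "$intint" -s "$intnet" -d 0.0.0.0/0 -j ACCEPT

  # remote interface, claiming to be local machines, IP spoofing, get lost
  #
  ipchains -A input -i "$extint" -s "$intnet" -d 0.0.0.0/0 -l -j REJECT
  ipchains -A input -i "$dialdint" -s "$intnet" -d 0.0.0.0/0 -l -j REJECT

  # nothing at all is accepted inbound on the diald interface.  NOTE: this
  # rule precedes every per-service "$dialdint" rule below, so those never
  # match; they are kept in step with the "$extint" rules only so that
  # removing this line yields a coherent ruleset.
  ipchains -A input -i "$dialdint" -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

  #DNS query replies
  ipchains -A input -i "$extint" -p UDP -s 0.0.0.0/0 53:53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$dialdint" -p UDP -s 0.0.0.0/0 53:53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  #ipchains -A input -i "$extint" -p UDP -d "$extip" 53:53 -j ACCEPT

  #HTTP client replies / HTTP server on this host
  ipchains -A input -i "$extint" -p TCP ! -y -s 0.0.0.0/0 80:80 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP ! -y -s 0.0.0.0/0 80:80 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$extint" -p TCP -d "$extip" 80:80 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP -d "$extip" 80:80 -j ACCEPT
  #HTTP -secure- client replies / server on this host
  ipchains -A input -i "$extint" -p TCP ! -y -s 0.0.0.0/0 443:443 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP ! -y -s 0.0.0.0/0 443:443 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$extint" -p TCP -d "$extip" 443:443 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP -d "$extip" 443:443 -j ACCEPT
  #FTP client: control replies from port 21; active-mode data connections are
  # opened by the remote server from port 20 towards a high local port, so
  # SYN must be allowed there (into the unprivileged range only).
  ipchains -A input -i "$extint" -p TCP ! -y -s 0.0.0.0/0 21:21 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP ! -y -s 0.0.0.0/0 21:21 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$extint" -p TCP -s 0.0.0.0/0 20:20 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP -s 0.0.0.0/0 20:20 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  #FTP server on this host
  ipchains -A input -i "$extint" -p TCP -d "$extip" 20:21 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP -d "$extip" 20:21 -j ACCEPT
  #mail (POP3) client replies / server on this host
  ipchains -A input -i "$extint" -p TCP ! -y -s 0.0.0.0/0 110:110 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP ! -y -s 0.0.0.0/0 110:110 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$extint" -p TCP -d "$extip" 110:110 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP -d "$extip" 110:110 -j ACCEPT

  #identd
  #ipchains -A input -i "$extint" -p TCP -d "$extip" 113:113 -s 193.231.208.23 -j ACCEPT
  ipchains -A input -i "$extint" -p TCP -d "$extip" 113:113 -s 0.0.0.0/0 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP -d "$extip" 113:113 -s 0.0.0.0/0 -j ACCEPT
  #ipchains -A input -i "$extint" -p TCP -d "$extip" 113:113 -l -j REJECT

  #SMTP client replies / server on this host
  ipchains -A input -i "$extint" -p TCP ! -y -s 0.0.0.0/0 25:25 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP ! -y -s 0.0.0.0/0 25:25 -d 0.0.0.0/0 1024:65535 -j ACCEPT
  ipchains -A input -i "$extint" -p TCP -d "$extip" 25:25 -j ACCEPT
  ipchains -A input -i "$dialdint" -p TCP -d "$extip" 25:25 -j ACCEPT

  #other 0:1023 ports closed
  ipchains -A input -i "$extint" -p TCP -s 0.0.0.0/0 0:1023 -l -j DENY
  ipchains -A input -i "$dialdint" -p TCP -s 0.0.0.0/0 0:1023 -l -j DENY
  ipchains -A input -i "$extint" -p UDP -s 0.0.0.0/0 0:1023 -l -j DENY
  ipchains -A input -i "$dialdint" -p UDP -s 0.0.0.0/0 0:1023 -l -j DENY
  ipchains -A input -i "$extint" -p TCP -d 0.0.0.0/0 0:1023 -l -j DENY
  ipchains -A input -i "$dialdint" -p TCP -d 0.0.0.0/0 0:1023 -l -j DENY
  ipchains -A input -i "$extint" -p UDP -d 0.0.0.0/0 0:1023 -l -j DENY
  ipchains -A input -i "$dialdint" -p UDP -d 0.0.0.0/0 0:1023 -l -j DENY

  # remote interface, any source, going to permanent PPP address is valid
  # (only unprivileged ports get here; 0:1023 was denied just above)
  #
  ipchains -A input -i "$extint" -s 0.0.0.0/0 -d "$extip"/32 -j ACCEPT
  ipchains -A input -i "$dialdint" -s 0.0.0.0/0 -d "$extip"/32 -j ACCEPT

  # loopback interface is valid.
  #
  ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

  # catch all rule, all other incoming is denied and logged. pity there is no
  # log option on the policy but this does the job instead.
  #
  ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

  ###########################################################################
  # Outgoing (policy REJECT already set above).
  #

  # local interface, any source going to local net is valid
  #
  ipchains -A output -i "$intint" -s 0.0.0.0/0 -d "$intnet" -j ACCEPT

  # outgoing to local net on remote interface, stuffed routing, deny
  #
  ipchains -A output -i "$extint" -s 0.0.0.0/0 -d "$intnet" -l -j REJECT
  ipchains -A output -i "$dialdint" -s 0.0.0.0/0 -d "$intnet" -l -j REJECT

  # outgoing from local net on remote interface, stuffed masquerading, deny
  #
  ipchains -A output -i "$extint" -s "$intnet" -d 0.0.0.0/0 -l -j REJECT
  ipchains -A output -i "$dialdint" -s "$intnet" -d 0.0.0.0/0 -l -j REJECT

  # anything else outgoing on remote interface from our own address is valid.
  # NOTE: this matches before the per-service and 0:1023 rules below, so for
  # traffic sourced from "$extip" those rules only serve as accounting.
  #
  ipchains -A output -i "$extint" -s "$extip"/32 -d 0.0.0.0/0 -j ACCEPT
  ipchains -A output -i "$dialdint" -s "$extip"/32 -d 0.0.0.0/0 -j ACCEPT

  # loopback interface is valid.
  #
  ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

  #DNS query
  ipchains -A output -i "$extint" -p UDP -s "$extip" 53:53 -j ACCEPT
  ipchains -A output -i "$dialdint" -p UDP -s "$extip" 53:53 -j ACCEPT
  ipchains -A output -i "$extint" -p UDP -d 0.0.0.0/0 53:53 -j ACCEPT
  ipchains -A output -i "$dialdint" -p UDP -d 0.0.0.0/0 53:53 -j ACCEPT
  ipchains -A output -i "$intint" -p UDP -s "$intnet" 53:53 -j ACCEPT
  ipchains -A output -i "$intint" -p UDP -d 0.0.0.0/0 53:53 -j ACCEPT
  #HTTP ch
  ipchains -A output -i "$extint" -p TCP -s "$extip" 80:80 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -s "$extip" 80:80 -j ACCEPT
  ipchains -A output -i "$extint" -p TCP -d 0.0.0.0/0 80:80 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -d 0.0.0.0/0 80:80 -j ACCEPT
  #FTP ch
  ipchains -A output -i "$extint" -p TCP -s "$extip" 20:21 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -s "$extip" 20:21 -j ACCEPT
  ipchains -A output -i "$extint" -p TCP -d 0.0.0.0/0 20:21 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -d 0.0.0.0/0 20:21 -j ACCEPT

  #mail ch
  ipchains -A output -i "$extint" -p TCP -s "$extip" 110:110 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -s "$extip" 110:110 -j ACCEPT
  ipchains -A output -i "$extint" -p TCP -d 0.0.0.0/0 110:110 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -d 0.0.0.0/0 110:110 -j ACCEPT

  #identd: never query remote identd servers
  ipchains -A output -i "$extint" -p TCP -d 0.0.0.0/0 113:113 -l -j REJECT
  ipchains -A output -i "$dialdint" -p TCP -d 0.0.0.0/0 113:113 -l -j REJECT

  #SMTP ch
  ipchains -A output -i "$extint" -p TCP -s "$extip" 25:25 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -s "$extip" 25:25 -j ACCEPT
  ipchains -A output -i "$extint" -p TCP -d 0.0.0.0/0 25:25 -j ACCEPT
  ipchains -A output -i "$dialdint" -p TCP -d 0.0.0.0/0 25:25 -j ACCEPT

  #other 0:1023 ports closed
  ipchains -A output -i "$extint" -p TCP -s 0.0.0.0/0 0:1023 -l -j REJECT
  ipchains -A output -i "$dialdint" -p TCP -s 0.0.0.0/0 0:1023 -l -j REJECT
  ipchains -A output -i "$extint" -p UDP -s 0.0.0.0/0 0:1023 -l -j REJECT
  ipchains -A output -i "$dialdint" -p UDP -s 0.0.0.0/0 0:1023 -l -j REJECT
  ipchains -A output -i "$extint" -p TCP -d 0.0.0.0/0 0:1023 -l -j REJECT
  ipchains -A output -i "$dialdint" -p TCP -d 0.0.0.0/0 0:1023 -l -j REJECT
  ipchains -A output -i "$extint" -p UDP -d 0.0.0.0/0 0:1023 -l -j REJECT
  ipchains -A output -i "$dialdint" -p UDP -d 0.0.0.0/0 0:1023 -l -j REJECT

  # catch all rule, all other outgoing is denied and logged. pity there is no
  # log option on the policy but this does the job instead.
  ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

  ###########################################################################
  # Forwarding (policy DENY already set above).
  #

  # Masquerade from local net on local interface to anywhere.
  #
  #ipchains -A forward -i "$extint" -s "$intnet" -d 0.0.0.0/0 -j MASQ
  #ipchains -A forward -i "$dialdint" -s "$intnet" -d 0.0.0.0/0 -j MASQ

  #
  # catch all rule, all other forwarding is denied and logged. pity there is no
  # log option on the policy but this does the job instead.
  #
  # for no diald uncomment this
  #ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

  # for diald interface
  ipchains -A forward -j MASQ -s "$intnet"
  ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0

  #ipchains -A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -l -j MASQ -m 10000
  #ipchains -A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -l -j ACCEPT -f
  #ipchains -A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j fwd
  #ipchains -A fwd -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ -m 10001

  # Only now, with the forward chain in place, switch routing on.
  echo "1" > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Remove all filtering and stop routing.
# Outputs:  progress text on stdout
# Returns:  0
#######################################
stop_firewall() {
  printf '%s' "Turning off packet filtering:"
  echo 0 > /proc/sys/net/ipv4/ip_forward
  ipchains -X
  ipchains -F
  ipchains -P input ACCEPT
  ipchains -P output ACCEPT
  ipchains -P forward ACCEPT
  # Rules without a target: they only count packets/bytes for 192.168.0.4
  # and neither accept nor deny anything.
  ipchains -A input -s 0.0.0.0/0.0.0.0 -d 192.168.0.4/255.255.255.255
  ipchains -A output -s 192.168.0.4/255.255.255.255 -d 0.0.0.0/0.0.0.0
  echo "."
}

#######################################
# Dump the current ruleset.
# Outputs:  ipchains-save output on stdout
#######################################
status_firewall() {
  echo "Firewall settings:"
  ipchains-save
}

case "$1" in
  start|restart)
    start_firewall
    ;;
  stop)
    stop_firewall
    ;;
  status)
    status_firewall
    ;;
  *)
    echo "Usage: firewall {start|stop|status|restart}" >&2
    exit 1
    ;;
esac

exit 0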
