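#!/bin/sh
#
# IPTables (v 1.1.0 & to 1.1.2)
# script written by David Wirch (kuma@opensourcedot.com)
# Usability on v 1.2 is questionable (still testing)
# Debugged by David Bronaugh (dbonaugh@linuxhelp.bc.ca)
# v 2000110101
#
# Builds a masquerading gateway firewall with one outside interface (IF0)
# and an optional inside interface (IF1). Every table the script appends
# to (filter, nat, mangle) is flushed first, so it can be re-run without
# leaving duplicate rules behind.
#
# Requires: iptables, net-tools ifconfig (output of the form
# "inet addr:A.B.C.D  Bcast:...  Mask:..."), and lsmod when MODULES=yes.

# Outside Interface (Can be either ppp0 or eth0)
IF0="eth0"
# Address and netmask are parsed from net-tools ifconfig output. Only the
# first "inet addr" line is used so an interface with several addresses
# (or an inet6 line) does not yield a multi-line value.
IP0=$(ifconfig "$IF0" | grep 'inet addr' | head -n 1 | cut -d : -f 2 | cut -d ' ' -f 1)
MASK=$(ifconfig "$IF0" | grep Mask | head -n 1 | cut -d : -f 4)
LOCALNET="$IP0"
if [ -z "$LOCALNET" ]; then
  # Most rules below carry -d $LOCALNET; an empty value would make each of
  # them fail to load one by one, so stop before touching the ruleset.
  echo "Could not determine the IPv4 address of $IF0; aborting." >&2
  exit 1
fi
echo "IP: $LOCALNET/$MASK"

# Inside Interface (Can be either eth1 or none)
IF1="eth1"
# LAN is the inside host that is masqueraded and that the port
# redirections point at. It stays empty when there is no inside interface,
# and every rule that mentions it is then skipped (see lan_rule).
LAN=""
if [ "$IF1" != none ]; then
  LAN="10.0.1.2"
fi
GWIP="10.0.1.1"

# Everyone
WORLD="0/0"

# OPTIONS
EVENT_LOG=yes
MODULES=yes
TOS=yes
ICMP_BLOCK=no

# Locate the iptables binary; fall back to the usual install path.
FW=$(command -v iptables 2>/dev/null || echo /sbin/iptables)

#######################################
# Run an iptables command only when an inside host (LAN) is configured.
# With IF1=none the rule would otherwise be handed an empty -s/-d value
# and be rejected by iptables.
# Arguments: the iptables arguments, exactly as they would follow $FW
#######################################
lan_rule() {
  if [ -n "$LAN" ]; then
    "$FW" "$@"
  fi
}

#######################################
# True when the LOGDROP chain already exists in the filter table.
# -n avoids reverse DNS lookups, which can stall the listing.
#######################################
have_logdrop() {
  "$FW" -L LOGDROP -n >/dev/null 2>&1
}

echo "Starting Firewall..."

##### Flush rules
# The nat and mangle tables are flushed as well: the DNAT/SNAT/MASQUERADE
# and TOS rules below are appended, so a second run would otherwise
# duplicate them.
"$FW" -F INPUT
"$FW" -F OUTPUT
"$FW" -F FORWARD
"$FW" -t nat -F
"$FW" -t mangle -F
if have_logdrop; then
  "$FW" -F LOGDROP
else
  "$FW" -N LOGDROP
fi
echo "Flushing complete"

##### Event Logging (External feature) will log into /var/log/messages
# The LOG target is usable when ipt_LOG is loaded, or when MODULES=no says
# it is built into the kernel. LOGDROP always exists and always ends in
# DROP, so rules that jump to it (ICMP_BLOCK=yes) keep blocking even when
# logging itself is unavailable instead of failing to load.
LOG_AVAILABLE=no
if [ "$MODULES" = no ] || lsmod | grep -q ipt_LOG; then
  LOG_AVAILABLE=yes
fi
if [ "$LOG_AVAILABLE" = yes ] && [ "$EVENT_LOG" = yes ]; then
  "$FW" -A LOGDROP -p TCP -j LOG --log-level info --log-prefix "TCP Drop "
  "$FW" -A LOGDROP -p UDP -j LOG --log-level info --log-prefix "UDP Drop "
  "$FW" -A LOGDROP -p ICMP -j LOG --log-level info --log-prefix "ICMP Drop "
  "$FW" -A LOGDROP -f -j LOG --log-level emerg --log-prefix "FRAG Drop "
  echo "Event logging added"
else
  echo "Module ipt_LOG not present or logging not requested."
fi
"$FW" -A LOGDROP -j DROP

##### Set default policy
# VERY RISKY
# $FW -P INPUT DROP
# NOTE: with the INPUT policy left untouched, the DROP rules under
# "Set final rules" cover only TCP, UDP and IGMP; any other IP protocol
# reaching INPUT falls through to whatever the policy currently is.

##### Loopback
"$FW" -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
"$FW" -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

##### Forwarding and Masq.
if grep -q 1 /proc/sys/net/ipv4/ip_forward; then
  "$FW" -P FORWARD ACCEPT
  # Masquerade everything going out eth0.
  lan_rule -t nat -A POSTROUTING -o "$IF0" -s "$LAN" -j MASQUERADE
  # $FW -t nat -A POSTROUTING -s $LAN -j MASQUERADE
  # $FW -t nat -A POSTROUTING -o $IF0 -j SNAT --to $LOCALNET
  # $FW -t nat -A POSTROUTING -s $WORLD -d $LOCALNET -j SNAT --to $LOCALNET
  # Allow things from eth0 if they are related or established.
  lan_rule -A FORWARD -s "$LAN" -d "$LAN" -j ACCEPT
  lan_rule -A FORWARD -s "$LOCALNET" -d "$LAN" -j ACCEPT
  "$FW" -A FORWARD -i "$IF0" -m state --state RELATED,ESTABLISHED -j ACCEPT
  # NetBIOS is never forwarded in either direction.
  "$FW" -A FORWARD -p TCP -s "$WORLD" --dport 137:139 -j DROP
  "$FW" -A FORWARD -p UDP -s "$WORLD" --sport 137:139 -j DROP
  # Allow everything out eth0.
  # $FW -A FORWARD -o $IF0 -j ACCEPT
  lan_rule -A INPUT -s "$LAN" -d "$WORLD" -j ACCEPT
  lan_rule -A OUTPUT -s "$LAN" -d "$WORLD" -j ACCEPT
  # Redirecting (Starting example)
  #
  # FTP
  # $FW -A PREROUTING -t nat -p TCP -i $IF0 -d $LOCALNET --dport 20 \
  #   -j DNAT --to $LAN:20
  # $FW -A PREROUTING -t nat -p TCP -i $IF0 -d $LOCALNET --dport 21 \
  #   -j DNAT --to $LAN:21
  # WWW
  lan_rule -A PREROUTING -t nat -p TCP -d "$LOCALNET" --dport 80 \
    -j DNAT --to "$LAN:80"
  lan_rule -A PREROUTING -t nat -p UDP -d "$LOCALNET" --dport 80 \
    -j DNAT --to "$LAN:80"
  # NOTE(review): after the DNAT above the destination is already $LAN, so
  # the -d $LOCALNET match on these two SNAT rules looks unreachable — confirm.
  lan_rule -A POSTROUTING -t nat -s "$WORLD" -d "$LOCALNET" \
    -p TCP --dport 80 -j SNAT --to "$LAN"
  lan_rule -A POSTROUTING -t nat -s "$WORLD" -d "$LOCALNET" \
    -p UDP --dport 80 -j SNAT --to "$LAN"
else
  "$FW" -P FORWARD ACCEPT
fi

##### Access Permissions
# Internal system (only when an inside interface exists; lan_rule skips
# these otherwise, which is the same condition as IF1 != none)
lan_rule -A INPUT -s "$LAN" -d "$LOCALNET" -p TCP --dport 20: -j ACCEPT
lan_rule -A INPUT -s "$LAN" -d "$LOCALNET" -p UDP --sport 20: -j ACCEPT
lan_rule -A INPUT -s "$LAN" -d "$GWIP" -p TCP --dport 22 -j ACCEPT
lan_rule -A INPUT -s "$LAN" -d "$GWIP" -p UDP --sport 22 -j ACCEPT

##### Denied Permissions
#
##### Everything is logged except these:
"$FW" -A INPUT -p TCP -s "$WORLD" --sport 53 -d "$LOCALNET" -j DROP
# $FW -A INPUT -p TCP -s $WORLD --sport 113 -d $LOCALNET -j ACCEPT
"$FW" -A INPUT -p TCP -s "$WORLD" --sport 6666:7000 -d "$LOCALNET" -j DROP
# @Home Authorized Scanner (gets very annoying if logged)
"$FW" -A INPUT -s 24.0.0.0/24 -d "$LOCALNET" -j DROP

##### Upper Ports
# $FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 1023: -j ACCEPT
# $FW -A INPUT -s $WORLD -d $LOCALNET -p UDP --sport 1023: -j ACCEPT
# $FW -A OUTPUT -p TCP -s $WORLD --sport 1023: -d $LOCALNET -j ACCEPT
# $FW -A OUTPUT -p TCP -s $WORLD --sport 1023: -d $LOCALNET -j ACCEPT
# internal
# $FW -A INPUT -s $WORLD -d $LAN -p TCP --sport 1023: -j ACCEPT
# $FW -A INPUT -s $WORLD -d $LAN -p UDP --sport 1023: -j ACCEPT

# Extra (devel)
# Replies to connections this host opened (ESTABLISHED only; RELATED is
# not accepted here).
"$FW" -A INPUT -m state --state ESTABLISHED -j ACCEPT
# $FW -A OUTPUT -p TCP -s $LAN --syn
"$FW" -A OUTPUT -p TCP --tcp-flags ALL SYN,ACK -j ACCEPT
#$FW -A OUTPUT -p TCP --syn -j ACCEPT
#$FW -A INPUT -p TCP --syn -j ACCEPT
#$FW -A INPUT -p TCP --syn --dport 0:1023 -j LOGDROP

# Type Of Services: For help, type iptables -m tos -h
# Each entry is proto:port:tos and is applied to both the OUTPUT and the
# PREROUTING chain of the mangle table.
if [ "$TOS" = yes ]; then
  echo "Type Of Services enabled"
  for spec in tcp:20:8 tcp:21:16 tcp:22:16 tcp:23:16 tcp:25:16 \
      tcp:53:16 udp:53:16 tcp:80:8; do
    proto=${spec%%:*}
    rest=${spec#*:}
    port=${rest%%:*}
    tos=${rest#*:}
    "$FW" -t mangle -A OUTPUT -p "$proto" --dport "$port" -j TOS --set-tos "$tos"
    # Pre Routing
    "$FW" -t mangle -A PREROUTING -p "$proto" --dport "$port" -j TOS --set-tos "$tos"
  done
fi

##### Accepted Services
# FTP
# $FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 20 -j ACCEPT
# $FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 21 -j ACCEPT
# SSH
# $FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 22 -j ACCEPT
# Telnet
# $FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 23 -j ACCEPT
# SMTP
# $FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 25 -j ACCEPT
# DHCP (as written these are not valid iptables syntax: the trailing
# port needs --dport, and -i is not accepted on OUTPUT)
# $FW -A INPUT -i $IF0 -p udp -s $WORLD -d 255.255.255.255/24 67 -j ACCEPT
# $FW -A OUTPUT -i $IF0 -p udp -s $WORLD -d 255.255.255.255/24 68 -j ACCEPT
# WWW
"$FW" -A INPUT -s "$WORLD" -d "$LOCALNET" -p TCP --dport 80 -j ACCEPT
"$FW" -A INPUT -s "$WORLD" -d "$LOCALNET" -p UDP --dport 80 -j ACCEPT
# POP3
# $FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 110 -j ACCEPT
# Auth/identd
"$FW" -A INPUT -s "$WORLD" -d "$LOCALNET" -p TCP --dport 113 -j ACCEPT

##### Set final rules
"$FW" -A OUTPUT -s "$LOCALNET" -d "$WORLD" -o "$IF0" -p ICMP -j ACCEPT
# $FW -A INPUT -j LOGDROP
"$FW" -A INPUT -p TCP -j DROP
"$FW" -A INPUT -p UDP -j DROP
"$FW" -A INPUT -p IGMP -j DROP
"$FW" -A FORWARD -j DROP

# ICMP
if [ "$ICMP_BLOCK" = no ]; then
  "$FW" -A INPUT -p ICMP -i "$IF0" -j ACCEPT
  echo "ICMP Blocking disabled"
elif [ "$ICMP_BLOCK" = yes ]; then
  "$FW" -A INPUT -p ICMP -i "$IF0" -j LOGDROP
fi

"$FW" -A OUTPUT -j ACCEPT
# printf instead of "echo -n": the -n flag is not portable under /bin/sh.
printf 'Done\n'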