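#!/bin/sh
#
# /etc/init.d/firewall: start or stop firewalling
#
# Usage: firewall {start|stop|restart|reload|force-reload}
#
# Interfaces assumed by the rule set:
#   MAINIF - LAN side; hosts on LOCALNET reach local services through it
#   EXTIF  - upstream side; LOCALNET is masqueraded behind it and nothing
#            may be initiated from it except rate-limited ssh
#
# Configuration
MAINIF=eth0             # LAN interface (the original rules hard-coded eth0)
EXTIF=ppp0              # upstream interface (the original rules hard-coded ppp0)
LOCALNET="10.0.0.0/24"  # trusted LAN range; every "optional" service below is LAN-only
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Treat an unset variable as an error; "$1" is read as "${1:-}" below.
set -u

# Locate iptables: later directories in the list override earlier ones.
IPT="iptables"
for p in /usr/local/sbin /usr/sbin /sbin /usr/local/bin /usr/bin /bin ; do
  [ -x "$p/iptables" ] && IPT="$p/iptables"
done
# No usable iptables binary: nothing to manage, exit quietly as init scripts do.
[ -x "$IPT" ] || exit 0

#######################################
# Refuse to bring the firewall up unless MAINIF has an IPv4 address.
# Relies on the classic "inet addr:" ifconfig output format.
# Globals:   MAINIF (read)
# Outputs:   diagnostic on stderr when the interface has no address
# Returns:   exits 1 on failure so the init system sees no firewall is up
#######################################
require_mainif_up() {
  outaddr=$(ifconfig "$MAINIF" | perl -ne '/inet addr:(\S+)/ and print $1')
  if [ -z "$outaddr" ] ; then
    printf '%s %s\n' "Couldn't determine IP address for $MAINIF -- " \
      "is the interface active?" >&2
    exit 1
  fi
}

#######################################
# Flush and zero every chain this script populates.
# NOTE: the FORWARD policy set by start_fw is not reset here (as in the
# original), so forwarding stays disabled after "stop".
# Globals:   IPT (read)
#######################################
stop_fw() {
  for ch in INPUT OUTPUT FORWARD ; do
    $IPT -F "$ch"
    $IPT -Z "$ch"
  done
  $IPT -t nat -F POSTROUTING
  $IPT -t nat -Z POSTROUTING
}

#######################################
# Install the full rule set.
# Globals:   IPT, MAINIF, EXTIF, LOCALNET (read)
#######################################
start_fw() {
  # Make "start" idempotent: a second start must not append a second copy
  # of every rule.
  stop_fw

  # enable the kernel's spoof protection
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

  # Set the FORWARD policy before any FORWARD/NAT rule exists so there is
  # no moment with masquerading on and forwarding wide open.
  $IPT -P FORWARD DROP

  $IPT -A INPUT -i lo -j ACCEPT
  # ssh from any interface; new connections are rate-limited and anything
  # beyond the limit falls through to the final REJECT
  $IPT -A INPUT -p tcp -m state --state NEW \
    -m limit --limit 1/sec --limit-burst 5 \
    --dport ssh -j ACCEPT
  # no other connection may be initiated from the upstream side
  $IPT -A INPUT -m state --state NEW -i "$EXTIF" -j REJECT

  # ICMP, rate-limited; excess falls through to the final REJECT
  $IPT -A INPUT -m limit --limit 4/sec --limit-burst 10 \
    -p icmp -j ACCEPT

  # throw out contextually invalid packets
  $IPT -A INPUT -m state --state INVALID -j REJECT

  # accept packets on established connects, or those related thereto
  $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
  $IPT -A INPUT -m state --state RELATED -j ACCEPT

  # ICQ (any interface; new connections from EXTIF were already rejected above)
  $IPT -A INPUT -p tcp --dport 4000:4004 -j ACCEPT

  # optional: allow incoming smtp connects (mailservers)
  $IPT -A INPUT -i "$MAINIF" \
    -s "$LOCALNET" -p tcp --dport smtp -j ACCEPT

  # optional: allow incoming DNS queries (DNS servers)
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p udp --dport domain -j ACCEPT

  # optional: allow incoming NTP queries (NTP timeservers)
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p udp --dport ntp -j ACCEPT

  # web proxy
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport 3128 -j ACCEPT
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport 8080 -j ACCEPT

  # NFS
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport 2049 -j ACCEPT
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport sunrpc -j ACCEPT
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport 745 -j ACCEPT
  # NOTE: this accepts *every* UDP port from LOCALNET on MAINIF, not just
  # NFS; it also makes the samba UDP rule below redundant.
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p udp -j ACCEPT

  # lpt
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport printer -j ACCEPT

  # samba
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport 137:139 -j ACCEPT
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p udp --dport 137:139 -j ACCEPT

  # netatalk
  $IPT -A INPUT -s "$LOCALNET" -i "$MAINIF" -p tcp --dport afpovertcp -j ACCEPT

  # log and reject everything else.
  #$IPT -A INPUT -m limit --limit 60/minute --limit-burst=120 \
  #  -j LOG --log-prefix "input firewall "
  $IPT -A INPUT -j REJECT

  # masq/NAT setup: LOCALNET goes out through EXTIF; only replies and
  # LAN-originated traffic may cross, everything else is logged then dropped
  # by the FORWARD policy set above
  $IPT -t nat -A POSTROUTING -s "$LOCALNET" -o "$EXTIF" -j MASQUERADE
  $IPT -A FORWARD -i "$EXTIF" -o "$MAINIF" -d "$LOCALNET" -j ACCEPT
  $IPT -A FORWARD -i "$MAINIF" -s "$LOCALNET" -o "$EXTIF" -j ACCEPT
  $IPT -A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "bad masq "
}

case "${1:-}" in
  start)
    # the interface check only matters for start; stop must work regardless
    require_mainif_up
    printf '%s' "Starting iptables firewalling: "
    start_fw
    echo done
    ;;
  stop)
    printf '%s' "Clearing iptables firewalls: "
    stop_fw
    echo done
    ;;
  restart|reload|force-reload)
    "$0" stop
    # propagate a failed start instead of reporting success below
    "$0" start || exit 1
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
    exit 1
    ;;
esac
exit 0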