#!/bin/sh
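# Arguments as pppd hands them to an ip-up script:
#   interface-name tty-device speed local-IP-address remote-IP-address ipparam
INTERFACE=$1
DEVICE=$2
SPEED=$3
LOCALIP=$4
REMOTEIP=$5
LOGDEVICE=$6

# Every rule for the dial-up side embeds these two values ("-i $INTERFACE",
# "-d $LOCALIP/32").  Empty values turn into malformed rules that ipchains
# rejects one by one, leaving holes in the rule set -- refuse to run instead.
if [ -z "$INTERFACE" ] || [ -z "$LOCALIP" ]; then
  echo "usage: $0 interface tty-device speed local-ip remote-ip [ipparam]" >&2
  exit 1
fi

IPMASQADM=/usr/sbin/ipmasqadm
IPCHAINS=/sbin/ipchains
IPTABLES=/sbin/iptables
ROUTE=/sbin/route
IPCHECK=/etc/ppp/ipcheck.py

ANYWHERE=0.0.0.0/0
LOOPBACK=127.0.0.0/8
LOCALHOST=127.0.0.1/32
DHCPFIX=255.255.255.255          # limited-broadcast address DHCP clients send to

DENY=DENY                        # ipchains target for dropped packets (DENY drops silently)
DUMP=/etc/ppp/fire.log           # all ipchains/route output (stdout and stderr) is appended here

# Network configuration
# support for DHCPD (adds a host route for $DHCPFIX on every local interface)
DHCPD=yes
LOCALNET=192.168.0.0/16
# More specific local networks.  NOTE(review): defined but not referenced by
# any rule in this script; the rules only ever use LOCALNET.
LOCALNETS="192.168.100.100/24 192.168.10.10/24 192.168.1.1/24"
# The names of your local interfaces
LOCALINTERFACES="eth0 eth1 eth2"

# Ports that may be reached from the outside on $LOCALIP.
# Change the last range to 1024:65535 if you want to use the gateway itself
# to access the internet directly, because Linux treats every port above 1023
# as 'free to use' for client sockets.  Working as root on the gateway is bad
# practice anyway, so the default keeps it tight.
# These are the masquerading ports in my kernel:
#./net/ip_masq.h:27:#define PORT_MASQ_BEGIN 61000
#./net/ip_masq.h:28:#define PORT_MASQ_END (PORT_MASQ_BEGIN+4096)
# so for extra safety all ports are blocked except the masq ports 61000:65096.
# Small list of commonly used servers:
#ftp : TCP 20 21
#telnet : TCP 23
#DNS : TCP 53 and(!) UDP 53 -- when an answer exceeds the 512-byte UDP limit the client retries over TCP
#WWW : TCP 80
#IDENT : TCP 113
ALLOW_TCP_PORTS='113 1024:5000 61000:65096'
ALLOW_UDP_PORTS='1024:5000 27501 61000:65096'
# New connections (SYN) to these ports are logged and dropped before the
# ALLOW_TCP_PORTS rules are consulted, so an overlapping range such as
# 1024:5000 only admits replies to connections we opened, not new servers.
BLOCK_SYN_PORTS='1024:60999' #61000:65096
# ICMP accepted from the outside.  'redirect' was dropped from this list: a
# host on the dial-up link must not be able to rewrite this gateway's routing
# table.  destination-unreachable (which includes fragmentation-needed) and
# time-exceeded stay so path-MTU discovery and traceroute keep working.
ALLOW_ICMP_TYPES='echo-reply destination-unreachable time-exceeded'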

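local_21 ()
{
  # Baseline rule set: LAN interfaces, loopback, TOS tweaks and the logging
  # catch-all denies.  Called before inet_21, which inserts the dial-up rules
  # in front of what is appended here and removes the catch-alls again.
  #
  # Fail closed: set the default policies to DENY *before* flushing, so the
  # chains are never empty under an ACCEPT policy while the rules below are
  # being rebuilt.  All ipchains/route output goes to $DUMP -- note the
  # redirection order ">>file 2>&1"; the other way round ("2>&1 >>file")
  # sends stderr to the console and only stdout to the log.
  $IPCHAINS -P input $DENY >> "$DUMP" 2>&1
  $IPCHAINS -P output $DENY >> "$DUMP" 2>&1
  $IPCHAINS -P forward $DENY >> "$DUMP" 2>&1
  $IPCHAINS --flush >> "$DUMP" 2>&1
  # $IPMASQADM portfw -f

  # TOS tweaks for the output chain.  A rule without -j only rewrites the TOS
  # bits and lets traversal continue, but ACCEPT ends traversal -- so these
  # have to sit in front of every ACCEPT rule or they never see a packet.
  $IPCHAINS -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10 >> "$DUMP" 2>&1 #minimal delay
  $IPCHAINS -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10 >> "$DUMP" 2>&1 #minimal delay
  $IPCHAINS -A output -p udp -d 0.0.0.0/0 -t 0x01 0x10 >> "$DUMP" 2>&1 #minimal delay
  $IPCHAINS -A output -p tcp -d 0.0.0.0/0 ftp-data -t 0x01 0x08 >> "$DUMP" 2>&1 #maximal throughput
  $IPCHAINS -A output -p tcp -d 0.0.0.0/0 http -t 0x01 0x08 >> "$DUMP" 2>&1 #maximal throughput
  # $IPCHAINS -A output -p tcp -d 0.0.0.0/0 snmp -t 0x01 0x04 #maximal reliability

  # LAN side: trust LOCALNET on each local interface, in all three chains.
  for locali in $LOCALINTERFACES
  do
    $IPCHAINS -A input --source $LOCALNET --destination $ANYWHERE --interface "$locali" -j ACCEPT >> "$DUMP" 2>&1
    $IPCHAINS -A output --source $ANYWHERE --destination $LOCALNET --interface "$locali" -j ACCEPT >> "$DUMP" 2>&1
    $IPCHAINS -A forward --source $LOCALNET --destination $LOCALNET --interface "$locali" -j ACCEPT >> "$DUMP" 2>&1
    if [ "$DHCPD" = "yes" ] ; then
      # host route for the DHCP limited-broadcast address; kernels > 2.1 may
      # not need it.  If the route already exists the error lands in $DUMP.
      # if [ -z "$( $ROUTE | awk ' { print $1 " " $8 } ' | grep $locali | grep $DHCPFIX)" ] ; then
      $ROUTE add -host $DHCPFIX "$locali" >> "$DUMP" 2>&1
      # fi
    fi
  done
  $IPCHAINS -A input --source $ANYWHERE --destination $ANYWHERE --interface lo -j ACCEPT >> "$DUMP" 2>&1
  $IPCHAINS -A output --source $ANYWHERE --destination $ANYWHERE --interface lo -j ACCEPT >> "$DUMP" 2>&1

  # Dial-up side.  Deliberately *no* input ACCEPT for LOCALNET-sourced
  # packets on $INTERFACE: a LAN address arriving on the external link is
  # spoofed.  inet_21 inserts a logging deny for exactly that case; until it
  # runs, such packets fall through to the catch-all deny below.
  $IPCHAINS -A output --source $LOCALNET --destination $ANYWHERE --interface "$INTERFACE" -j ACCEPT >> "$DUMP" 2>&1
  $IPCHAINS -A forward --source $LOCALNET --destination $ANYWHERE --interface "$INTERFACE" -j MASQ >> "$DUMP" 2>&1

  # Logging catch-alls.  inet_21 deletes these with an identical -D spec once
  # its own rules are in place, so keep the match exactly as written here.
  $IPCHAINS -A input --source $ANYWHERE --destination $ANYWHERE -l -j $DENY >> "$DUMP" 2>&1
  $IPCHAINS -A output --source $ANYWHERE --destination $ANYWHERE -l -j $DENY >> "$DUMP" 2>&1
  $IPCHAINS -A forward --source $ANYWHERE --destination $ANYWHERE -l -j $DENY >> "$DUMP" 2>&1
}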

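inet_21 ()
{
  # Rules for the dial-up side, once $LOCALIP is known.  Everything here is
  # *inserted* (-I) at fixed positions in front of what local_21 appended, so
  # the positions assume local_21's chain layout -- keep the group order.
  # Output (stdout and stderr) of every command goes to $DUMP.

  # Position 1: the gateway itself may talk out; anything arriving on the
  # external link that claims a LAN source is spoofed -> log and drop.
  $IPCHAINS -I output 1 -s "$LOCALIP"/32 -d $ANYWHERE -i "$INTERFACE" -j ACCEPT >> "$DUMP" 2>&1
  $IPCHAINS -I input 1 -s $LOCALNET -d $ANYWHERE -i "$INTERFACE" -l -j $DENY >> "$DUMP" 2>&1
  # $IPCHAINS -I input 1 -i $INTERFACE -s $ANYWHERE -d 224.0.0.1/32 -j ACCEPT

  # Position 2: refuse new connections (SYN) to the blocked range.  This sits
  # in front of the TCP allows below, so an allowed range that overlaps only
  # admits replies to connections opened from inside.
  for ports in $BLOCK_SYN_PORTS
  do
    $IPCHAINS -I input 2 -p tcp -y -i "$INTERFACE" -s $ANYWHERE -d "$LOCALIP"/32 $ports -l -j $DENY >> "$DUMP" 2>&1
  done
  # Positions 3-5: per-protocol allows.  Each iteration inserts at the same
  # index, so within a group the order ends up reversed; all targets are
  # ACCEPT on disjoint protocols, so that does not matter.
  for ports in $ALLOW_TCP_PORTS
  do
    $IPCHAINS -I input 3 -p tcp -i "$INTERFACE" -s $ANYWHERE -d "$LOCALIP"/32 $ports -j ACCEPT >> "$DUMP" 2>&1
  done
  for ports in $ALLOW_UDP_PORTS
  do
    $IPCHAINS -I input 4 -p udp -i "$INTERFACE" -s $ANYWHERE -d "$LOCALIP"/32 $ports -j ACCEPT >> "$DUMP" 2>&1
  done
  for types in $ALLOW_ICMP_TYPES
  do
    $IPCHAINS -I input 5 -p icmp -i "$INTERFACE" -s $ANYWHERE -d "$LOCALIP"/32 --icmp-type "$types" -j ACCEPT >> "$DUMP" 2>&1
  done

  # Nothing with a private address on either end may leave on the external
  # link unmasqueraded -- log and drop.  (The original had the inbound-to-LAN
  # rule twice, at positions 2 and 4; one copy is enough.)
  $IPCHAINS -I output 2 -i "$INTERFACE" -s $ANYWHERE -d $LOCALNET -l -j $DENY >> "$DUMP" 2>&1
  $IPCHAINS -I output 3 -i "$INTERFACE" -s $LOCALNET -d $ANYWHERE -l -j $DENY >> "$DUMP" 2>&1
  # Masquerade LAN traffic forwarded onto the external link.
  $IPCHAINS -I forward 1 -i "$INTERFACE" -s $LOCALNET -d $ANYWHERE -j MASQ >> "$DUMP" 2>&1
  #$IPCHAINS -I forward 2 -i $INTERFACE -s $LOCALHOST -d $ANYWHERE -j MASQ 2>&1 >> $DUMP

  # Now that the specific rules are in place, remove local_21's logging
  # catch-alls; unmatched traffic falls through to the DENY policies instead.
  # The -D spec must match local_21's -A lines exactly.
  $IPCHAINS -D input --source $ANYWHERE --destination $ANYWHERE -l -j $DENY >> "$DUMP" 2>&1
  $IPCHAINS -D output --source $ANYWHERE --destination $ANYWHERE -l -j $DENY >> "$DUMP" 2>&1
  $IPCHAINS -D forward --source $ANYWHERE --destination $ANYWHERE -l -j $DENY >> "$DUMP" 2>&1

  # Port forwarding into the LAN (disabled).  Each of these exposes an
  # internal service to the whole internet; enable only what you really need.
  # $IPMASQADM portfw -a -P tcp -L $LOCALIP 4444 -R 192.168.10.1 4444
  # $IPMASQADM portfw -a -P tcp -L $LOCALIP 20 -R 192.168.10.1 20
  # $IPMASQADM portfw -a -P tcp -L $LOCALIP 21 -R 192.168.10.1 21
}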
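# --- kernel hardening knobs (each guarded: not every kernel exposes them) ---
# if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
# echo Setting ip Dyna ip >> $DUMP
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  echo "Setting up IP spoofing protection with rp_filter." >> "$DUMP"
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
else
  echo "Problem setting reverse spoofing detection." >> "$DUMP"
fi
# A gateway has no use for ICMP redirects; honouring them lets any host on
# the wire rewrite our routing table.
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
  echo "Ignoring ICMP redirects." >> "$DUMP"
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
  done
fi
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo "Setting tcp_syncookies support." >> "$DUMP"
else
  echo "No tcp_syncookies support!" >> "$DUMP"
fi
if [ "$DHCPD" = "yes" ] ; then
  echo "DHCPD support enabled." >> "$DUMP"
else
  echo "DHCPD support disabled." >> "$DUMP"
fi

# --- build the rule set, failing closed while it is being rebuilt ---
# Policies go to DENY *before* the flush so there is no moment with empty
# chains under ACCEPT, and IP forwarding is only switched on once both rule
# sets are in place (the original enabled forwarding first and flushed under
# an ACCEPT policy).
$IPCHAINS -P input $DENY
$IPCHAINS -P output $DENY
$IPCHAINS -P forward $DENY
$IPCHAINS --flush
local_21
inet_21
echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables equivalent of the masquerading rule, for reference only (this
# script drives ipchains):
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).

#modprobe iptable_nat
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward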