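#!/bin/sh
# Firewall / NAT setup for a PPP gateway.  The positional arguments appear to
# follow pppd's ip-up convention (interface, tty device, speed, local IP, ...);
# only the interface name and the local IP are used here.
INTERFACE=$1
#DEVICE=$2
#SPEED=$3
LOCALIP=$4

IPTABLES=/sbin/iptables
IPCHECK=/etc/ppp/ipcheck.py
DUMP=/etc/ppp/fire.log        # not referenced anywhere in this script
BLOCK=block                   # name of the filter chain built below

# TCP services for which NEW connections arriving on $INTERFACE are accepted.
# NOTE(review): in /etc/services 'sftp' is 115/tcp (Simple File Transfer
# Protocol), not SSH file transfer, which already rides on 'ssh' -- confirm
# that 115 is really meant to be reachable from outside.
ALLOW_TCP_PORTS='ftp-data ftp sftp ssh smtp smtps http https auth pop3s'
ALLOW_UDP_PORTS=''
# ADDRESS:DPORT[:LPORT,LPORT,...] entries that are DNATed from $INTERFACE.
FORWARD_PORTS='192.168.0.1:4444'
#PROXY_PORTS='194.109.10.3:8080:http,20,21,https'

# ICMP types accepted from $INTERFACE.
ALLOW_ICMP_TYPES='echo-reply destination-unreachable redirect time-exceeded'
# Services whose TCP traffic is tagged Minimize-Delay / Maximize-Throughput.
MIN_DELAY='telnet ssh ftp auth'
MAX_THROUGH='ftp-data http https pop3 smtp'

# Fall back to the address of eth1 when no local IP was handed to us (e.g.
# when the script is run by hand).  '==' is a bashism that /bin/sh (dash)
# rejects, so test with -z instead.
if [ -z "$LOCALIP" ]; then
  LOCALIP=$(ifconfig eth1 | grep "inet addr" | tr ':' ' ' | awk '{print $3}')
  if [ -z "$LOCALIP" ]; then
    # Stop before any rule is touched: the SNAT rule needs this address and
    # an empty --to-source would leave a half-built ruleset behind.
    echo "could not determine local IP from eth1, aborting" | logger
    exit 1
  fi
  echo "$LOCALIP generated from device"
fi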

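#load interface defaults
# $INTERFACE comes straight from argv and is used to build a path that is then
# executed, so only accept a plain file name (no empty string, no '/', no
# leading dot) before touching the filesystem with it.
case "$INTERFACE" in
  ''|*/*|.*)
    echo "invalid interface name '$INTERFACE', exit stage right" | logger
    exit 1
    ;;
esac
IFCFG="/etc/sysconfig/network-scripts/ifcfg-fire.$INTERFACE"
# NOTE(review): the file is executed, not sourced, so any variables it sets
# never reach this script; if it is meant to override the defaults above it
# has to be sourced with '.' -- confirm against the file's contents.
if [ -f "$IFCFG" ] ; then
  "$IFCFG" 2>&1 | logger
else
  # Deliberately not an error: an interface without a config is left alone.
  echo "no config file found, exit stage right"
  exit 0
fi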

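# proc_write PATH VALUE -- write VALUE into a /proc knob.  Returns 1 without
# writing when the knob does not exist; a failed write (e.g. EPERM) is reported
# to syslog instead of vanishing on a stderr nobody reads under pppd.
proc_write() {
  [ -e "$1" ] || return 1
  echo "$2" > "$1" 2>&1 | logger
}

if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo "Setting ip Dyna ip" | logger
  proc_write /proc/sys/net/ipv4/ip_dynaddr 1
fi

# Reverse-path filtering on every interface: packets whose source would not be
# routed back out the arriving interface are dropped.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  echo "Setting up IP spoofing protection with rp_filter." | logger
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    proc_write "$f" 1
  done
else
  echo "Problem setting reverse spoofing detection." | logger
fi

if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
  proc_write /proc/sys/net/ipv4/tcp_syncookies 1
  echo "Setting tcp_syncookies support." | logger
else
  echo "No tcp_syncookies support!" | logger
fi

# Refuse source-routed packets on every interface.
for z in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  proc_write "$z" 0
done

proc_write /proc/sys/net/ipv4/conf/all/log_martians 1
proc_write /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
proc_write /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
proc_write /proc/sys/net/ipv4/tcp_ecn 1
# tcp_syncookies is already set above; the duplicate write was dropped.
# NOTE(review): conf/*/accept_redirects is left at the kernel default here
# while the filter rules below accept ICMP 'redirect' from the outside --
# worth revisiting together.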

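#insert modules
# modprobe ip_conntrack 2>&1 | logger
# modprobe ip_conntrack_ftp 2>&1 | logger
# modprobe iptable_nat 2>&1 | logger
#flush all chains
# NOTE(review): the policies are opened to ACCEPT before the old rules are
# flushed and stay that way until the DROP policies are set at the end of the
# rule build, so the host (and, with ip_forward still on from the previous
# run, the LAN) is unfiltered during that window and stays open if the script
# dies half way.  Setting INPUT/FORWARD to DROP here would fail closed, at the
# price of locking out remote access when a later rule fails to load.
"$IPTABLES" -P INPUT ACCEPT -v 2>&1 | logger
"$IPTABLES" -P OUTPUT ACCEPT -v 2>&1 | logger
"$IPTABLES" -P FORWARD ACCEPT -v 2>&1 | logger
# $IPTABLES -Z -v 2>&1 | logger
# $IPTABLES --flush -v 2>&1 | logger
# Flush, delete user chains in, and zero the counters of every table the
# kernel currently knows (the list is empty when no ip_tables module is
# loaded yet, in which case there is nothing to flush).
tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
for tbl in $tables; do "$IPTABLES" -t "$tbl" -F -v 2>&1 | logger; done
for tbl in $tables; do "$IPTABLES" -t "$tbl" -X -v 2>&1 | logger; done
for tbl in $tables; do "$IPTABLES" -t "$tbl" -Z -v 2>&1 | logger; done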

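#set some TOS values
# Interactive services are tagged Minimize-Delay, bulk transfers
# Maximize-Throughput, matching either the source or the destination port so
# both directions of a connection are covered.  Uses $IPTABLES like the rest
# of the script instead of whatever 'iptables' is first on PATH.
for svc in $MIN_DELAY; do
  "$IPTABLES" -A PREROUTING -t mangle -p tcp --sport "$svc" -j TOS --set-tos Minimize-Delay -v 2>&1 | logger
  "$IPTABLES" -A PREROUTING -t mangle -p tcp --dport "$svc" -j TOS --set-tos Minimize-Delay -v 2>&1 | logger
done
for svc in $MAX_THROUGH; do
  "$IPTABLES" -A PREROUTING -t mangle -p tcp --sport "$svc" -j TOS --set-tos Maximize-Throughput -v 2>&1 | logger
  "$IPTABLES" -A PREROUTING -t mangle -p tcp --dport "$svc" -j TOS --set-tos Maximize-Throughput -v 2>&1 | logger
done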
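# Masquerade out ppp0
# $IPTABLES -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE 2>&1 | logger
# Masquerade out eth1 , only valid if you have a static ip!
"$IPTABLES" -t nat -A POSTROUTING -o "$INTERFACE" -j SNAT --to-source "$LOCALIP" -v 2>&1 | logger
#create chain which blocks new connections, except if coming from inside.

# $IPCHAINS -X block
"$IPTABLES" -N "$BLOCK" -v 2>&1 | logger
"$IPTABLES" -A "$BLOCK" -m state --state ESTABLISHED,RELATED -j ACCEPT -v 2>&1 | logger
# New connections are fine unless they arrive on the external interface.
# '! -i' is the negation form current iptables accepts; the original
# intrapositioned '-i !' is the deprecated spelling.
"$IPTABLES" -A "$BLOCK" -m state --state NEW ! -i "$INTERFACE" -j ACCEPT -v 2>&1 | logger
for port in $ALLOW_TCP_PORTS; do
  "$IPTABLES" -A "$BLOCK" -p tcp -i "$INTERFACE" --destination-port "$port" -j ACCEPT -v 2>&1 | logger
done
for port in $ALLOW_UDP_PORTS; do
  "$IPTABLES" -A "$BLOCK" -p udp -i "$INTERFACE" --destination-port "$port" -j ACCEPT -v 2>&1 | logger
done
# NOTE(review): with 'redirect' in $ALLOW_ICMP_TYPES the peer on the external
# link can hand this gateway ICMP redirects; that is normally dropped.
for icmptype in $ALLOW_ICMP_TYPES; do
  "$IPTABLES" -A "$BLOCK" -p icmp -i "$INTERFACE" --icmp-type "$icmptype" -j ACCEPT -v 2>&1 | logger
done
# Everything else is logged (rate-limited by -m limit) and then falls back
# to the calling chain, whose DROP policy set below discards it.
"$IPTABLES" -A "$BLOCK" -i "$INTERFACE" -m limit -j LOG --log-prefix "DENY " -v 2>&1 | logger
"$IPTABLES" -A "$BLOCK" ! -i "$INTERFACE" -m limit -j LOG --log-prefix "DENY " -v 2>&1 | logger
# $IPTABLES -A block -j DROP -v 2>&1 | logger
#Besides MTU, there is yet another way to set the maximum packet size, the so called Maximum Segment Size. This is a field in the TCP Options part of a SYN packet
# NOTE(review): current iptables documents TCPMSS as valid only in the mangle
# table; if these two rules fail to load on a newer kernel, add '-t mangle'.
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -v 2>&1 | logger
"$IPTABLES" -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -v 2>&1 | logger
## Jump to that chain from INPUT and FORWARD chains.
"$IPTABLES" -A INPUT -j "$BLOCK" -v 2>&1 | logger
"$IPTABLES" -A FORWARD -j "$BLOCK" -v 2>&1 | logger
# put defaults to drop all packets
"$IPTABLES" -P INPUT DROP -v 2>&1 | logger
"$IPTABLES" -P FORWARD DROP -v 2>&1 | logger

# Turn on IP forwarding -- only now, with the FORWARD chain fully in place.
echo 1 > /proc/sys/net/ipv4/ip_forward 2>&1 | logger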

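#set the forwarding options
# Entries have the form ADDRESS:DPORT[:LPORT,LPORT,...].  Connections arriving
# on $INTERFACE for each LPORT (default: DPORT itself) are accepted and DNATed
# to ADDRESS:DPORT.  An empty ADDRESS means localhost.  The three field
# helpers replace the copy-pasted awk pipelines of the two loops below.

# entry_lports ENTRY -- local ports to accept, space separated
entry_lports() {
  printf '%s\n' "$1" | awk -F: '{ if ($3) print $3 ; else print $2 }' | tr ',' ' '
}
# entry_dport ENTRY -- port on the target host
entry_dport() {
  printf '%s\n' "$1" | awk -F: '{ print $2 }'
}
# entry_address ENTRY -- target host, "localhost" when the field is empty
entry_address() {
  printf '%s\n' "$1" | awk -F: '{ if ($1) print $1 ; else print "localhost" }'
}

for entry in $FORWARD_PORTS; do
  lports=$(entry_lports "$entry")
  dport=$(entry_dport "$entry")
  address=$(entry_address "$entry")
  for lport in $lports; do
    # Position 3 lands right after the ESTABLISHED and inside-originated
    # rules, ahead of the per-service ACCEPTs and the LOG rules.
    "$IPTABLES" -I "$BLOCK" 3 -p tcp -i "$INTERFACE" --destination-port "$lport" -j ACCEPT -v 2>&1 | logger
    "$IPTABLES" -A PREROUTING -t nat -p tcp -i "$INTERFACE" --dport "$lport" -j DNAT --to "$address:$dport" -v 2>&1 | logger
    #$IPTABLES -A OUTPUT -t nat -p tcp -o $INTERFACE --dport $lport -j DNAT --to $address:$dport -v 2>&1 | logger
  done
done

#set the transparent proxy entrys
# Same entry format; locally generated traffic leaving on $INTERFACE for any
# destination outside 192.168.0.0/16 on LPORT is redirected to ADDRESS:DPORT.
# ('! -d' replaces the deprecated intrapositioned '-d !'.)
for entry in $PROXY_PORTS; do
  lports=$(entry_lports "$entry")
  dport=$(entry_dport "$entry")
  address=$(entry_address "$entry")
  for lport in $lports; do
    #$IPTABLES -A PREROUTING -t nat -p tcp -i $INTERFACE -d ! 192.168.0.0/16 --dport $lport -j DNAT --to $address:$dport -v 2>&1 | logger
    "$IPTABLES" -A OUTPUT -t nat -p tcp -o "$INTERFACE" ! -d 192.168.0.0/16 --dport "$lport" -j DNAT --to "$address:$dport" -v 2>&1 | logger
  done
done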

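#update DYNDNS Account
# Run the updater from /etc/ppp in a subshell (presumably it keeps its state
# files in the working directory) so the caller's cwd is never changed.  The
# original saved "$pwd" -- which is unset, $PWD was meant -- and therefore
# ended up in $HOME afterwards.
# NOTE(review): the account name and password are hard-coded here and passed
# on argv, so they are readable by every local user via ps for as long as the
# update runs; ipcheck.py's documentation describes an account-file option for
# exactly this -- confirm and move the credentials into a root-only file.
( cd /etc/ppp && "$IPCHECK" -v -i "$INTERFACE" --syslog ranx 79-49-91 hardtek.ath.cx )
rv=$?

#exit with the updater's status (the original returned the status of the
#final cd, so a failed update was never reported to pppd)
exit "$rv"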