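#!/bin/sh
#
# Startup script to implement masquerading and firewalling
#
# Started life as:
# by beroATredhat.com, based on the ipchains script:
# Script Author: Joshua Jensen
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov :
# modified by Nils Philippsen
# now mostly alexeytATfreeshell.org's code
# debianized by alexeytATfreeshell.org Jun 2004
# reworked by alexeytATfreeshell.org Mar 2006
#
# customised for CHANGEME
#
# Usage: $0 {start|stop|restart|status|panic}
#   start/restart  lock INPUT/FORWARD down, flush everything, install the
#                  rules, then enable IPv4 forwarding
#   stop           flush everything and set all policies to ACCEPT
#                  (firewall OFF)
#   panic          set all policies to DROP and flush everything
#                  (host isolated)
#   status         list the filter and nat tables
#
# Written for POSIX sh (Debian's /bin/sh is dash): printf instead of
# "echo -n", and no $"..." locale strings, which dash does not understand
# (it would print a literal "$").

#### CONFIG ####
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
# Connection-tracking helpers; these make FTP data connections match the
# RELATED state below. NOTE: these are the old module names, kernels from
# 2.6.20 on call them nf_conntrack_ftp / nf_nat_ftp.
MODULES="ip_conntrack_ftp ip_nat_ftp"
# Drop everything from these sources: a whitespace-separated list of
# addresses/networks in "iptables -s" syntax. Empty by default.
IDIOTS=
#### END CONFIG ####

# Nothing to do on a host without iptables/modprobe; exit quietly the way
# init scripts do when their daemon is absent.
[ -x "$IPTABLES" ] || exit 0
[ -x "$MODPROBE" ] || exit 0

# doerror CMD ARGS...
#   Run CMD unless an earlier step of the current action already failed.
#   The first failure is remembered in the global $error, so every later
#   doerror step is skipped and the trailing
#     doerror echo " done." || echo " FAILED."
#   prints FAILED instead of done.
#   Returns 1 once any step has failed, 0 otherwise.
doerror() {
  if [ -n "$error" ]; then
    return 1
  fi
  "$@" || error=1
  return "${error:-0}"
}

# set_forwarding 0|1
#   Write the flag to the IPv4 forwarding sysctl.
set_forwarding() {
  echo "$1" > /proc/sys/net/ipv4/ip_forward
}

# disable_forwarding / enable_forwarding
#   Forwarding is switched off before any chain is touched and only switched
#   back on once the FORWARD chain is fully populated, so no packet is routed
#   through a half-built ruleset.
disable_forwarding() {
  printf 'Disabling IPv4 forwarding:'
  doerror set_forwarding 0
  doerror echo " done." || echo " FAILED."
}

enable_forwarding() {
  printf 'Enabling IPv4 forwarding:'
  doerror set_forwarding 1
  doerror echo " done." || echo " FAILED."
}

# load_modules
#   Load the helpers listed in $MODULES; stops at the first one that fails.
load_modules() {
  printf 'Loading modules:'
  for mod in $MODULES; do
    printf ' %s' "$mod"
    doerror "$MODPROBE" "$mod" || break
  done
  doerror echo "." || echo " FAILED."
}

# flush_all_chains
#   Flush (-F), delete user-defined chains (-X) and zero the counters (-Z)
#   in every table the kernel currently has loaded. Built-in chain policies
#   are NOT changed here; each action sets them explicitly.
flush_all_chains() {
  chains=$(cat /proc/net/ip_tables_names 2>/dev/null)
  printf 'Flushing, deleting and zeroing all chains:'
  for tbl in $chains; do
    doerror "$IPTABLES" -t "$tbl" -F
    doerror "$IPTABLES" -t "$tbl" -X
    doerror "$IPTABLES" -t "$tbl" -Z
  done
  doerror echo " done." || echo " FAILED."
}

# set_policies INPUT FORWARD OUTPUT NAT
#   Set the built-in chain policies of the filter table (first three
#   arguments) and of all nat chains (fourth argument).
set_policies() {
  doerror "$IPTABLES" -P INPUT "$1"
  doerror "$IPTABLES" -P FORWARD "$2"
  doerror "$IPTABLES" -P OUTPUT "$3"
  doerror "$IPTABLES" -t nat -P PREROUTING "$4"
  doerror "$IPTABLES" -t nat -P POSTROUTING "$4"
  doerror "$IPTABLES" -t nat -P OUTPUT "$4"
  # doerror "$IPTABLES" -t mangle -P PREROUTING "$4"
  # doerror "$IPTABLES" -t mangle -P OUTPUT "$4"
}

# start
#   Bring the firewall up. Steps are ordered to fail closed.
start() {
  error=

  disable_forwarding

  load_modules

  # Lock INPUT/FORWARD down BEFORE flushing: a restart from a previously
  # "stopped" (all-ACCEPT) state must never leave the host wide open between
  # the flush and the rule installation below.
  printf 'Setting iptables default policies:'
  set_policies DROP DROP ACCEPT ACCEPT
  doerror echo " done." || echo " FAILED."

  flush_all_chains

  printf 'Applying iptables firewall rules:'

  printf ' filter-input'
  doerror "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  doerror "$IPTABLES" -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
  for src in $IDIOTS; do
    doerror "$IPTABLES" -A INPUT -s "$src" -j DROP
  done
  # Only echo-request is admitted explicitly (ICMP errors for tracked flows
  # already match RELATED above). Ping and new SSH connections are rate
  # limited; the limit match's default burst applies.
  doerror "$IPTABLES" -A INPUT -p icmp --icmp-type ping -m limit --limit 1/second -j ACCEPT
  doerror "$IPTABLES" -A INPUT -p tcp --dport 22 -m limit --limit 1/second -j ACCEPT

  # printf ' filter-output'

  printf ' filter-forward'
  doerror "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for src in $IDIOTS; do
    doerror "$IPTABLES" -A FORWARD -s "$src" -j DROP
  done
  # No site-specific forwarding/masquerading rules yet (CHANGEME). Anything
  # else reaching FORWARD is logged (rate limited) and then hits the DROP
  # policy set above.
  doerror "$IPTABLES" -A FORWARD -m limit --limit 30/hour -j LOG

  # printf ' nat-prerouting'
  # printf ' nat-postrouting'
  # printf ' nat-output'
  # printf ' mangle-prerouting'
  # printf ' mangle-output'
  doerror echo "." || echo " FAILED."

  enable_forwarding
}

# stop
#   Take the firewall down: no rules, all policies ACCEPT, forwarding off.
stop() {
  error=

  disable_forwarding

  flush_all_chains

  printf 'Resetting built-in chains to the default ACCEPT policy:'
  set_policies ACCEPT ACCEPT ACCEPT ACCEPT
  doerror echo " done." || echo " FAILED."
}

# panic
#   Isolate the host: policies go to DROP first, then every chain is flushed,
#   so there is no window in which stale ACCEPT policies apply.
panic() {
  error=

  disable_forwarding

  printf 'Changing built-in chain policies to DROP:'
  set_policies DROP DROP DROP DROP
  doerror echo " done." || echo " FAILED."

  flush_all_chains
}

# status
#   Dump the filter and nat tables with counters.
status() {
  echo "Table: filter"
  "$IPTABLES" -n -v --list
  echo "Table: nat"
  "$IPTABLES" -t nat -n -v --list
  # echo "Table: mangle"
  # "$IPTABLES" -t mangle -n -v --list
}

case "$1" in
  start|restart)
    start
    ;;
  stop)
    stop
    ;;
  panic)
    panic
    ;;
  status)
    status
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|panic}"
    exit 1
    ;;
esac

# Exit non-zero if any step printed FAILED, so the caller (init/rc) can tell
# that the firewall is not in the requested state.
exit "${error:-0}"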