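#!/bin/sh
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Usage: <script> [stop]
#   no argument : load the netfilter modules, turn on forwarding and
#                 install the filter / NAT rules below.
#   stop        : reset the default policies to ACCEPT and exit.
#
# The script runs under /bin/sh, so only POSIX constructs are used
# (no "==" inside "[ ]", no "echo -e").
#

IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables

# External (Internet-facing) and internal (LAN) interfaces. Every rule
# further down refers to these two names, so changing them here is enough.
EXTIF="ppp0"
INTIF="eth0"

# Module loading is intentionally not error-checked: insmod fails when a
# module is already loaded or compiled into the kernel, and that is fine.
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod iptable_nat
/sbin/modprobe ip_nat_ftp

# Just to be complete, here is a list of the remaining kernel modules
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG    - this target allows for packets to be
#                                  logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#
#    iptable_mangle - this target allows for packets to be manipulated
#                     for things like the TCPMSS option, etc.

echo ". Done loading modules."

# Turn on routing between interfaces.  ip_dynaddr is the kernel knob for
# dynamically assigned (dial-up) addresses on $EXTIF; see the kernel's
# ip-sysctl documentation for its exact semantics.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " clearing any existing rules and setting default policy.."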
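# Start from a clean slate: default policy DROP on all three filter chains
# and flush whatever a previous run left behind.  The nat table is flushed
# too, so MASQUERADE has to be re-added at the end of the script.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -t nat -F

# ICMP in/out and SSH in are added before the "stop" check so the box stays
# reachable in both modes.  The SSH rule carries no interface match, so
# port 22 is also reachable from $EXTIF.
"$IPTABLES" -A INPUT -p icmp -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp -j ACCEPT

# "stop": open the default policies back up and leave.  POSIX test takes a
# single "="; the former "==" is a bashism that /bin/sh (dash) reports as an
# "unexpected operator" and treats as false, so "stop" never matched.
if [ "$1" = "stop" ]; then
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  exit 0
fi

# Not sure why these seem to be open ...
"$IPTABLES" -A INPUT -p tcp --dport 1024 -j REJECT
#$IPTABLES -A INPUT -p tcp --dport 111 -j REJECT

# Work around a bug in IPTABLES (netfilter)
# http://netfilter.samba.org/security/2002-04-02-icmp-dnat.html
#iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
# End of workaround

echo " FWD: Allow all connections OUT and only existing and related ones IN"
#$IPTABLES -A FORWARD -j LOG

# NTP on port 123 for tcp and udp.  These two rules have no interface
# match, so they also forward new NTP connections from $EXTIF into the LAN;
# everything else inbound is limited to ESTABLISHED,RELATED by the rule
# that follows.
"$IPTABLES" -A FORWARD -p tcp --dport 123 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --dport 123 -j ACCEPT
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT

# Don't log Napster (6699) Gnutella (6345/6) Morpheus 1214, NetBIOS(137)
# Do this by giving them a "target" before they get to the "LOG" target
# Skip ports 21, 23, 25 and 80, too...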
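#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6699 -j REJECT

# NetBIOS / RPC endpoint mapper: rejected rather than dropped so they do
# not reach the LOG rule at the bottom.
"$IPTABLES" -A INPUT -i "$EXTIF" -p udp --dport 137 -j REJECT
"$IPTABLES" -A INPUT -i "$EXTIF" -p udp --dport 135 -j REJECT
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 135 -j REJECT
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6345 -j REJECT
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 6346 -j REJECT
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 1214 -j REJECT

# FTP
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 21 -j REJECT
# Telnet
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 23 -j REJECT
# SMTP
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 25 -j REJECT
# HTTP -- note this is an ACCEPT, not a REJECT: port 80 on this host is
# reachable from the Internet side.
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j REJECT
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 80 -j ACCEPT
# http://www.edonkey2000.com/
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 4662 -j REJECT

# I can go out anywhere to nslookup.  Use the interface variables rather
# than the literal "ppp0"/"eth0" so these rules follow EXTIF/INTIF.
"$IPTABLES" -A OUTPUT -o "$EXTIF" -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTIF" -p udp --sport 53 -j ACCEPT

# and I can send anything to the LAN
"$IPTABLES" -A OUTPUT -o "$INTIF" -j ACCEPT

# and they can send anything to me
"$IPTABLES" -A INPUT -i "$INTIF" -j ACCEPT

# And people can send RELATED stuff back to me.
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log everything else arriving on $EXTIF, then drop it.
# Uncomment me for crap on the console
#$IPTABLES -A INPUT -i $EXTIF -j LOG --log-level 1 --log-prefix "INCOMING: "
"$IPTABLES" -A INPUT -i "$EXTIF" -j LOG --log-level notice --log-prefix "DROPPING: "
"$IPTABLES" -A INPUT -i "$EXTIF" -j DROP

# Everything this host sends is allowed (the OUTPUT policy is DROP, so this
# rule is what actually opens outbound traffic).
"$IPTABLES" -A OUTPUT -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# printf instead of "echo -e": the -e flag is not portable under /bin/sh.
printf '\nDone.\n\n'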