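# Simple iptables host firewall init script: start/stop/restart the filter
# rules, with optional (currently disabled) rp_filter and NAT helpers.
# Usage: /etc/init.d/firewall {start|stop|restart}
myname=$(basename -- "$0")

#######################################
# Install one rule idempotently: delete an identical rule if one exists
# (that -D is expected to fail when the rule is absent, hence the silenced
# output), then append it.  Re-running start therefore never duplicates
# rules installed through this helper.
# Arguments: $@ - iptables rule spec, starting with the chain name
# Outputs:   one "." on stdout per rule installed
#######################################
add() {
  # echo "$myname" "$@"
  iptables -D "$@" >/dev/null 2>&1
  iptables -A "$@"
  printf '.'
}

# Interface facing the untrusted network; rules below bind spoof checks and
# NAT to it.
OUTSIDE_IF=eth0
# OUTSIDE_NET=0/0
# Only referenced by the commented-out FORWARD rules in enable_nat().
PRIVATE_NET=192.168.0.0/24

#######################################
# Open the firewall: ACCEPT policies on the three filter chains, then flush
# everything firewall_start() installed, including the mangle-table TOS
# rules (flushing the filter chains alone leaves those behind).
# Outputs:   progress dots on stdout
#######################################
firewall_stop() {
  iptables -P INPUT ACCEPT
  printf '.'
  iptables -P OUTPUT ACCEPT
  printf '.'
  iptables -P FORWARD ACCEPT
  printf '.'
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  # The TOS rules below are in the mangle table, not filter.
  iptables -t mangle -F OUTPUT
  printf '.\n'
}

#######################################
# Install the filter rules.  INPUT is "deny by default" only through the
# final LOG/DROP pair; no chain policy is changed here.
# NOTE(review): FORWARD keeps whatever policy it already has (ACCEPT after
# firewall_stop), and the only FORWARD rule is an unrestricted LOG, so if
# ip_forward is ever enabled this host forwards freely.  The FORWARD and
# catch-all INPUT LOG rules have no `-m limit`, so a flood of unsolicited
# packets can fill the logs.
# Globals:   OUTSIDE_IF (read)
# Outputs:   progress dots on stdout
#######################################
firewall_start() {
  # debug issues with internal net (installed via add so restarts do not
  # stack duplicate LOG rules)
  add FORWARD -j LOG
  # local, trusted (private) networks
  add INPUT -j ACCEPT -i lo
  add INPUT -j ACCEPT -i eth1
  add INPUT -j ACCEPT -i eth2
  # A loopback source address arriving on the outside interface is always
  # spoofed: log it, then drop it.  The whole 127.0.0.0/8 range is covered,
  # not just the single address "localhost" resolves to.
  add INPUT -j LOG -i "$OUTSIDE_IF" -s 127.0.0.0/8
  add INPUT -j DROP -i "$OUTSIDE_IF" -s 127.0.0.0/8
  # permit replies to any connection we open to the outside.
  add INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
  # permit new connections to outside and replies to allowed services
  add OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED

  ####################### TCP Section ###############################
  # Services we want exported - ie other folks can open connections
  add INPUT -j ACCEPT -p tcp --dport ssh -m state --state NEW
  add INPUT -j ACCEPT -p tcp --dport ftp -m state --state NEW
  add INPUT -j ACCEPT -p tcp --dport ident -m state --state NEW
  add INPUT -j ACCEPT -p tcp --dport ftp-data -m state --state NEW
  # disabled for now, don't LOG attacks/usage of these services.
  add INPUT -j DROP -p tcp --dport http -m state --state NEW
  add INPUT -j DROP -p tcp --dport domain -m state --state NEW
  add INPUT -j DROP -p tcp --dport smtp -m state --state NEW
  add INPUT -j DROP -p tcp --dport cvspserver -m state --state NEW
  add INPUT -j DROP -p tcp --dport sunrpc -m state --state NEW

  ####################### UDP Section ###############################
  # no special services enabled here.
  # don't log bootp junk
  add INPUT -j DROP -p udp --dport bootpc -m state --state NEW

  ####################### ICMP Section ###############################
  # don't allow ICMP timestamp packets
  add INPUT -j DROP -p icmp -s 0/0 --icmp-type timestamp-request
  add INPUT -j DROP -p icmp -s 0/0 --icmp-type timestamp-reply
  # but allow all other icmp
  add INPUT -j ACCEPT -p icmp

  ####################### DROP (Deny) the rest Section #######################
  # I hate MS-Windows! Don't log the mindless machines
  add INPUT -j DROP -p udp --dport 137
  add INPUT -j DROP -p udp --dport 138
  add INPUT -j DROP -p tcp --dport 139
  # Deny but don't log these -- they're from known misbehaving machines
  # add INPUT -j DROP -s 192.6.38.XX -p udp
  # A biggie -- LOG/DROP the rest
  add INPUT -j LOG
  add INPUT -j DROP

  ####################### TOS Section #######################
  # TOS - minimize delay for the following services
  add OUTPUT -j TOS --table mangle -p tcp --dport www --set-tos 0x10
  add OUTPUT -j TOS --table mangle -p tcp --dport telnet --set-tos 0x10
  add OUTPUT -j TOS --table mangle -p tcp --dport ftp --set-tos 0x10
  # Set ftp-data for maximum throughput
  add OUTPUT -j TOS --table mangle -p tcp --dport ftp-data --set-tos 0x08
  printf '\n'
}

#######################################
# Turn on Source Address Verification and get spoof protection on
# all current and future interfaces (kernel rp_filter).
# Not called from any case arm below; see the commented "antispoof" lines.
#######################################
antispoof() {
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
  fi
}

# added per http://linuxdocs.org/HOWTOs/IPTABLES-HOWTO-3.html#ss3.1
# - ggg
#######################################
# Enable IPv4 forwarding and masquerade traffic leaving the outside
# interface.  Not called from any case arm below.
# NOTE(review): the comment "firewall() already DROP's everything" is not
# true of firewall_start(), which never sets a FORWARD policy; the
# commented-out FORWARD ACCEPT rules assume a DROP policy that nothing
# installs.  Enabling this as-is forwards between interfaces unfiltered.
# Globals:   OUTSIDE_IF, PRIVATE_NET (read)
# Outputs:   a warning on stderr when ip_forward is absent
#######################################
enable_nat() {
  # firewall() already DROP's everything
  # iptables -P FORWARD DROP
  if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
  else
    printf 'WARN: %s : ip_forward not configured in kernel?\n' "$0" >&2
  fi
  iptables -t nat -A POSTROUTING -o "$OUTSIDE_IF" -j MASQUERADE
  # tausq uses the following
  # iptables -t nat -A POSTROUTING -o eth0 --dest ! 10.0.0.0/24 -j SNAT --to $LOCAL_IP
  # allow services from private NAT/IPMASQ (thanks neuro!)
  # add FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -s $PRIVATE_NET -j ACCEPT
  # add FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -d $PRIVATE_NET -j ACCEPT
}

case "$1" in
  start)
    printf '%s' "Starting firewall (iptables):"
    firewall_start
    # echo -n "Starting IP spoof protection:"
    # antispoof
    # echo "."
    #echo "Starting IP Masquerading:"
    #enable_nat
    #echo "."
    ;;
  stop)
    printf '%s' "Stopping firewall (iptables):"
    firewall_stop
    # disable NAT
    iptables -t nat -F POSTROUTING
    ;;
  restart)
    printf '%s' "Restarting firewall (iptables):"
    firewall_stop
    firewall_start
    # antispoof
    # enable_nat
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac
exit 0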