#!/bin/sh
#
# description: Enable IPTABLES Firewalling
#		
#		Written by Hardy Kestin <hardy@noris.net>
#		Based on Harald "LaForge" Welte's <laforge@gnumonks.org>
#		netfilter workshop at noris network (2002-02-08)
# processname: iptables
# config: /etc/init.d/firewall
#

# SET FWDEBUG=0 TO MAKE IT WORK!
# With FWDEBUG=1 (the shipped default) nothing is applied to the kernel:
# every iptables / modprobe / rmmod invocation is only printed, see the
# debug shim at the end of this section.
FWDEBUG=1

NAME=iptables
DESC="stateful firewall"
IPT=/sbin/iptables              # iptables binary
IM=/sbin/modprobe               # module loader
RMM=/sbin/rmmod                 # module unloader
TABLES="filter nat"             # tables that get flushed / listed (space-separated)

MAIN_IF="eth0"                  # the only interface whose traffic is filtered by in_main
TRUSTED="62.128.1.62 62.128.28.2"   # admin hosts: may reach nrpe (tcp) and snmp (udp)
MONITOR="62.128.1.61 62.128.1.60"   # monitoring hosts: may reach nrpe (tcp) and snmp (udp)

#LB_PORTS="80 443"	# Loadbalanced ports
#V_HOST="xx.xx.xx.xx"	# Loadbalancer virtual ipaddress

# Debug shim: prefix the three privileged commands with "echo" so that a
# debug run merely prints what it would execute.  Because of this the
# variables must be expanded unquoted ($IPT, never "$IPT") at every call
# site, otherwise "echo /sbin/iptables" would be looked up as one command.
case "$FWDEBUG" in
  1)
    IPT="echo $IPT"
    IM="echo $IM"
    RMM="echo $RMM"
    ;;
esac


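# Dispatcher.  $IPT / $IM / $RMM are deliberately left unquoted everywhere:
# in debug mode they expand to "echo /sbin/..." and must word-split.
case "$1" in
  start)
    if [ "$FWDEBUG" = "1" ]; then
      echo "NOT Starting $DESC. The following rules would be applied:"
    else
      # printf instead of "echo -n": the -n flag is not portable under /bin/sh
      printf '%s' "Starting $DESC: "
    fi

    ## Load the FTP connection-tracking helper so FTP data connections are
    ## matched by the ESTABLISHED,RELATED rule in in_main.  The name is the
    ## 2.4-era module; where it does not exist, modprobe fails and FTP data
    ## channels will end up in "clean".  Not fatal for the rest of the
    ## ruleset, so only warn.
    $IM ip_conntrack_ftp || echo "warning: could not load ip_conntrack_ftp" >&2

    ## Kernel settings: this host does not route.  A debug run must not
    ## touch the kernel at all, so in that case the write is only printed.
    if [ "$FWDEBUG" = "1" ]; then
      echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
    else
      echo 0 > /proc/sys/net/ipv4/ip_forward
    fi

    ## Default policies FIRST, then flush: while the ruleset is rebuilt the
    ## host is briefly fail-closed, never fail-open.
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT      # egress is unrestricted; tighten if this host must not initiate arbitrary connections
    for tbl in $TABLES; do
      $IPT -t "$tbl" -F
      $IPT -t "$tbl" -X
    done

    ## User-defined chains
    $IPT -N clean              # terminal chain: log, then reject/drop
    $IPT -N in_main            # everything arriving on $MAIN_IF

    ## clean: NetBIOS/RPC noise (udp 135-139) is dropped silently so it does
    ## not flood the log.  Everything else is logged (rate-limited to 1/s,
    ## default burst) and then actively rejected so legitimate clients fail
    ## fast instead of waiting for a timeout; the final DROP catches other
    ## protocols (e.g. icmp, which REJECT does not handle here).
    $IPT -A clean -p udp --dport 135:139 -j DROP
    $IPT -A clean -j LOG --log-prefix "rejected " -m limit --limit 1/sec
    $IPT -A clean -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A clean -j DROP

    ## INPUT: drop INVALID before anything else (also on lo), accept
    ## loopback, hand $MAIN_IF over to in_main.  NOTE: packets arriving on
    ## any other interface match no rule and hit the DROP policy *unlogged*.
    $IPT -A INPUT -j DROP -m state --state INVALID
    $IPT -A INPUT -j ACCEPT -i lo
    $IPT -A INPUT -j in_main -i "$MAIN_IF"

    ## in_main
    $IPT -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
    $IPT -A in_main -j ACCEPT -p icmp ! --icmp-type redir   # all ICMP except redirects, no rate limit

    # nrpe (tcp) and snmp (udp) only from the monitoring and trusted hosts.
    # $MONITOR / $TRUSTED are intentionally unquoted: space-separated lists.
    for host in $MONITOR $TRUSTED; do
      $IPT -A in_main -j ACCEPT -p tcp --dport nrpe -s "$host"
      $IPT -A in_main -j ACCEPT -p udp --dport snmp -s "$host"
    done

    # INSERT YOUR OWN RULES HERE!
    # Services exposed to the world.  ftp, pop3 and imap2 carry credentials
    # in the clear; prefer the TLS variants (pop3s/imaps) or restrict the
    # plaintext ports with -s where possible.
    $IPT -A in_main -j ACCEPT -p tcp --dport ftp
    $IPT -A in_main -j ACCEPT -p tcp --dport ssh
    $IPT -A in_main -j ACCEPT -p tcp --dport smtp
    $IPT -A in_main -j ACCEPT -p tcp --dport domain
    $IPT -A in_main -j ACCEPT -p udp --dport domain
    $IPT -A in_main -j ACCEPT -p tcp --dport http
    $IPT -A in_main -j ACCEPT -p udp --dport ntp
    $IPT -A in_main -j ACCEPT -p tcp --dport imap2
    $IPT -A in_main -j ACCEPT -p tcp --dport imaps
    $IPT -A in_main -j ACCEPT -p tcp --dport pop3
    $IPT -A in_main -j ACCEPT -p tcp --dport pop3s

    # Anything not accepted above is logged and rejected.
    $IPT -A in_main -j clean

    ## PREROUTING (needed for load balancing using DSR) -- disabled
#    for port in $LB_PORTS; do
#	$IPT -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports $port -d $V_HOST --dport $port
#    done

    ## end of filter rules
    if [ "$FWDEBUG" = "1" ]; then
      echo "PLEASE MODIFY $0"
    else
      echo "$NAME."
    fi
  ;;

  stop)
    # WARNING: "stop" leaves the host completely unprotected -- all
    # policies become ACCEPT and every rule is removed.
    printf '%s' "Stopping $DESC: "
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    for tbl in $TABLES; do
      $IPT -t "$tbl" -F
      $IPT -t "$tbl" -X
    done
    $RMM ip_conntrack_ftp

    echo "$NAME."
  ;;

  restart)
    # "start" already flushes and rebuilds everything under DROP policies,
    # so it is simply re-run.  Going through "stop" first would open the
    # host fully (ACCEPT policies, no rules) for the duration of the reload.
    $0 start
  ;;

  status)
    for tbl in $TABLES; do
      echo "Statistics for table: $tbl"
      $IPT -t "$tbl" -nvL
    done
  ;;

  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
  ;;
esac
exit 0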
