#!/bin/sh
#
# description: Enable IPTABLES Firewalling
#		
#		Written by Hardy Kestin <hardy@noris.net>
#		Based on Harald "LaForge" Welte's <laforge@gnumonks.org>
#		netfilter workshop at noris network (2002-02-08)
# processname: iptables
# config: /etc/init.d/firewall
#

# REMOVE THE FOLLOWING LINE TO MAKE IT WORK!
FWDEBUG=1

# Service identity and the binaries this script drives.
NAME=iptables
DESC="stateful firewall"
IPT=/sbin/iptables
IM=/sbin/modprobe
RMM=/sbin/rmmod
# Tables that are flushed on start/stop and listed by status.
TABLES="filter nat"

# Interfaces and address ranges referenced by the rule set below.
MAIN_IF="eth0"
BACK_IF="eth1"
BACK_NET=10.1.0.0/16
# Not referenced by any rule in this file; kept for local additions.
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Hosts that may reach the management services (nrpe, ssh, 3dm, ntp, snmp).
TRUSTED="62.128.1.62 62.128.28.2"
MONITOR="62.128.1.61 62.128.1.60 62.128.1.93"

# Optional load-balancer DNAT, used only by the commented PREROUTING section.
#V_HOST="62.128.1.30"
#R_HOST="62.128.1.31"
#LB_PORTS="80 443"

# Dry run: prefix every privileged binary with "echo" so the rule set is
# printed instead of applied.
case "$FWDEBUG" in
  1)
    IPT="echo $IPT"
    IM="echo $IM"
    RMM="echo $RMM"
    ;;
esac


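#######################################
# Run one iptables invocation and record a failure instead of silently
# continuing, so a half-applied rule set does not go unnoticed.
# $IPT is deliberately left unquoted: under FWDEBUG it expands to
# "echo /sbin/iptables" and has to word-split.
# Globals:   IPT (read), FW_ERRORS (written)
# Arguments: iptables arguments
#######################################
ipt() {
  # shellcheck disable=SC2086 -- $IPT may carry the "echo " dry-run prefix
  if ! $IPT "$@"; then
    printf 'iptables failed: %s %s\n' "$IPT" "$*" >&2
    FW_ERRORS=$((FW_ERRORS + 1))
  fi
}

#######################################
# Flush all rules and delete all user chains in every table of $TABLES.
# Globals: TABLES (read)
#######################################
flush_tables() {
  for tbl in $TABLES; do
    ipt -t "$tbl" -F
    ipt -t "$tbl" -X
  done
}

#######################################
# Workaround for TCP window scaling problems at peers (see RT#417927):
# cap the maximum receive buffer (third field of tcp_rmem) at
# 2^15 << MAX_WSCALE so the advertised window scale stays bounded.
# Under FWDEBUG nothing is written; the intended value is printed.
# Globals:   FWDEBUG (read)
#######################################
limit_tcp_wscale() {
  MAX_WSCALE=6
  file=/proc/sys/net/ipv4/tcp_rmem
  max_recbuf=$(( 1 << 15 << MAX_WSCALE ))
  # POSIX read splits the three whitespace-separated fields; the previous
  # $(<"$file") is a bashism that expands to nothing under /bin/sh.
  if [ -r "$file" ] && read -r rmem_min rmem_def rmem_max < "$file"; then
    if [ "${rmem_max:-0}" -gt "$max_recbuf" ]; then
      if [ "$FWDEBUG" = "1" ]; then
        echo "would write '$rmem_min $rmem_def $max_recbuf' to $file"
      else
        # sysctl files take the whole value; '>' rather than '>>'.
        echo "$rmem_min $rmem_def $max_recbuf" > "$file" ||
          echo "warning: could not update $file" >&2
      fi
    fi
  else
    echo "warning: cannot read $file, skipping tcp_rmem adjustment" >&2
  fi
}

#######################################
# Load the rule set: DROP policies, a shared "clean" reject chain and an
# "in_main" chain for traffic arriving on $MAIN_IF.
# Globals: FWDEBUG DESC NAME IM MAIN_IF BACK_IF BACK_NET MONITOR TRUSTED (read)
#######################################
fw_start() {
  if [ "$FWDEBUG" = "1" ]; then
    echo "NOT Starting $DESC. The following rules would be applied:"
  else
    printf '%s' "Starting $DESC: "
  fi

  ## load additional kernel modules (FTP connection-tracking helper)
  $IM ip_conntrack_ftp || echo "warning: could not load ip_conntrack_ftp" >&2

  # proc stuff
  #echo 1 > /proc/sys/net/ipv4/ip_forward

  limit_tcp_wscale

  ## set DROP policies *before* flushing, so the host is never unfiltered
  ## while the rule set is rebuilt
  ipt -P FORWARD DROP
  ipt -P INPUT DROP
  ipt -P OUTPUT ACCEPT
  flush_tables

  # new chains
  ipt -N clean
  ipt -N in_main

  # clean reject: udp/135-139 is dropped without logging, everything else
  # is logged (rate limited) and rejected
  ipt -A clean -p udp --dport 135:139 -j DROP
  ipt -A clean -j LOG --log-prefix "Rejected " -m limit --limit 1/sec
  ipt -A clean -p tcp -j REJECT --reject-with tcp-reset
  ipt -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
  ipt -A clean -j DROP

  ## sort and filter INPUT by interface
  ipt -A INPUT -j DROP -m state --state INVALID
  ipt -A INPUT -j ACCEPT -i lo
  # anti-spoofing: only $BACK_NET sources are accepted on $BACK_IF
  ipt -A INPUT -j DROP ! -s "$BACK_NET" -i "$BACK_IF"
  ipt -A INPUT -j ACCEPT -i "$BACK_IF"
  ipt -A INPUT -j in_main -i "$MAIN_IF"

  # external chain
  ipt -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
  ipt -A in_main -j ACCEPT -p icmp ! --icmp-type redir

  # allow nrpe, ssh, 3dm (1081), ntp and snmp from monitoring and trusted hosts
  for host in $MONITOR $TRUSTED; do
    ipt -A in_main -j ACCEPT -p tcp --dport nrpe -s "$host"
    ipt -A in_main -j ACCEPT -p tcp --dport ssh -s "$host"
    ipt -A in_main -j ACCEPT -p tcp --dport 1081 -s "$host"
    ipt -A in_main -j ACCEPT -p udp --dport ntp -s "$host"
    ipt -A in_main -j ACCEPT -p udp --dport snmp -s "$host"
  done

  # INSERT YOUR OWN RULES HERE!
  # ipt -A in_main -j ACCEPT -p tcp --dport http
  # ipt -A in_main -j ACCEPT -p udp --dport ntp

  # terminate the chain: anything not accepted above goes to "clean"
  ipt -A in_main -j clean

  ## PREROUTING
  #for port in $LB_PORTS; do
  #  ipt -t nat -A PREROUTING -p tcp -d "$V_HOST" --dport "$port" -j DNAT --to-destination "$R_HOST"
  #done

  ## end of filter rules

  if [ "$FWDEBUG" = "1" ]; then
    echo "PLEASE MODIFY $0"
  else
    echo "$NAME."
  fi
}

#######################################
# Remove the rule set.  NOTE: this leaves the host completely unfiltered
# (ACCEPT policies, no rules) until "start" runs again.
# Globals: DESC NAME RMM (read)
#######################################
fw_stop() {
  printf '%s' "Stopping $DESC: "
  ipt -P INPUT ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD ACCEPT
  flush_tables
  $RMM ip_conntrack_ftp
  echo "$NAME."
}

#######################################
# Print counters and rules of every table in $TABLES.
# Globals: TABLES (read)
#######################################
fw_status() {
  for tbl in $TABLES; do
    echo "Statistics for table: $tbl"
    ipt -t "$tbl" -nvL
  done
}

FW_ERRORS=0
case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    "$0" stop
    # propagate the start status so a failed reload is visible to the caller
    "$0" start || exit 1
    ;;
  status)
    fw_status
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac

# Exit non-zero when any iptables call failed, so the init system or an
# operator notices a partially applied rule set instead of a silent "ok".
if [ "$FW_ERRORS" -gt 0 ]; then
  echo "$FW_ERRORS iptables command(s) failed" >&2
  exit 1
fi
exit 0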
