#!/bin/bash
#
### BEGIN INIT INFO
# Provides:             firewall 
# Required-Start:       $remote_fs $network
# Required-Stop:        $remote_fs $network
# Default-Start:        2 3 4 5
# Default-Stop:        
# Short-Description:     noris special iptables rules
### END INIT INFO

# description: Enable IPTABLES Firewalling
#		
#		Written by Hardy Kestin <hardy@noris.net>
#		made 6.0 LSB conform by <kdrexel@noris.net>
#		Based on Harald "LaForge" Welte's <laforge@gnumonks.org>
#		netfilter workshop at noris network (2002-02-08)
#
# processname: iptables
# config: /etc/init.d/firewall
#

# Wer diese Variablen überschreiben will, muss dies in
# /etc/noris-firewall/variables tun
FWDEBUG=1

NAME=iptables
DESC="stateful firewall"
IPT=/sbin/iptables
IM=/sbin/modprobe
RMM=/sbin/rmmod
TABLES="filter nat"

VARS="/etc/noris-firewall/variables"
RULES="/etc/noris-firewall/rules"
test -f $VARS && . $VARS


if [ "$FWDEBUG" != "0" ]; then
        IPT="echo $IPT"
        IM="echo $IM"
        RMM="echo $RMM"
fi


case "$1" in
  start)
    [ "$FWDEBUG" != "0" ] && \
    	echo "NOT Starting $DESC. The following rules would be applied:" || \
    	echo -n "Starting $DESC: "  
	
    ## zusaetzliche kernelmodule laden
#    $IM ip_conntrack_ftp

    # proc stuff
    #echo 1 > /proc/sys/net/ipv4/ip_forward

    # Workaround for TCP window scaling problems at peers (see RT#417927):
    MAX_WSCALE=6
    file=/proc/sys/net/ipv4/tcp_rmem
    max_recbuf=$(( 1 << 15 << MAX_WSCALE ))
    tcp_rmem=$( echo $(<"$file") )
    [ "${tcp_rmem##* }" -gt $max_recbuf ] &&
      echo ${tcp_rmem% *} $max_recbuf >>"$file"
    
    ## alles flushen und defaultpolicy setzen
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    for tbl in $TABLES;do $IPT -t $tbl -F;$IPT -t $tbl -X;done
    
    # new chains
    $IPT -N clean
    $IPT -N in_main

    # clean reject
    $IPT -A clean -p udp --dport 135:139 -j DROP
    $IPT -A clean -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A clean -j DROP
    
    ## INPUT sortieren und filtern
    $IPT -A INPUT -j DROP -m state --state INVALID
    $IPT -A INPUT -j ACCEPT -i lo
    $IPT -A INPUT -j in_main -i $MAIN_IF

    # externe chain
    $IPT -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
    $IPT -A in_main -j ACCEPT -p icmp ! --icmp-type redir
    
    # nrpe,ssh,3dm,ntp,snmp von monitor-rechnern und trusted erlauben
    for host in $MONITOR $TRUSTED
    	do $IPT -A in_main -j ACCEPT -p tcp --dport nrpe -s $host
	$IPT -A in_main -j ACCEPT -p tcp --dport ssh -s $host
	$IPT -A in_main -j ACCEPT -p udp --dport ntp -s $host
	$IPT -A in_main -j ACCEPT -p udp --dport snmp -s $host
    done
    
test -f $RULES && . $RULES

    # chain terminieren
    $IPT -A in_main -j clean

   
    ## ende der filterregeln
    
    [ "$FWDEBUG" != "0" ] && echo "PLEASE MODIFY $VARS" || \
    	echo "$NAME."
  ;;
  
  stop)
    echo -n "Stopping $DESC: "
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    for tbl in $TABLES;do $IPT -t $tbl -F;$IPT -t $tbl -X;done
#    $RMM ip_conntrack_ftp

    echo "$NAME."
  ;;

  restart)
    $0 stop
    $0 start
  ;;

  status)
    for tbl in $TABLES; do
    echo "Statistics for table: $tbl"
    $IPT -t $tbl -nvL
    done
  ;;
  
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
  ;;
esac
exit 0
