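#!/bin/sh
#
# /usr/local/bin/firewall
#
# This script is used to enable or disable the firewall.
#
# USAGE:  firewall        # turns the firewall on (secure mode)
#         firewall kill   # turns the firewall OFF (insecure: every chain ACCEPTs;
#                         # forwarding and NAT for the LAN are left running)
#
# NOTE: be sure that this script is run at system boot time, ie. add the
#       following command to /etc/rc.d/rc.local ....
#           /usr/local/bin/firewall
#
# It must be run as root: it loads kernel modules and rewrites the netfilter tables.
#--------------------------------------------------------------------------------
# set the following for your system....

LAN=eth0                    # network interface for local area network ("my.home")
EXT=eth1                    # network interface public Internet connection
LANnet=192.168.100.0/24     # LAN network address

#--------------------------------------------------------------------------------
# Nothing else NEEDS to be changed below, although you may wish to uncomment some
# of the lines below, allowing internet access to some services on THIS server.
# If you do, then BE CAREFUL!!!
#
# Some info in:
#   http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html
#--------------------------------------------------------------------------------

# An unset LAN/EXT would expand to nothing and give iptables an "-i" with no
# argument, i.e. a rule that matches every interface.  Fail instead.
set -u

IPT=/sbin/iptables

# Run iptables and complain on stderr if the rule did not load: a rule that
# silently fails is either a hole or a lockout, and you want to know which.
ipt() {
    "$IPT" "$@" || echo "firewall: rule failed: iptables $*" >&2
}

# Anything but root fails half-way through and leaves a partial rule set.
if [ "$(id -u)" -ne 0 ]; then
    echo "firewall: must be run as root" >&2
    exit 1
fi

# load necessary modules.  modprobe resolves the module path for us (insmod
# wants a full file name, so "insmod ip_conntrack" never loaded anything).
# Newer kernels renamed ip_conntrack* to nf_conntrack*; try both names.
# Connection tracking is required by the "-m state" rules below.
/sbin/modprobe iptable_nat      >/dev/null 2>&1
/sbin/modprobe ip_conntrack     >/dev/null 2>&1 || /sbin/modprobe nf_conntrack     >/dev/null 2>&1
/sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1 || /sbin/modprobe nf_conntrack_ftp >/dev/null 2>&1
/sbin/modprobe ip_nat_ftp       >/dev/null 2>&1 || /sbin/modprobe nf_nat_ftp       >/dev/null 2>&1

# turn the firewall OFF if "kill" is specified: open policies, then drop every
# rule and our private "block" chain so the next run starts from a clean slate.
# The NAT entry and IP forwarding are left alone so LAN hosts keep their
# Internet access (this box is then just an open router).
if [ "${1-}" = kill ]; then
    ipt -P INPUT   ACCEPT
    ipt -P OUTPUT  ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    "$IPT" -F block >/dev/null 2>&1
    "$IPT" -X block >/dev/null 2>&1
    echo 1 >/proc/sys/net/ipv4/ip_forward
    exit 0
fi

# Secure mode.  Set the DROP policies BEFORE flushing, so the host is never
# open while the rule set is rebuilt (flushing under a previous ACCEPT policy
# leaves everything open until the last rule is in).  FORWARD gets DROP as
# well: every forwarded packet is decided by the "block" chain below, so the
# policy only ever applies if that chain is missing - and then it must deny.
ipt -P INPUT   DROP
ipt -P OUTPUT  DROP
ipt -P FORWARD DROP
ipt -F INPUT
ipt -F OUTPUT
ipt -F FORWARD
# Without this every run of the script appended one more MASQUERADE rule.
ipt -t nat -F POSTROUTING

# Create chain which blocks new connections, except if coming from inside.
# "Inside" means: did not arrive on $EXT - so if EXT is not really the
# Internet-facing interface (e.g. the link comes up as ppp0) this chain lets
# everything through.  Double-check EXT above.
# Replies to connections started from inside are let back in by conntrack.
"$IPT" -F block >/dev/null 2>&1
"$IPT" -X block >/dev/null 2>&1
ipt -N block
ipt -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A block -m state --state NEW ! -i "$EXT" -j ACCEPT    # "! -i": the old "-i !" spelling was removed in iptables 1.4
ipt -A block -j DROP

# input filtering rules:
ipt -A INPUT -i lo     -j ACCEPT
ipt -A INPUT -i "$LAN" -j ACCEPT                            # the LAN is fully trusted
# Replies and related traffic (e.g. FTP data, ICMP errors) for connections
# THIS host started.  This replaces the earlier "--sport domain/5050 ACCEPT"
# rules: matching only on the remote SOURCE port let anyone reach any local
# port simply by sending from port 53, sidestepping the "--syn DROP" below.
# Accepting it up here also keeps normal reply traffic out of the log.
ipt -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT -i "$EXT" -p icmp -j ACCEPT                    # ALL ICMP types, incl. echo-request: this host answers pings
ipt -A INPUT -i "$EXT" -p udp --dport 5050 -j ACCEPT        # BPAlogin (unsolicited heartbeat packets)
# Services on THIS server to expose to the Internet.  Uncomment with care, and
# open the matching "--sport" rule in the OUTPUT section so the replies get out.
#ipt -A INPUT -i "$EXT" -p tcp --dport http -j ACCEPT
#ipt -A INPUT -i "$EXT" -p tcp --dport smtp -j ACCEPT
#ipt -A INPUT -i "$EXT" -p tcp --dport pop3 -j ACCEPT
#ipt -A INPUT -i "$EXT" -p tcp --dport ftp  -j ACCEPT
#ipt -A INPUT -i "$EXT" -p tcp --dport ssh  -j ACCEPT
# Silently discard the usual broadcast noise (Windows name service, DHCP) so
# it does not fill the log.  Note: dhclient talks through raw sockets, which
# netfilter does not see, so dropping bootps here does not break DHCP.
ipt -A INPUT -i "$EXT" -p udp --dport netbios-ns  -j DROP
ipt -A INPUT -i "$EXT" -p udp --dport netbios-dgm -j DROP
ipt -A INPUT -i "$EXT" -p udp --sport netbios-ns  -j DROP
ipt -A INPUT -i "$EXT" -p udp --sport bootps      -j DROP
ipt -A INPUT -i "$EXT" -p udp --sport bootpc      -j DROP
# New TCP connection attempts from the Internet are dropped WITHOUT logging;
# delete this line if you want to see them in the log.
ipt -A INPUT -i "$EXT" -p tcp --syn -j DROP
ipt -A INPUT -i "$EXT" -p 2 -j DROP                         # IGMP
# Everything else from the Internet is logged (rate-limited, so a flood of
# stray packets cannot fill the disk) and then dropped by "block".
ipt -A INPUT -i "$EXT" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIREWALL: "
ipt -A INPUT -j block

# output filtering rules (what THIS host itself may send to the Internet; the
# rest is logged and dropped by the policy.  LAN hosts are not affected, their
# traffic goes through FORWARD):
ipt -A OUTPUT -o lo     -j ACCEPT
ipt -A OUTPUT -o "$LAN" -j ACCEPT
ipt -A OUTPUT -o "$EXT" -p icmp -j ACCEPT
ipt -A OUTPUT -o "$EXT" -p udp --dport 5050 -j ACCEPT                       # BPAlogin
ipt -A OUTPUT -o "$EXT" -p tcp --dport 5050 -j ACCEPT                       # BPAlogin
ipt -A OUTPUT -o "$EXT" -p udp --sport bootpc --dport bootps -j ACCEPT      # BigPond (DHCP)
ipt -A OUTPUT -o "$EXT" -p udp --dport domain -j ACCEPT                     # DNS
ipt -A OUTPUT -o "$EXT" -p tcp --dport domain -j ACCEPT                     # DNS
#ipt -A OUTPUT -o "$EXT" -p tcp --sport http -j ACCEPT
#ipt -A OUTPUT -o "$EXT" -p tcp --dport smtp -j ACCEPT
#ipt -A OUTPUT -o "$EXT" -p tcp --sport smtp -j ACCEPT
#ipt -A OUTPUT -o "$EXT" -p tcp --sport pop3 -j ACCEPT
#ipt -A OUTPUT -o "$EXT" -p udp --dport ntp -d 203.21.37.18 -j ACCEPT      # ntp.saard.net
#ipt -A OUTPUT -o "$EXT" -p tcp --sport ftp -j ACCEPT
#ipt -A OUTPUT -o "$EXT" -p tcp --sport ssh -j ACCEPT
#ipt -A OUTPUT -o "$EXT" -p tcp --sport 1024: -j ACCEPT                    # lets this host's own TCP clients (any unprivileged port) out
ipt -A OUTPUT -o "$EXT" -p udp --dport netbios-ns  -j DROP                  # don't leak SMB name lookups, and don't log them
ipt -A OUTPUT -o "$EXT" -p udp --dport netbios-dgm -j DROP
ipt -A OUTPUT -o "$EXT" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIREWALL: "

# entries for NAT (network address translation, ie. IP masquerading or
# "internet connection sharing").  Only traffic LEAVING on the Internet
# interface is masqueraded; packets routed back towards the LAN keep their
# real addresses.  Forwarded packets are judged by the "block" chain.
ipt -t nat -A POSTROUTING -o "$EXT" -s "$LANnet" -j MASQUERADE
ipt -A FORWARD -j block

# Only now, with the FORWARD rules in place, let the kernel route packets.
echo 1 >/proc/sys/net/ipv4/ip_forward
#__________________________________end_of_firewall____________________________________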