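#!/bin/bash
# -vx >> add -v for verbose output, add -x for line-by-line echo as it's input
# ** above is useful for debugging purposes
#
## Last Modified On 20070907
#
###############################################################################
#
# /etc/rc.d/rc.firewall -- netfilter/iptables ruleset for a small dialup
# gateway.  The ppp daemon is configured to start in demand mode (via
# /etc/rc.d/rc.local) on system start.
#
# Interfaces (see the variables below):
#   ppp0  EXT_IF       the internet link
#   eth0  LAN_IF       wired LAN, 192.168.13.0/24 (this box is .1 in the rules)
#   ath0  WIRELESS_IF  wireless LAN, 10.10.13.0/24 (this box is .1 in the rules)
#
# Structure: the built-in INPUT/FORWARD chains only classify traffic by
# interface and protocol and hand it to a user chain; the real policy lives
# in those chains.  Every built-in chain has a DROP policy, and that policy
# is set BEFORE the flush so the box fails closed if a later rule fails to
# load.  Kernel forwarding is switched off while the rules are rebuilt and
# switched back on only once every chain is populated.
#
###############################################################################

# Show user notification
echo ""
echo "Initializing netfilter/iptables: /etc/rc.d/rc.firewall"

###############################################################################

# Load kernel module needed for FTP and NAT
# (ip_nat_ftp depends on the FTP conntrack helper, which modprobe should pull
# in as well; that helper is what makes passive/active FTP data connections
# show up as RELATED in the STATE chain)
/sbin/modprobe ip_nat_ftp

# Set variables
readonly IPT=/usr/sbin/iptables
readonly EXT_IF=ppp0
readonly LAN_IF=eth0
readonly WIRELESS_IF=ath0

# Set default policy
# ** deliberately done before the flush: if any rule below fails, the box
#    is left closed rather than open **
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Flush existing rules and remove custom user chains
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -t mangle -F
"$IPT" -X

# Create new custom user chains
"$IPT" -N STATE            # conntrack: drop INVALID, accept ESTABLISHED/RELATED
"$IPT" -N BADSTUFF         # bogus TCP flag combos and spoofed sources from EXT_IF
"$IPT" -N TCP_IN           # TCP to this box from the internet
"$IPT" -N TCP_FWD          # TCP from the internet to a DNATed internal host
"$IPT" -N UDP_IN           # UDP to this box from the internet
"$IPT" -N UDP_FWD          # UDP from the internet to a DNATed internal host
"$IPT" -N ICMP_IN          # ICMP to this box from the internet
"$IPT" -N ICMP_FWD         # ICMP from the internet to internal hosts
"$IPT" -N FWD_OUT_TCP      # TCP from internal hosts out to the internet
"$IPT" -N FWD_OUT_UDP      # UDP from internal hosts out to the internet
"$IPT" -N FWD_OUT_ICMP     # ICMP from internal hosts out to the internet
"$IPT" -N LAN_IN           # traffic to this box from the wired LAN
"$IPT" -N WIRELESS_IN      # traffic to this box from the wireless LAN
"$IPT" -N WIRELESS_FWD_OUT # traffic from the wireless LAN to anywhere else

# Allow all traffic on the loopback interface
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Turn off packet forwarding in the kernel
# ** This will be turned on at the end of the script **
echo 0 > /proc/sys/net/ipv4/ip_forward

# Notify the kernel that I'm using a dynamic IP address
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Do not log spoofed packets, source-routed packets, and redirect packets
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians

# NOTE(review): reverse-path filtering (/proc/sys/net/ipv4/conf/all/rp_filter)
# is not enabled here; the BADSTUFF chain below only covers spoofed sources
# arriving on EXT_IF, so rp_filter would be the complementary check for the
# LAN/WLAN sides.  Left unchanged -- verify it does not break demand-dial ppp.

# Send packets to the appropriate chains
# ** BADSTUFF and STATE run first on every packet; after that the interface
#    and protocol pick the chain that holds the policy **
"$IPT" -A INPUT -j BADSTUFF
"$IPT" -A INPUT -j STATE
"$IPT" -A INPUT -i "$EXT_IF" -p tcp -j TCP_IN
"$IPT" -A INPUT -i "$EXT_IF" -p udp -j UDP_IN
"$IPT" -A INPUT -i "$EXT_IF" -p icmp -j ICMP_IN
"$IPT" -A INPUT -i "$LAN_IF" -j LAN_IN
"$IPT" -A INPUT -i "$WIRELESS_IF" -j WIRELESS_IN

"$IPT" -A FORWARD -j BADSTUFF
"$IPT" -A FORWARD -j STATE
"$IPT" -A FORWARD -i "$EXT_IF" -p tcp -j TCP_FWD
"$IPT" -A FORWARD -i "$EXT_IF" -p udp -j UDP_FWD
"$IPT" -A FORWARD -i "$EXT_IF" -p icmp -j ICMP_FWD
# wired LAN may reach the wireless LAN without restriction
"$IPT" -A FORWARD -i "$LAN_IF" -o "$WIRELESS_IF" -j ACCEPT
# wireless LAN is treated as less trusted and gets its own chain
"$IPT" -A FORWARD -i "$WIRELESS_IF" -j WIRELESS_FWD_OUT
"$IPT" -A FORWARD -o "$EXT_IF" -p tcp -j FWD_OUT_TCP
"$IPT" -A FORWARD -o "$EXT_IF" -p udp -j FWD_OUT_UDP
"$IPT" -A FORWARD -o "$EXT_IF" -p icmp -j FWD_OUT_ICMP
# protocol 47 is GRE, needed for the PPTP VPN allowed in FWD_OUT_TCP
"$IPT" -A FORWARD -o "$EXT_IF" -p 47 -j ACCEPT

#########################
# nat table
#########################

# SNAT packets destined for the internet
"$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

# ** Every DNAT below needs a matching ACCEPT in TCP_FWD / UDP_FWD whose -d is
#    the post-DNAT (internal) address, otherwise the packet is silently dropped
#    in the FORWARD chain **

# Forward packets arriving on port 6346 (LimeWire) to liberty
"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 6346 -j DNAT --to-destination 192.168.13.50:6346
"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 6346 -j DNAT --to-destination 192.168.13.50:6346

# Forward packets arriving on port 6348 (LimeWire) to atropine
"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 6348 -j DNAT --to-destination 192.168.13.15:6348
"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 6348 -j DNAT --to-destination 192.168.13.15:6348

# Redirect ssh to tritium (OpenBSD)
"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 -j DNAT --to-destination 192.168.13.13:22

# Redirect http to isotope
#"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination 192.168.13.11:80

# Redirect packets arriving on port 443 to port 22 on isotope
# They just *think* they can block me at $SOME_LOCATION :D
# ** this exposes a second ssh endpoint on a port most people assume is TLS;
#    anyone scanning 443 gets an ssh banner from isotope **
"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 443 -j DNAT --to-destination 192.168.13.11:22

#########################
# OUTPUT chain
#########################

# Drop invalid packets trying to leave this box
"$IPT" -A OUTPUT -o "$EXT_IF" -m state --state INVALID -j DROP
"$IPT" -A OUTPUT -o "$WIRELESS_IF" -m state --state INVALID -j DROP

# Allow all other packets destined to the LAN and WLAN from this box
"$IPT" -A OUTPUT -o "$LAN_IF" -j ACCEPT
"$IPT" -A OUTPUT -o "$WIRELESS_IF" -j ACCEPT

# Do not send ICMP type 11 (time-exceeded) packets - this system will
# not willfully participate in traceroute-enabled netmapping
# ** note: the unconditional ACCEPT on WIRELESS_IF just above already matched
#    everything on that interface, so only the EXT_IF rule here is reachable **
"$IPT" -A OUTPUT -o "$EXT_IF" -p icmp --icmp-type time-exceeded -j DROP
"$IPT" -A OUTPUT -o "$WIRELESS_IF" -p icmp --icmp-type time-exceeded -j DROP

# Allow everything else out
"$IPT" -A OUTPUT -o "$EXT_IF" -p all -j ACCEPT
"$IPT" -A OUTPUT -o "$WIRELESS_IF" -p all -j ACCEPT

#########################
# BADSTUFF chain
#########################

# Drop packets that are likely to be stealth scans
# ** first set of tcp-flags sets criteria, second set sets match
"$IPT" -A BADSTUFF -p tcp --tcp-flags ALL NONE -j DROP             # null scan
"$IPT" -A BADSTUFF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags ACK,FIN FIN -j DROP          # FIN/xmas without ACK
"$IPT" -A BADSTUFF -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags ACK,URG URG -j DROP

# Drop packets from the internet that claim to be from a private network
# or from the loopback range
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 172.16.0.0/12 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 192.168.0.0/16 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 127.0.0.0/8 -j DROP

# Drop malformed broadcast packets
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 255.255.255.255 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 0.0.0.0 -j DROP

# Drop packets from Class D multicast addresses (224.0.0.0 - 239.255.255.255)
# ** this is a /4; the previous /8 only covered 224.x.x.x and let the rest of
#    the multicast range through **
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 224.0.0.0/4 -j DROP

# Drop packets from Class E reserved addresses (240.0.0.0 - 255.255.255.255)
# ** also a /4 for the same reason **
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 240.0.0.0/4 -j DROP

#########################
# STATE chain
#########################

# Drop packets with invalid state flags
"$IPT" -A STATE -m state --state INVALID -j DROP

# Accept packets that are part of established connections
# or are related to established connections
"$IPT" -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT

#########################
# TCP_IN chain
#########################

# Drop (without logging) packets from freenode's open proxy scanner
"$IPT" -A TCP_IN -p tcp -i "$EXT_IF" -s 82.96.96.3 -j DROP

# Reject incoming identd (auth) requests
# (a reset instead of a silent drop keeps IRC/SMTP servers from waiting on
# an identd timeout before letting us connect)
"$IPT" -A TCP_IN -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# All packets not already caught will be dropped
# ** no service on this box is reachable from the internet; ssh from outside
#    is DNATed to internal hosts in the nat table, not answered here **
"$IPT" -A TCP_IN -j DROP

#########################
# UDP_IN chain
#########################

# Drop everything
"$IPT" -A UDP_IN -j DROP

#########################
# ICMP_IN chain
#########################

# Drop all fragmented ICMP packets
"$IPT" -A ICMP_IN -p icmp -f -j DROP

# Allow incoming pings limited to 1 per second
"$IPT" -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Drop everything else
"$IPT" -A ICMP_IN -j DROP

#########################
# LAN_IN chain
#########################

# Allow packets of established connections and those related to them
"$IPT" -A LAN_IN -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow DHCP from local network
"$IPT" -A LAN_IN -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
"$IPT" -A LAN_IN -p udp --sport 68 --dport 67 -j ACCEPT

# Allow DNS requests from local network
"$IPT" -A LAN_IN -p udp -s 192.168.13.0/24 --dport 53 -j ACCEPT
"$IPT" -A LAN_IN -p tcp -s 192.168.13.0/24 --dport 53 -j ACCEPT

# Allow ntp from local network
"$IPT" -A LAN_IN -p udp -s 192.168.13.0/24 --dport 123 -j ACCEPT

# Allow incoming ssh from local network
"$IPT" -A LAN_IN -p tcp -s 192.168.13.0/24 --sport 1024:65535 -d 192.168.13.1 --dport 22 --syn -m state --state NEW -j ACCEPT

# Allow incoming pings from local network
"$IPT" -A LAN_IN -s 192.168.13.0/24 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Allow NFS stuff
"$IPT" -A LAN_IN -s 192.168.13.11 -p tcp -m multiport --dports 866,4045 -j ACCEPT

# Allow mail
"$IPT" -A LAN_IN -s 192.168.13.11 -p tcp -m multiport --dports 25,587 -m state --state NEW --syn -j ACCEPT

# Allow distcc stuff
"$IPT" -A LAN_IN -s 192.168.13.0/24 -p tcp --dport 3632 -j ACCEPT

# Accept LAN broadcasts from isotope (Re: CUPS)
"$IPT" -A LAN_IN -p udp -s 192.168.13.11 -d 192.168.13.255 -j ACCEPT

# Silently drop all other LAN broadcasts
"$IPT" -A LAN_IN -p udp -d 192.168.13.255 -j DROP
"$IPT" -A LAN_IN -p udp -s 192.168.13.1 --sport 67 -d 255.255.255.255 --dport 68 -j DROP

# Reject everything else from local network
# (anything on eth0 with a source outside 192.168.13.0/24 falls through to
# the INPUT DROP policy instead)
"$IPT" -A LAN_IN -s 192.168.13.0/24 -j REJECT

#########################
# TCP_FWD chain
#########################

# Allow those prerouted packets for LimeWire to pass
# ** -d is the post-DNAT internal address, matching the nat rules above **
"$IPT" -A TCP_FWD -i "$EXT_IF" -p tcp --dport 6346 -d 192.168.13.50 -j ACCEPT
"$IPT" -A TCP_FWD -i "$EXT_IF" -p tcp --dport 6348 -d 192.168.13.15 -j ACCEPT

# Allow prerouted ssh from net to go to tritium (OpenBSD)
"$IPT" -A TCP_FWD -i "$EXT_IF" -p tcp --dport 22 -d 192.168.13.13 -j ACCEPT

# Allow prerouted ssh from net to go to isotope (arrives as 443, DNATed to 22)
"$IPT" -A TCP_FWD -i "$EXT_IF" -p tcp --dport 22 -d 192.168.13.11 -j ACCEPT

# Allow prerouted http from net to go to isotope
#"$IPT" -A TCP_FWD -i "$EXT_IF" -p tcp --dport 80 -d 192.168.13.11 -j ACCEPT

# Drop everything else
"$IPT" -A TCP_FWD -i "$EXT_IF" -j DROP

#########################
# UDP_FWD chain
#########################

# Allow those prerouted packets for LimeWire to pass
# ** 6346 is DNATed to liberty (192.168.13.50) in the nat table; this rule
#    previously said 192.168.13.11, so it never matched and UDP 6346 was
#    dropped by the catch-all below **
"$IPT" -A UDP_FWD -i "$EXT_IF" -p udp --dport 6346 -d 192.168.13.50 -j ACCEPT
"$IPT" -A UDP_FWD -i "$EXT_IF" -p udp --dport 6348 -d 192.168.13.15 -j ACCEPT

# Drop everything else
"$IPT" -A UDP_FWD -i "$EXT_IF" -j DROP

#########################
# ICMP_FWD chain
#########################

# Drop everything
"$IPT" -A ICMP_FWD -i "$EXT_IF" -j DROP

#########################
# FWD_OUT_TCP chain
#########################

# Allow established/related packets
"$IPT" -A FWD_OUT_TCP -j STATE

# Do not allow outgoing connection attempts to NFS, SOCKS, OpenWindows, squid, samba/cifs
"$IPT" -A FWD_OUT_TCP -p tcp -m multiport --dports 2049,1080,2000,3128,137,138,139,445 --syn -j REJECT

# Allow ftp, ssh, whois, pop3, usenet, imap, s-pop3, AIM, Yahoo IM, jabber,jabber-s, irc 6667 & 7000
"$IPT" -A FWD_OUT_TCP -p tcp --sport 1024:65535 -m multiport --dports 21,22,43,110,119,143,995,5190,5050,5222,5223,6667,7000 --syn -m state --state NEW -j ACCEPT

# Allow smtp (25 & 587), finger, http on 80, 81, 88, 8080, and 8088, https, rsync, svn
"$IPT" -A FWD_OUT_TCP -p tcp --sport 1024:65535 -m multiport --dports 25,587,79,80,81,88,8080,8088,443,873,3690 -m state --state NEW --syn -j ACCEPT

# Allow TCSS webmail to port 32000
"$IPT" -A FWD_OUT_TCP -p tcp --sport 1024:65535 -d 216.109.50.71 --dport 32000 -m state --state NEW --syn -j ACCEPT

# Allow LimeWire traffic to go out
"$IPT" -A FWD_OUT_TCP -p tcp -m multiport --ports 6345:6351 -m state --state NEW --syn -j ACCEPT

# Allow requests to keyservers
"$IPT" -A FWD_OUT_TCP -p tcp --dport 11371 -m state --state NEW --syn -j ACCEPT

# Allow UA VPN (PPTP control channel; the GRE data channel is accepted in FORWARD)
"$IPT" -A FWD_OUT_TCP -p tcp -d 130.160.44.2 --dport 1723 -m state --state NEW --syn -j ACCEPT

# Log and reject all other traffic destined for the net
# Useful for when the wife says "Why won't $SOMETHING work?" :D
"$IPT" -A FWD_OUT_TCP -p tcp -j ULOG --ulog-prefix "REJECTED: "
"$IPT" -A FWD_OUT_TCP -p tcp -j REJECT

#########################
# FWD_OUT_UDP chain
#########################

# Allow established/related packets
"$IPT" -A FWD_OUT_UDP -j STATE

# Allow LimeWire traffic
"$IPT" -A FWD_OUT_UDP -p udp -m multiport --ports 6345:6351 -j ACCEPT

# Allow NTP traffic
"$IPT" -A FWD_OUT_UDP -p udp --dport 123 -j ACCEPT

# Allow outgoing traceroutes
"$IPT" -A FWD_OUT_UDP -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Drop all other traffic destined for the net
# (unlike FWD_OUT_TCP this is not logged; outbound DNS from internal hosts
# is also not in the list above, so clients must use this box as resolver)
"$IPT" -A FWD_OUT_UDP -p udp -j DROP

#########################
# FWD_OUT_ICMP chain
#########################

# Allow established/related packets
"$IPT" -A FWD_OUT_ICMP -j STATE

# Allow pings to go out from the internal network to anywhere
"$IPT" -A FWD_OUT_ICMP -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Do not allow ICMP time-exceeded messages to be forwarded outside of the local network
"$IPT" -A FWD_OUT_ICMP -p icmp --icmp-type time-exceeded -j DROP

# Drop everything else
"$IPT" -A FWD_OUT_ICMP -p icmp -j DROP

#########################
# WIRELESS_IN chain
#########################

# Allow DNS lookups
# ** restricted to the wireless subnet like every other rule in this chain;
#    without -s a spoofed source on ath0 would still reach the resolver **
"$IPT" -A WIRELESS_IN -p udp -s 10.10.13.0/24 --dport 53 -j ACCEPT
"$IPT" -A WIRELESS_IN -p tcp -s 10.10.13.0/24 --dport 53 -j ACCEPT

# Allow DHCP from wireless network
"$IPT" -A WIRELESS_IN -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
"$IPT" -A WIRELESS_IN -p udp --sport 68 --dport 67 -j ACCEPT

# Allow ntp from wireless network
"$IPT" -A WIRELESS_IN -p udp -s 10.10.13.0/24 --dport 123 -j ACCEPT

# Allow incoming ssh from wireless network
"$IPT" -A WIRELESS_IN -p tcp -s 10.10.13.0/24 --sport 1024:65535 --dport 22 --syn -m state --state NEW -j ACCEPT

# Allow incoming pings from wireless network
"$IPT" -A WIRELESS_IN -s 10.10.13.0/24 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Silently drop LAN broadcasts
"$IPT" -A WIRELESS_IN -p udp -d 10.10.13.255 -j DROP
"$IPT" -A WIRELESS_IN -p udp -s 10.10.13.1 --sport 67 -d 255.255.255.255 --dport 68 -j DROP

# Reject everything else from wireless network
"$IPT" -A WIRELESS_IN -s 10.10.13.0/24 -j REJECT

#########################
# WIRELESS_FWD_OUT chain
#########################

# Allow ssh to hit wired LAN
# ** -o LAN_IF added so this rule means what the comment says; ssh from the
#    WLAN to the internet still goes through FWD_OUT_TCP below, which allows
#    port 22 under the same sport/NEW/--syn conditions **
"$IPT" -A WIRELESS_FWD_OUT -p tcp -o "$LAN_IF" -s 10.10.13.0/24 --sport 1024:65535 --dport 22 \
  -m state --state NEW --syn -j ACCEPT

# Allow pings to hit wired LAN
# (pings to the internet are handled by FWD_OUT_ICMP below)
"$IPT" -A WIRELESS_FWD_OUT -o "$LAN_IF" -s 10.10.13.0/24 -p icmp --icmp-type echo-request \
  -m limit --limit 1/s -j ACCEPT

# Allow wireless network to connect to isotope's ftp server
# It's read-only & anonymous access only, so no harm there
"$IPT" -A WIRELESS_FWD_OUT -p tcp -o "$LAN_IF" -d 192.168.13.11 --dport 21 -m state --state NEW --syn -j ACCEPT

# Allow wireless network to connect to isotope's http server
"$IPT" -A WIRELESS_FWD_OUT -p tcp -o "$LAN_IF" -d 192.168.13.11 --dport 80 -m state --state NEW --syn -j ACCEPT

# Send to the normal FWD_OUT chains
"$IPT" -A WIRELESS_FWD_OUT -o "$EXT_IF" -p tcp -j FWD_OUT_TCP
"$IPT" -A WIRELESS_FWD_OUT -o "$EXT_IF" -p udp -j FWD_OUT_UDP
"$IPT" -A WIRELESS_FWD_OUT -o "$EXT_IF" -p icmp -j FWD_OUT_ICMP

# Reject everything else
# (this is what keeps the WLAN from reaching the wired LAN beyond ssh, ping,
# and isotope's ftp/http)
"$IPT" -A WIRELESS_FWD_OUT -j REJECT

###############################################################################

# Turn on packet forwarding in the kernel
# now that all chains are populated
echo 1 > /proc/sys/net/ipv4/ip_forward

###############################################################################

echo "Firewall rules are in place and active..."
echo ""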