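#!/bin/bash
#
# rc.firewall -- netfilter/iptables rules for a small LAN gateway.
#
# Topology assumed by this script (edit the variables below):
#   EXT_IF    dynamic-IP uplink to the internet (ppp0)
#   LAN_IF    internal interface (eth0)
#   LOCALNET  address range of the LAN behind LAN_IF
#
# Policy: INPUT, OUTPUT and FORWARD default to DROP. INPUT and FORWARD are
# dispatched to the user chains BADSTUFF (spoofed sources / stealth scans),
# STATE (connection tracking) and LAN_IN (services offered to the LAN).
# Packet forwarding is switched off while the rules are being built and
# switched on again only once every chain is populated.
#
# Must run as root.

set -u

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write a value into a /proc/sys knob, skipping knobs this kernel lacks.
# Arguments: $1 - path under /proc/sys, $2 - value to write
# Returns:   0 if written or absent, non-zero if the write failed
#######################################
set_knob() {
  local path=$1
  local value=$2
  [[ -e "$path" ]] || return 0
  printf '%s\n' "$value" > "$path"
}

# Show user notification
printf '\n%s\n' "Initializing netfilter/iptables: /etc/rc.d/rc.firewall"

# Load the FTP connection-tracking/NAT helper so active FTP works through
# MASQUERADE. Newer kernels name the module nf_nat_ftp, older ones ip_nat_ftp.
/sbin/modprobe nf_nat_ftp 2>/dev/null || /sbin/modprobe ip_nat_ftp

# Set variables - modify as needed
# Locate iptables via PATH, falling back to the usual location; abort rather
# than run "-P INPUT DROP" as a bare command when the binary is missing.
IPT=$(command -v iptables || printf '%s' /sbin/iptables)
[[ -x "$IPT" ]] || die "iptables binary not found: $IPT"
readonly IPT
readonly EXT_IF="ppp0"
readonly LAN_IF="eth0"
readonly LOCALNET="192.168.1.0/24"   # LAN Address Range

# Set default policy first so a failure part-way through leaves the box
# isolated (fail closed) rather than open.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Flush existing rules and kill custom chains
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -t mangle -F
"$IPT" -X

# Create new custom user chains
"$IPT" -N STATE
"$IPT" -N BADSTUFF
"$IPT" -N LAN_IN

# Allow all traffic on the loopback interface
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Turn off packet forwarding in the kernel
# ** This will be turned on at the end of the script **
set_knob /proc/sys/net/ipv4/ip_forward 0

# Notify the kernel that we're using a dynamic IP address
set_knob /proc/sys/net/ipv4/ip_dynaddr 1

# Enable TCP SYN Cookie Protection (knob may be absent on old kernels)
set_knob /proc/sys/net/ipv4/tcp_syncookies 1

# Disable ICMP Redirect Acceptance
# Do not send Redirect Messages
# Disable source-routed packets
set_knob /proc/sys/net/ipv4/conf/all/accept_redirects 0
set_knob /proc/sys/net/ipv4/conf/all/send_redirects 0
set_knob /proc/sys/net/ipv4/conf/all/accept_source_route 0

# Enable bad error message protection
# Enable broadcast echo protection
set_knob /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
set_knob /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# Send packets to the appropriate chains. Order matters: LAN traffic is
# handled entirely by LAN_IN, everything else is screened by BADSTUFF
# before STATE decides on it; whatever falls through hits the DROP policy.
"$IPT" -A INPUT -i "$LAN_IF" -j LAN_IN
"$IPT" -A INPUT -j BADSTUFF
"$IPT" -A INPUT -j STATE

#########################
# nat table
#########################

# SNAT packets destined for the internet
"$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

# Redirect ssh to another host inside the lan (uncomment and fill in the
# LAN host address if needed; pair it with the FORWARD rule further down)
#"$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 -j DNAT --to-destination <LAN_HOST_IP>

#########################
# OUTPUT chain
#########################

# Drop invalid packets trying to leave this box
# Allow all other packets destined to the LAN from this box
"$IPT" -A OUTPUT -o "$EXT_IF" -m state --state INVALID -j DROP
"$IPT" -A OUTPUT -o "$LAN_IF" -j ACCEPT

# Do not send ICMP type 11 (time-exceeded) packets - this system will
# not willfully participate in traceroute-enabled netmapping
# Allow everything else out
"$IPT" -A OUTPUT -o "$EXT_IF" -p icmp --icmp-type time-exceeded -j DROP
"$IPT" -A OUTPUT -o "$EXT_IF" -p all -j ACCEPT

#########################
# BADSTUFF chain
#########################

# Drop packets that are likely to be stealth scans
# ** first set of tcp-flags sets criteria, second set sets match
"$IPT" -A BADSTUFF -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags ACK,FIN FIN -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPT" -A BADSTUFF -p tcp --tcp-flags ACK,URG URG -j DROP

# Drop packets from the internet that claim to be from a private network
# or from the loopback range
# Drop malformed broadcast packets
# Drop packets from Class D Multicast addresses (224.0.0.0-239.255.255.255
# is a /4, not a /8 -- the /8 only covered 224.x.x.x)
# Drop packets from Class E Reserved IP addresses (240.0.0.0/4, same fix)
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 172.16.0.0/12 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 192.168.0.0/16 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 255.255.255.255 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 0.0.0.0 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 224.0.0.0/4 -j DROP
"$IPT" -A BADSTUFF -i "$EXT_IF" -s 240.0.0.0/4 -j DROP

#########################
# LAN_IN chain
#########################

# Allow packets of established connections and those related to them
# Allow incoming ssh from local network
# Allow incoming pings from local network (rate limited)
# Reject everything else from local network
"$IPT" -A LAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A LAN_IN -p tcp -s "$LOCALNET" --dport 22 --syn -m state --state NEW -j ACCEPT
"$IPT" -A LAN_IN -s "$LOCALNET" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
"$IPT" -A LAN_IN -j REJECT

#########################
# STATE chain
#########################

# Drop packets with invalid state flags
# Accept packets that are part of established connections
# or are related to established connections
"$IPT" -A STATE -m state --state INVALID -j DROP
"$IPT" -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT

########################
# FORWARD chain
########################

# INCOMING STUFF FROM THE INTERNET
# Screen forwarded traffic from the uplink with the same spoofed-source and
# stealth-scan filter INPUT uses, then allow established/related
"$IPT" -A FORWARD -i "$EXT_IF" -j BADSTUFF
"$IPT" -A FORWARD -j STATE

# If you forwarded ssh connections to a box inside the lan earlier,
# you'll need to fill in the same LAN host address and uncomment this rule
#"$IPT" -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d <LAN_HOST_IP> --dport 22 -j ACCEPT

# OUTGOING STUFF FROM LAN BOXES
# Do not allow outgoing connection attempts to NFS, SOCKS, OpenWindows, squid, samba/cifs
# Do not allow ICMP time-exceeded messages to be forwarded outside of the local network
# Everything else can pass
"$IPT" -A FORWARD -o "$EXT_IF" -p tcp -m multiport --dports 2049,1080,2000,3128,137,138,139,445 --syn -j REJECT
"$IPT" -A FORWARD -o "$EXT_IF" -p icmp --icmp-type time-exceeded -j DROP
"$IPT" -A FORWARD -o "$EXT_IF" -j ACCEPT

###############################################################################
# Turn on packet forwarding in the kernel
# now that all chains are populated
set_knob /proc/sys/net/ipv4/ip_forward 1
##############################################################################

printf '%s\n\n' "Firewall rules are in place and active..."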