#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x

# To install under Red Hat : chkconfig --add iptables
# To install under Debian : update-rc.d iptables defaults 21
# chkconfig specific parameters follow
# iptables:
# chkconfig: 2345 82 80
# description: starts or stops netfilter rules

# Marat "Billy" Bilialov, devel @ socket.ru, http://socket.ru/vlan-howto
# Based on a script by Doug Monroe, doug @ planetconnect.com, http://www.planetconnect.com/vlan/
# Mar. 22, 2002

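# --- Site configuration ---------------------------------------------------
# Adjust to the host before installing.  The rules below read LAN_IFACE,
# VLAN_IFACE, LO_IFACE, INET_IFACE, INET_IP and IPTABLES; the other
# variables are not referenced by this script and are kept for reference.
# (The original comments here were mis-encoded; rewritten in English.)

# LAN network.  Not referenced by the rules below, which use 192.168.0.0/16
# literally.  NOTE(review): the value has host bits set for a /16 prefix.
LAN_IP="192.168.1.0/16"

# LAN broadcast address (noted as dhcpd-related in the original).
# Not referenced by the rules below.
LAN_BCAST_ADRESS="192.168.0.255/255.255.0.255"

# Internal interface: everything arriving on it is accepted unconditionally.
LAN_IFACE="eth1"

# VLAN sub-interfaces ("+" is the iptables interface wildcard, so this matches
# vlan0, vlan1, ...).  Also fully trusted by the INPUT rules.
VLAN_IFACE="vlan+"

# Limited broadcast address (DHCP).  Not referenced by the rules below.
BROADCAST="255.255.255.255/32"

# Loopback interface and address; only LO_IFACE is referenced below.
LO_IFACE="lo"
LO_IP="127.0.0.1/32"

# Internet-facing interface and its address.  INET_IP is a placeholder and
# must be set to the real address of INET_IFACE: the ESTABLISHED,RELATED
# rule in the start branch matches on it, so with a wrong value reply traffic
# from the Internet falls through to the INPUT DROP policy.
INET_IFACE="eth0"
INET_IP="1.2.3.4"

# Path of the iptables binary.
IPTABLES="/sbin/iptables"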

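#######################################
# Reset the filter and nat tables: flush every chain and delete the
# user-defined ones.  Chain policies are left untouched, so the caller
# decides whether the host is open or closed while the tables are empty.
# Globals:  IPTABLES (read)
#######################################
fw_flush() {
    "$IPTABLES" -F
    "$IPTABLES" -t nat -F
    "$IPTABLES" -X
    "$IPTABLES" -t nat -X
}

#######################################
# Install the rule set.  Safe to run repeatedly: the tables are reset with
# INPUT already at DROP (closed, not open, during the rebuild) before the
# chains are created, which avoids "chain already exists" errors and
# duplicate rules when start runs a second time.
# Globals:  IPTABLES INET_IFACE INET_IP LAN_IFACE VLAN_IFACE LO_IFACE (read)
# Outputs:  iptables diagnostics on stderr; a failing rule does not abort
#######################################
fw_start() {
    # Enable routing between interfaces.  FORWARD stays at ACCEPT below,
    # so forwarded traffic is not filtered by this script at all.
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Default policies: only INPUT is default-deny.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT

    fw_flush

    # Per-protocol chains for traffic arriving on the Internet interface.
    "$IPTABLES" -N icmp_packets
    "$IPTABLES" -N tcp_packets
    "$IPTABLES" -N udpincoming_packets

    # ICMP: echo reply (0), destination unreachable (3), echo request (8),
    # time exceeded (11).
    "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
    "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
    "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

    # TCP services reachable from anywhere (SSH, HTTPS); the proxy only
    # from the private 192.168/16 range.
    "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT               # SSH
    "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT              # HTTPS
    "$IPTABLES" -A tcp_packets -p TCP -s 192.168.0.0/16 --dport 3128 -j ACCEPT  # proxy

    # UDP accepted by *source* port.  NOTE(review): a source-port match is
    # satisfied by any sender that binds port 53/67, so these rules admit
    # unsolicited UDP to every local port.  DNS replies are already covered
    # by the ESTABLISHED,RELATED rule further down, so the sport-53 rule is
    # likely redundant; confirm before tightening.
    "$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT # dns
    "$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 --source-port 67 -j ACCEPT # dhcp server
    #"$IPTABLES" -A udpincoming_packets -p UDP -s 0/0 --source-port 68 -j ACCEPT # dhcp client??

    # Anti-spoofing: drop RFC 1918 sources arriving from the Internet side.
    # NOTE(review): these sit in the nat table, which is traversed only by
    # the first packet of a connection and is not intended for filtering;
    # the conventional place is the filter table (INPUT/FORWARD) or raw.
    "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 192.168.0.0/16 -j DROP
    "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 10.0.0.0/8 -j DROP
    "$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 172.16.0.0/12 -j DROP

    # Internet-side traffic is dispatched by protocol; whatever a sub-chain
    # does not ACCEPT returns here and reaches the DROP policy unless the
    # established-connection rule below matches it.
    "$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
    "$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
    "$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets

    # Internal interfaces and loopback are fully trusted.
    "$IPTABLES" -A INPUT -i "$LAN_IFACE" -j ACCEPT
    "$IPTABLES" -A INPUT -i "$VLAN_IFACE" -j ACCEPT
    "$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT

    # Replies to connections this host initiated.  Restricted to INET_IP,
    # so INET_IP must be the real address of INET_IFACE or return traffic
    # from the Internet is dropped by the INPUT policy.
    "$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Example port forward (disabled): inbound TCP/80 for 1.2.3.102 is
    # redirected to 192.168.2.12.
    #"$IPTABLES" -t nat -A PREROUTING -d 1.2.3.102 -p tcp --dport 80 -j DNAT --to 192.168.2.12
}

#######################################
# Open the firewall: every policy back to ACCEPT, then reset the tables.
# Globals:  IPTABLES (read)
# Outputs:  progress message on stdout
#######################################
fw_stop() {
    # printf rather than `echo -n`: under /bin/sh (dash) echo prints "-n".
    printf 'Flushing all rules ... '
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -t nat -P PREROUTING ACCEPT
    "$IPTABLES" -t nat -P POSTROUTING ACCEPT
    "$IPTABLES" -t nat -P OUTPUT ACCEPT
    fw_flush
    echo "done."
}

#######################################
# List the active rules: filter table, then nat (which holds the
# anti-spoofing rules).
# Globals:  IPTABLES (read)
#######################################
fw_status() {
    "$IPTABLES" -nL
    "$IPTABLES" -t nat -nL
}

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
    printf 'usage: %s {start|stop|restart|status}\n' "$0" >&2
    exit 1
}

# restart calls the functions directly instead of re-executing "$0", so it
# does not depend on the script being on a resolvable, executable path.
case "$1" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  fw_status ;;
    *)       usage ;;
esac
exit 0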

