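#!/bin/sh
#
# firewall -- iptables packet filter / masquerading script for a small
# gateway with two internal LANs and one or two external links.
#
# Usage:  firewall (start|stop|restart|reload|status)
#
#   start    flush every chain this script touches and rebuild the rule set
#   stop     flush the rules; forwarding stays off (FORWARD policy DROP) and
#            INPUT is put back to ACCEPT, i.e. "no firewall"
#   restart  stop followed by start ("reload" is an alias)
#   status   not supported
#
# Layout: the case wrapper between "COMMENT OUT FROM THIS LINE" and "TO HERE"
# (plus the matching ";;"/esac section at the very end) can be removed to run
# the flat rule set directly on systems whose init scheme dislikes it.

# This is the location of the iptables command
IPTABLES="/usr/local/sbin/iptables"

# If the following lines seem to cause trouble, COMMENT OUT FROM THIS LINE
case "$1" in
  stop)
    echo "Shutting down firewall:"
    # Flush the filter table AND the nat table: the PREROUTING/POSTROUTING
    # rules appended by 'start' live in nat and would otherwise survive a
    # stop (and pile up on every restart).
    "$IPTABLES" -F
    "$IPTABLES" -t nat -F
    # 'start' leaves INPUT with a DROP policy (fail closed); 'stop' means
    # "no firewall", so re-open INPUT but keep forwarding switched off.
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD DROP
    ;;
  status)
    echo "Status is not supported for firewall"
    ;;
  restart|reload)
    "$0" stop
    "$0" start
    ;;
  start)
    echo "Starting Firewall:"
    # TO HERE. DON'T FORGET AN ADDITIONAL SECTION AT THE END

    # Bail out early if the binary is missing or not executable: otherwise
    # every rule below fails one by one and the host ends up with no filter.
    if [ ! -x "$IPTABLES" ]; then
      printf 'firewall: %s is not executable\n' "$IPTABLES" >&2
      exit 1
    fi

    # Set the following variables to match your network.
    # The internal "wired" network
    INTERNALIF1="eth0"
    # The "wireless" network
    INTERNALIF2="eth1"
    INTERNALNET1="192.168.0.0/24"
    INTERNALNET2="192.168.1.0/24"
    INTERNALBCAST1="192.168.0.255"
    INTERNALBCAST2="192.168.1.255"
    EXTERNALIF1="ppp0"
    # For those of you that don't have adelphia's cable modem, you can most
    # likely comment out all lines below that have to do with the cm0 interface
    EXTERNALIF2="cm0"
    # Only needed for DNAT, else leave commented out
    #MYADDR="1.2.3.4"

    ################################################################
    # If you have your ipfilter stuff built as modules in your kernel, you
    # will have to uncomment the following lines.
    # Insert modules - should be done automatically if needed
    #dmesg -n 1 # Kill copyright display on module load
    #/sbin/modprobe ip_tables
    #/sbin/modprobe iptable_filter
    #/sbin/modprobe ip_conntrack
    #/sbin/modprobe ip_conntrack_ftp
    #dmesg -n 6

    #
    ## Flush everything, start from scratch
    #
    # Fail closed while the rule set is rebuilt: with the chains flushed and
    # an ACCEPT policy the host is briefly wide open to everything.  The
    # catch-all rules at the end make the DROP policy invisible once 'start'
    # has finished, so the resulting rule set is unchanged.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    # Incoming packets from the outside network
    "$IPTABLES" -F INPUT
    # Outgoing packets from the internal network
    "$IPTABLES" -F OUTPUT
    # Forwarding/masquerading
    "$IPTABLES" -F FORWARD
    # The nat table holds the PREROUTING DROPs and the POSTROUTING
    # MASQUERADE added below; without this flush every 'start' appends
    # another copy of them.
    "$IPTABLES" -t nat -F

    ## Setup sysctl controls which affect tcp/ip
    #
    # Note: in order for the 1 way cable to work, you have to allow ipspoofing.
    # If you don't have a cable modem, change this to "echo 1" for added
    # protection (reverse-path filtering).
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    # Don't respond to broadcast pings
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Defragment all packets - default now
    # Enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Block source routing
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    # Kill timestamps. These have been the subject of a recent bugtraq thread
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    # Enable SYN cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Kill redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    # Enable bad error message protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Allow dynamic ip addresses
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    # Log martians (packets with impossible addresses)
    # RiVaL said that certain NICs don't like this. Comment out if necessary.
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    # Set our local port range
    echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
    # Reduce DoS'ing ability by reducing timeouts.  Turning off window
    # scaling and SACK also costs throughput on fast links - tune to taste.
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_sack

    ## Set basic rules
    #
    # Note that unlike ipchains, rules passing through a FORWARD chain do NOT
    # also have to pass through an INPUT chain.

    # Kill ANY stupid packets, including
    # - Packets that are too short to have a full ICMP/UDP/TCP header
    # - TCP and UDP packets with zero (illegal) source and destination ports
    # - Illegal combinations of TCP flags
    # - Zero-length (illegal) or over-length TCP and IP options,
    #   or options after the END-OF-OPTIONS option
    # - Fragments of illegal length or offset (e.g., Ping of Death).
    # Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html
    #"$IPTABLES" -A INPUT -m unclean -j DROP
    #"$IPTABLES" -A FORWARD -m unclean -j DROP

    # Kill invalid packets (illegal combinations of flags)
    "$IPTABLES" -A INPUT -m state --state INVALID -j DROP
    "$IPTABLES" -A FORWARD -m state --state INVALID -j DROP

    # Allow all connections on the local interface
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Kill connections to the local interface from the outside world.
    "$IPTABLES" -A INPUT -d 127.0.0.0/8 -j REJECT

    # Allow unlimited traffic from internal network using legit addresses
    "$IPTABLES" -A INPUT -i "$INTERNALIF1" -s "$INTERNALNET1" -j ACCEPT
    "$IPTABLES" -A INPUT -i "$INTERNALIF2" -s "$INTERNALNET2" -j ACCEPT
    #
    # Kill anything from outside claiming to be from internal network
    "$IPTABLES" -A INPUT -i "$EXTERNALIF2" -s "$INTERNALNET1" -j REJECT
    "$IPTABLES" -A INPUT -i "$EXTERNALIF2" -s "$INTERNALNET2" -j REJECT
    "$IPTABLES" -A INPUT -i "$EXTERNALIF1" -s "$INTERNALNET1" -j REJECT
    "$IPTABLES" -A INPUT -i "$EXTERNALIF1" -s "$INTERNALNET2" -j REJECT

    ## ICMP
    # ping: don't forward pings going inside
    "$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -o "$INTERNALIF1" -j REJECT
    "$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -o "$INTERNALIF2" -j REJECT
    # ping flood protection
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Deny icmp to broadcast address
    "$IPTABLES" -A INPUT -p icmp -d "$INTERNALBCAST1" -j DROP
    "$IPTABLES" -A INPUT -p icmp -d "$INTERNALBCAST2" -j DROP
    # drop all other icmp
    "$IPTABLES" -A INPUT -p icmp -j DROP

    ## Allow established connections
    # Unlike ipchains, we don't have to go through the business of allowing
    # a local port range - just allow all connections already established.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Note that unlike ipchains, the following must be enabled even with
    # masquerading.
    # Don't forward SMB related traffic
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -p tcp --dport 137 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF2" -p tcp --dport 137 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -p tcp --dport 138 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF2" -p tcp --dport 138 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -p tcp --dport 139 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF2" -p tcp --dport 139 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -p udp --dport 137 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF2" -p udp --dport 137 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -p udp --dport 138 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF2" -p udp --dport 138 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -p udp --dport 139 -j REJECT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF2" -p udp --dport 139 -j REJECT

    # Drop the incoming "Network Neighborhood" crap so all the windows boxes
    # out there don't fill up your log files with requests
    "$IPTABLES" -A INPUT -p udp --dport 137 -j DROP
    "$IPTABLES" -A INPUT -p udp --dport 138 -j DROP
    "$IPTABLES" -A INPUT -p udp --dport 139 -j DROP

    # Allow ALL other forwarding going out
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -i "$INTERNALIF1" -j ACCEPT
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF1" -i "$INTERNALIF2" -j ACCEPT

    # Allow replies coming in
    # BIG NOTE!! If you are not using the adelphia cable, you need to modify
    # the following line to be EXTERNALIF1 NOT EXTERNALIF2
    "$IPTABLES" -A FORWARD -i "$EXTERNALIF2" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # From here on, we're dealing with connection attempts.
    # The -m limit is a DoS protection on connects:
    # first we allow a certain amount of connections per second,
    # DROP the rest (so we don't DoS ourself with rejections).
    # We don't limit normal packets (!syn) by allowing the rest.

    ## Basic services. Uncomment to allow in.
    # ftp-data
    #"$IPTABLES" -A INPUT -p tcp --dport 20 -j ACCEPT
    # ftp
    #"$IPTABLES" -A INPUT -p tcp --dport 21 -j ACCEPT
    # ssh
    #"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
    # telnet
    #"$IPTABLES" -A INPUT -p tcp --dport 23 -j ACCEPT
    # smtp: one per second limit, burst rate of ten
    #"$IPTABLES" -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    #"$IPTABLES" -A INPUT -p tcp --dport 25 -j DROP
    # DNS
    #"$IPTABLES" -A INPUT -p tcp --dport 53 -j ACCEPT
    #"$IPTABLES" -A INPUT -p udp --dport 53 -j ACCEPT
    # finger
    #"$IPTABLES" -A INPUT -p tcp --dport 79 -j ACCEPT
    # http
    #"$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT
    # POP-3
    #"$IPTABLES" -A INPUT -p tcp --dport 110 -j ACCEPT
    # identd
    # NOTE(review): this ACCEPT is appended before the "--dport 113 -j REJECT"
    # further down, so that REJECT can never match; keep exactly one of the
    # two depending on whether identd should be reachable.
    "$IPTABLES" -A INPUT -p tcp --dport 113 -j ACCEPT
    # RPC
    #"$IPTABLES" -A INPUT -p tcp --dport 135 -j ACCEPT
    # NetBIOS
    #"$IPTABLES" -A INPUT -p tcp --dport 139 -j ACCEPT
    # IMAP
    #"$IPTABLES" -A INPUT -p tcp --dport 143 -j ACCEPT
    # https
    #"$IPTABLES" -A INPUT -p tcp --dport 443 -j ACCEPT
    # MSFTDS
    #"$IPTABLES" -A INPUT -p tcp --dport 445 -j ACCEPT
    #

    ## DNAT
    # Modify addresses and uncomment to allow DNAT (port forwarding)
    # Stop anything directly addressing the internal network
    "$IPTABLES" -A PREROUTING -t nat -i "$EXTERNALIF2" -d "$INTERNALNET1" -j DROP
    "$IPTABLES" -A PREROUTING -t nat -i "$EXTERNALIF2" -d "$INTERNALNET2" -j DROP
    # Send web requests to an internal machine
    # Send mail to an internal machine
    # NOTE: EXTERNALIF is not defined above - use EXTERNALIF1 or EXTERNALIF2
    # (and set MYADDR) before uncommenting these templates.
    #"$IPTABLES" -A PREROUTING -t nat -i "$EXTERNALIF" -p tcp -d "$MYADDR" --dport 80 \
    #  -j DNAT --to 192.168.0.10:80
    #"$IPTABLES" -A FORWARD -i "$EXTERNALIF" -p tcp -d 192.168.0.10 --dport 80 -j ACCEPT
    #"$IPTABLES" -A PREROUTING -t nat -i "$EXTERNALIF" -p tcp -d "$MYADDR" --dport 25 \
    #  -j DNAT --to 192.168.0.10:25
    #"$IPTABLES" -A FORWARD -i "$EXTERNALIF" -p tcp -d 192.168.0.10 --dport 25 -j ACCEPT

    ## Some ports should be denied and logged.
    # Each LOG rule is rate limited (-m limit) so a scan cannot flood syslog;
    # the DROP that follows catches every packet, logged or not.
    "$IPTABLES" -A INPUT -p tcp --dport 6670 -m limit -j LOG --log-prefix "Deepthroat scan"
    "$IPTABLES" -A INPUT -p tcp --dport 6670 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 6711 -m limit -j LOG --log-prefix "Subseven scan"
    "$IPTABLES" -A INPUT -p tcp --dport 6711 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 6712 -m limit -j LOG --log-prefix "Subseven scan"
    "$IPTABLES" -A INPUT -p tcp --dport 6712 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 6713 -m limit -j LOG --log-prefix "Subseven scan"
    "$IPTABLES" -A INPUT -p tcp --dport 6713 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 12345 -m limit -j LOG --log-prefix "Netbus scan"
    "$IPTABLES" -A INPUT -p tcp --dport 12345 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 12346 -m limit -j LOG --log-prefix "Netbus scan"
    "$IPTABLES" -A INPUT -p tcp --dport 12346 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 20034 -m limit -j LOG --log-prefix "Netbus scan"
    "$IPTABLES" -A INPUT -p tcp --dport 20034 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 31337 -m limit -j LOG --log-prefix "Back orifice scan"
    "$IPTABLES" -A INPUT -p tcp --dport 31337 -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 6000 -m limit -j LOG --log-prefix "X-Windows Port"
    "$IPTABLES" -A INPUT -p tcp --dport 6000 -j DROP

    # Traceroutes depend on finding a rejected port. DROP the ones it uses
    "$IPTABLES" -A INPUT -p udp --dport 33434:33523 -j DROP

    # Don't log ident because it gets hit all the time eg connecting to an
    # irc server (see the identd ACCEPT above - only one of the two applies)
    "$IPTABLES" -A INPUT -p tcp --dport 113 -j REJECT

    ## Catch all rules.
    # Reject everything not explicitly accepted above.  These make the final
    # state identical whatever the chain policy is.
    "$IPTABLES" -A INPUT -p all -j DROP
    "$IPTABLES" -A FORWARD -p all -j REJECT
    # Accept it anyway if it's only output
    "$IPTABLES" -A OUTPUT -j ACCEPT

    # Masquerade internal connections going out.
    "$IPTABLES" -A POSTROUTING -t nat -o "$EXTERNALIF1" -j MASQUERADE

    # SYSTEMS THAT HAD TO COMMENT OUT BEGINNING OF SCRIPT, COMMENT ALL BELOW
    ;;
  *)
    echo "Usage: firewall (start|stop|restart|reload|status)" >&2
    exit 1
    ;;
esac
exit 0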