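#!/bin/sh
#
# Activate the host firewall rules:
#   - turn on rp_filter (source-address verification) on every interface,
#   - REJECT (and for some ports LOG) selected TCP ports on the ADSL address,
#   - DROP the NetBIOS/SMB ports for the listed subnets (TCP and UDP),
#   - MASQUERADE the listed LAN clients out of both uplinks (ppp0, eth0).
#
# Must run as root.  Requires iptables and modprobe; ipchains/rmmod are only
# used to clean up a legacy ipchains setup.
#
# This is a /bin/sh script: no bashisms ([[ ]], arrays, "echo -n") are used.

echo Activate Firewall rules

# Remove the ipchains module if it was ever there.  On a box that never had
# ipchains both commands fail; that is expected and harmless.
ipchains -F
rmmod ipchains

# Load the connection-tracking / NAT helper modules.
# NOTE(review): these are the legacy 2.4/2.6-era module names; newer kernels
# ship nf_conntrack, nf_conntrack_ftp and nf_nat_ftp instead — confirm for
# the target kernel.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat

# All lists below are space-separated and are deliberately expanded UNQUOTED
# in the loops so the shell splits them into words.  They are fixed in this
# file, not user input, and contain no glob characters.

# Subnets whose NetBIOS/SMB ports are dropped; add more separated by spaces.
subnets="20.0.0.0/24"
# Our local LAN subnet prefix; the host part is appended from the lists below.
lansubnet="10.0.1."
# Client servers that want access.
cservers="220 221 "
# Dial-in IP addresses.
cdialin="176 177"
# IT computers.
citcomp="171 172"
# Samba / NetBIOS ports.
samba_ports="137 138 139"

# Address and ports to firewall for this host, plus the ports that are logged
# as well as rejected.  The log entries are not analysed further yet.
adsl="1.0.0.123"
adsl_ports="80 515 6000"
adsl_ports_log="21 22 25 110 123 199 3052 3306 6051"

# Number of iptables invocations that failed.  Reported at the end so a rule
# that did not get installed (a fail-open firewall) is not silently ignored.
failed=0

#######################################
# Run iptables with the given arguments.  A failure is reported on stderr and
# counted, but does not abort the script, so the remaining rules still apply.
# Globals:   failed (written)
# Arguments: iptables arguments
# Returns:   iptables' exit status
#######################################
fw() {
  iptables "$@" && return 0
  fw_rc=$?
  printf 'WARNING: iptables %s failed (status %d)\n' "$*" "$fw_rc" >&2
  failed=$((failed + 1))
  return "$fw_rc"
}

#######################################
# REJECT the listed TCP ports on the ADSL address.  The ports in
# adsl_ports_log are LOGged first and then REJECTed.
# Globals:   adsl, adsl_ports, adsl_ports_log (read)
#######################################
firewall_adsl() {
  echo firewalling adsl
  for ip in $adsl; do
    for port in $adsl_ports; do
      fw -A INPUT -d "$ip" -p tcp --dport "$port" -j REJECT
    done
    for port in $adsl_ports_log; do
      # NOTE(review): the LOG rule is unlimited; a scan of these ports can
      # flood syslog.  Consider adding "-m limit" to the LOG rule.
      fw -A INPUT -d "$ip" -p tcp --dport "$port" -j LOG
      fw -A INPUT -d "$ip" -p tcp --dport "$port" -j REJECT
    done
  done
}

#######################################
# DROP the NetBIOS/SMB ports for every listed subnet, for TCP and for UDP.
# iptables accepts only one protocol per "-p"; the previous "-p TCP,UDP" was
# rejected by iptables, so no samba rule was ever installed.  One rule per
# protocol and port fixes that (137/138 are UDP, 139 is TCP in practice, but
# both protocols are dropped for all three ports, as originally intended).
# Globals:   subnets, samba_ports (read)
#######################################
drop_samba_netbios() {
  echo firewalling samba
  for subnet in $subnets; do
    echo "$subnet"
    for port in $samba_ports; do
      echo "$subnet" "$port"
      for proto in tcp udp; do
        fw -A INPUT -d "$subnet" -p "$proto" --dport "$port" -j DROP
      done
    done
  done
}

#######################################
# MASQUERADE outbound traffic from each listed LAN client on both uplinks.
# Globals:   lansubnet, cdialin, citcomp, cservers (read)
#######################################
client_nat_conn() {
  echo Setting up nat for clients
  for client in $cdialin $citcomp $cservers; do
    # Two masquerade rules per client because there are two paths out of the
    # network (ppp0 and eth0).
    for iface in ppp0 eth0; do
      fw -t nat -A POSTROUTING -s "${lansubnet}${client}" -o "$iface" -j MASQUERADE
    done
  done
}

#######################################
# Turn on source-address verification (rp_filter) on all current and future
# interfaces.  If the sysctl tree is missing, drop to a single-user shell so
# the problem is noticed at boot instead of being silently skipped.
# Globals:   CONSOLE (read, optional; passed to sulogin only when set)
#######################################
ip_spoof_protect() {
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    # printf rather than "echo -n": -n is not portable under /bin/sh.
    printf '%s' "Setting up IP spoofing protection..."
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
    echo "done."
  else
    echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single user shell on the console.  CONSOLE is passed only when
    # it is set, so an unset value does not become an empty argument.
    /sbin/sulogin ${CONSOLE:+"$CONSOLE"}
  fi
}

#######################################
# Flush the existing rules before re-adding them.  "iptables -F" alone only
# touches the filter table; the nat POSTROUTING chain is flushed as well so
# re-running this script does not stack duplicate MASQUERADE rules.
# NOTE(review): assumes this script is the only writer of nat/POSTROUTING.
#######################################
flush_rules() {
  echo Flushing Rules
  fw -F
  fw -t nat -F POSTROUTING
}

# Order matters: spoof protection first, then flush, then the rule sets.
ip_spoof_protect
flush_rules
drop_samba_netbios
firewall_adsl
client_nat_conn

# Exit non-zero if any rule failed to install, so an incomplete firewall
# does not look like success to whoever runs this at boot.
if [ "$failed" -ne 0 ]; then
  printf '%d iptables command(s) failed; firewall may be incomplete\n' "$failed" >&2
  exit 1
fi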