#! /bin/sh
#
#
# init.d/firewall
#
### BEGIN INIT INFO
# Provides:       firewall
# Required-Start: $network $syslog
# Required-Stop:
# Default-Start:  3 5
# Default-Stop:
# Description:    IPv4 packet filter and NAT for the router between eth0 (external) and eth1 (internal user LAN)
### END INIT INFO

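. /etc/rc.status
rc_reset

# --- Site parameters ----------------------------------------------------------
# eth0 faces the untrusted upstream network, eth1 the user LAN, which is
# masqueraded behind EXTERNALIP. Change these for a new site, nothing else.
# NOTE(review): only IPv4 is filtered here. If the kernel has IPv6 enabled,
# ip6tables is never touched and the host is reachable unfiltered over v6.
EXTERNALDEVICE="eth0"
EXTERNALIP="192.168.100.103"
INTERNALDEVICE="eth1"
INTERNALIP="10.3.0.1"
LOCALHOST="127.0.0.0/8"
USER_IP="10.0.0.0/8"              # the only network allowed to route through us

# Number of iptables invocations that failed during the current load; see fw().
FW_ERRORS=0

# fw ARGS...
# Runs "iptables ARGS". A rejected rule is reported on stderr and counted
# instead of being ignored, so a typo or an option the installed iptables
# does not understand cannot silently leave a hole that "start" still
# reports as success.
fw() {
    if ! iptables "$@"; then
        printf 'firewall: failed: iptables %s\n' "$*" >&2
        FW_ERRORS=$((FW_ERRORS + 1))
    fi
}

# log_and_drop CHAIN PREFIX [MATCH...]
# Appends a rate-limited LOG rule and then a DROP for the same match.
# The limit keeps a flood of unwanted packets from filling syslog / the disk.
log_and_drop() {
    chain=$1
    prefix=$2
    shift 2
    fw -A "$chain" "$@" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "$prefix"
    fw -A "$chain" "$@" -j DROP
}

# fw_start
# Installs the rule set. The order is chosen so the host is never open:
#   1. forwarding is switched off and INPUT/FORWARD are set to DROP *before*
#      the old rules are flushed (previously the policies were ACCEPT, so the
#      box was wide open between the flush and the final catch-all DROP);
#   2. rules are appended; unmatched traffic now falls through to DROP, which
#      closes the old FORWARD hole where anything to a port >= 1024 that came
#      from outside was forwarded into the LAN by the ACCEPT policy;
#   3. forwarding is re-enabled only if every rule was accepted.
# Returns 0 on success, 1 if any rule failed (the partial rule set stays in
# place, which is safe only because the policies are DROP).
fw_start() {
    echo 0 > /proc/sys/net/ipv4/ip_forward

    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT
    fw -F
    fw -X
    fw -F -t nat

    ### INPUT: traffic addressed to the router itself -------------------------
    fw -A INPUT -i lo -j ACCEPT

    # Anti-spoofing on the external interface, evaluated before the state
    # rule so a forged packet cannot ride on an existing conntrack entry:
    # sources claiming to be the user LAN or loopback, or packets not
    # addressed to our external IP, are bogus.
    log_and_drop INPUT "fw spoof: " -i "$EXTERNALDEVICE" -s "$USER_IP"
    fw -A INPUT -i "$EXTERNALDEVICE" -s "$LOCALHOST" -j DROP
    log_and_drop INPUT "fw baddst: " -i "$EXTERNALDEVICE" ! -d "$EXTERNALIP"

    # Replies to connections the router itself opened. This replaces the old
    # blanket ACCEPT of tcp/udp 1024:65535 from anywhere, which exposed every
    # high-port listener on the box to the whole world. A service on a high
    # port that must be reachable from outside now needs an explicit rule.
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services offered to specific external peers:
    # management SSH, NTP, IPsec IKE (udp/500) and ESP (protocol 50).
    fw -A INPUT -i "$EXTERNALDEVICE" -s 192.168.100.102 -d "$EXTERNALIP" -p tcp --dport 22  -j ACCEPT
    fw -A INPUT -i "$EXTERNALDEVICE" -s 192.168.100.1   -d "$EXTERNALIP" -p tcp --dport 22  -j ACCEPT
    fw -A INPUT -i "$EXTERNALDEVICE" -s 192.168.100.1   -d "$EXTERNALIP" -p udp --dport 123 -j ACCEPT
    fw -A INPUT -i "$EXTERNALDEVICE" -s 192.168.100.101 -d "$EXTERNALIP" -p udp --dport 500 -j ACCEPT
    fw -A INPUT -i "$EXTERNALDEVICE" -s 192.168.100.102 -d "$EXTERNALIP" -p udp --dport 500 -j ACCEPT
    fw -A INPUT -i "$EXTERNALDEVICE" -s 192.168.100.101 -d "$EXTERNALIP" -p 50 -j ACCEPT
    fw -A INPUT -i "$EXTERNALDEVICE" -s 192.168.100.102 -d "$EXTERNALIP" -p 50 -j ACCEPT

    # Common background noise (ident, NetBIOS) is dropped without logging.
    fw -A INPUT -i "$EXTERNALDEVICE" -d "$EXTERNALIP" -p tcp --dport 113     -j DROP
    fw -A INPUT -i "$EXTERNALDEVICE" -d "$EXTERNALIP" -p tcp --dport 137:139 -j DROP
    fw -A INPUT -i "$EXTERNALDEVICE" -d "$EXTERNALIP" -p udp --dport 137:139 -j DROP

    # Services offered to the user LAN. The interface match is new; it is
    # equivalent to before because 10/8 sources on eth0 are already dropped
    # above, but it makes the trust boundary explicit. The high-port ACCEPT is
    # kept here because this is the trusted side (e.g. a proxy on 3128).
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p icmp -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p tcp --dport 22  -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p tcp --dport 25  -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p udp --dport 53  -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p tcp --dport 110 -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p udp --dport 123 -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p udp --dport 514 -j ACCEPT
    #fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p tcp --dport 3128 -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p tcp --dport 1024:65535 -j ACCEPT
    fw -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -p udp --dport 1024:65535 -j ACCEPT

    # Everything else addressed to the router: log, then drop.
    log_and_drop INPUT "fw input: "

    ### FORWARD: traffic routed between the two networks -----------------------
    # A forged internal source arriving on the external side must never be
    # forwarded; the old rule set only checked this in INPUT.
    fw -A FORWARD -i "$EXTERNALDEVICE" -s "$USER_IP" -j DROP
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A FORWARD -s "$USER_IP" -d "$USER_IP" -j ACCEPT

    # NetBIOS never crosses the router; mail, POP/IMAP, gopher, web and SSH
    # are refused in both directions with a REJECT so clients fail fast.
    fw -A FORWARD -p tcp --dport 137:139 -j DROP
    fw -A FORWARD -p udp --dport 137:139 -j DROP
    for port in 25 109:110 143 70 80 443 22; do
        fw -A FORWARD -p tcp --dport "$port" -j REJECT
    done

    # Users may open anything not refused above; nobody else may forward.
    fw -A FORWARD -i "$INTERNALDEVICE" -s "$USER_IP" -j ACCEPT
    fw -A FORWARD -p tcp --dport 113 -j DROP
    log_and_drop FORWARD "fw forward: "

    ### NAT -----------------------------------------------------------------------
    # Only the user LAN is masqueraded; locally generated traffic already
    # carries EXTERNALIP.
    fw -t nat -A POSTROUTING -s "$USER_IP" -o "$EXTERNALDEVICE" -j MASQUERADE

    if [ "$FW_ERRORS" -eq 0 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        return 0
    fi
    printf 'firewall: %d rule(s) failed; forwarding left disabled\n' "$FW_ERRORS" >&2
    return 1
}

# fw_stop
# Removes every rule and opens all policies. Forwarding is switched off, but
# the router itself is left completely unfiltered – this is "no firewall",
# not "safe mode". Returns non-zero if any iptables call failed.
fw_stop() {
    echo 0 > /proc/sys/net/ipv4/ip_forward

    fw -F
    fw -X
    fw -F -t nat

    fw -P INPUT ACCEPT
    fw -P FORWARD ACCEPT
    fw -P OUTPUT ACCEPT

    [ "$FW_ERRORS" -eq 0 ]
}

# fw_status
# Succeeds when the rule set is loaded, detected by the INPUT policy being
# DROP (set by fw_start, cleared by fw_stop). The previous check grepped a
# non-numeric listing for the word "loopback", which relied on iptables
# resolving 127.0.0.0/8 to that name and triggered reverse lookups that can
# hang when DNS is unavailable.
fw_status() {
    iptables -L INPUT -n 2>/dev/null | grep -q '^Chain INPUT (policy DROP)'
}

case "$1" in
    start)
        printf '%s' "Starting firewall "
        fw_start
        rc_status -v
        ;;
    stop)
        printf '%s' "Shutting down firewall "
        fw_stop
        rc_status -v
        ;;
    try-restart)
        ## Restart only if the firewall is currently loaded (LSB semantics).
        $0 status >/dev/null 2>&1 && $0 restart
        rc_status
        ;;
    restart|reload|force-reload)
        ## "start" rebuilds the rule set in place behind DROP policies, so
        ## there is no reason to "stop" first – that would leave the host
        ## unfiltered for the interval between the two commands.
        $0 start
        rc_status
        ;;
    status)
        printf '%s' "Checking for firewall "
        RETURNCODE=3
        fw_status && RETURNCODE=0
        rc_failed $RETURNCODE
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
        exit 1
        ;;
esac
rc_exit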

