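#!/bin/sh
#
# iptables script for a gateway without VPN.
#
# Usage: $0 start|stop|restart
#
#   start    - load the ftp conntrack helpers, set the filter policies to
#              DROP and append the rules below. It appends to whatever is
#              already loaded, so running it twice duplicates rules; use
#              'restart' to rebuild from scratch.
#   stop     - flush every table, delete user-defined chains and reset every
#              policy to ACCEPT. This leaves the host (and anything it
#              forwards) completely unfiltered.
#   restart  - flush the tables, then install the rules again. The filter
#              policies stay DROP in between, so nothing is exposed while the
#              rule set is rebuilt.
#
# Must run as root. Addresses and interfaces are configured in section 1.
#

# Abort on references to unset variables: a misspelled variable name would
# otherwise expand to nothing and silently widen a rule (e.g. "-i" with no
# interface), which is the wrong failure mode for a firewall.
set -u

#
# Global configuration.
#
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"

#
# 1. Configuration options.
#
# Values used only by the commented-out rule templates further down are kept
# so the templates can be enabled without editing.
#
# 1.1 Local Area Network configuration.
#
LAN_IP="10.10.10.1"
LAN_IP_RANGE="10.10.10.0/24"
LAN_IFACE="eth0"
LAN_BROADCAST="10.10.10.255"

#
# 1.2 Internet configuration.
#
WAN_IP="172.16.0.10"
WAN_IFACE="eth1"
#WAN_IFACE="ppp+"
WAN_BROADCAST="172.16.0.255"

#
# 1.3 DMZ configuration.
#
DMZ_IP="10.10.20.1"
DMZ_IFACE="eth2"
DMZ_BROADCAST="10.10.20.255"
DMZ_HTTP_IP="10.10.20.10"
DMZ_FTP_IP="10.10.20.20"
DMZ_DNS_IP="10.10.20.30"

#
# 1.4 Management configuration.
#
MNG_IP="10.10.30.1"
MNG_IFACE="eth3"
MNG_BROADCAST="10.10.30.255"

#
# 1.5 Loopback configuration.
#
LO_IP="127.0.0.1"
LO_IFACE="lo"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: the message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Refuse to continue unless running as root with a usable iptables binary.
# Failing here is better than failing half-way through a rule set, which
# would leave the tables in an undefined state.
# Globals:   IPTABLES (read)
#######################################
require_root() {
  [ "$(id -u)" -eq 0 ] || die "$0: must be run as root"
  [ -x "$IPTABLES" ] || die "$0: $IPTABLES is not executable"
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf 'usage %s start|stop|restart\n' "$0" >&2
  exit 1
}

#######################################
# Load helper modules, set DROP policies and install the rule set.
# Globals:   IPTABLES, MODPROBE and the section 1 configuration (read)
# Returns:   status of the last iptables command
#######################################
start() {
  #
  # 2. Module loading.
  #
  # 2.1 Required modules (ftp needs a connection-tracking helper because the
  #     data connection is negotiated inside the control channel).
  #
  # NOTE(review): the module names are the old ip_conntrack_* family; on
  # kernels that only ship nf_conntrack_ftp/nf_nat_ftp these modprobe calls
  # fail (non-fatally) and ftp data connections are not tracked - confirm
  # against the target kernel.
  #
  "$MODPROBE" ip_conntrack_ftp
  "$MODPROBE" ip_nat_ftp

  #
  # 2.2 Non-Required modules.
  #
  #"$MODPROBE" ip_conntrack_tftp
  #"$MODPROBE" ip_conntrack_irc
  #"$MODPROBE" ip_nat_tftp
  #"$MODPROBE" ip_nat_irc

  #
  # 3. Filter table.
  #
  # 3.1 Set default policies. Everything not explicitly accepted below is
  #     dropped, in all three directions.
  #
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  #
  # 3.2 Drop fragments. "-f" matches the second and later fragments of a
  #     fragmented packet, i.e. the ones that carry no transport header.
  #
  #"$IPTABLES" -A INPUT -f -j LOG --log-prefix "iptables[fragment]:"
  "$IPTABLES" -A INPUT -f -j DROP
  #"$IPTABLES" -A FORWARD -f -j LOG --log-prefix "iptables[fragment]:"
  "$IPTABLES" -A FORWARD -f -j DROP

  #
  # 3.3 Loopback rules (allow all loopback packets).
  #
  "$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$LO_IFACE" -j ACCEPT

  #
  # 3.4 Input rules.
  #
  # 3.4.1 Allow all established and related packets.
  #
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  #
  # 3.4.2 Allow ssh for management from the LAN and MNG networks only.
  #       Nothing accepts new connections from the WAN side.
  #
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -p tcp --dport ssh --syn -m state \
    --state NEW -j ACCEPT
  "$IPTABLES" -A INPUT -i "$MNG_IFACE" -p tcp --dport ssh --syn -m state \
    --state NEW -j ACCEPT

  #
  # 3.4.3 Allow ping from the LAN, DMZ and MNG networks.
  #
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -p icmp --icmp-type echo-request -j ACCEPT
  "$IPTABLES" -A INPUT -i "$DMZ_IFACE" -p icmp --icmp-type echo-request -j ACCEPT
  "$IPTABLES" -A INPUT -i "$MNG_IFACE" -p icmp --icmp-type echo-request -j ACCEPT

  #
  # 3.4.4 Allow dhcp requests from LAN.
  #
  #"$IPTABLES" -A INPUT -i "$LAN_IFACE" -p udp --sport bootpc \
  #  --dport bootps -j ACCEPT

  #
  # 3.4.5 Allow dns requests from LAN.
  #
  #"$IPTABLES" -A INPUT -i "$LAN_IFACE" -p udp --dport domain -m state \
  #  --state NEW -j ACCEPT

  #
  # 3.4.6 In Microsoft networks you will be swamped by broadcasts. These
  #       lines keep them out of the logs.
  #
  #"$IPTABLES" -A INPUT -i "$LAN_IFACE" -d "$LAN_BROADCAST" -p udp \
  #  --dport 135:139 -j DROP
  #"$IPTABLES" -A INPUT -i "$WAN_IFACE" -d "$WAN_BROADCAST" -p udp \
  #  --dport 135:139 -j DROP
  #"$IPTABLES" -A INPUT -i "$DMZ_IFACE" -d "$DMZ_BROADCAST" -p udp \
  #  --dport 135:139 -j DROP
  #"$IPTABLES" -A INPUT -i "$MNG_IFACE" -d "$MNG_BROADCAST" -p udp \
  #  --dport 135:139 -j DROP

  #
  # 3.4.7 Dhcp requests arriving from outside our network would swamp the
  #       logs as well. This rule drops them before they get logged.
  #
  #"$IPTABLES" -A INPUT -i "$WAN_IFACE" -d 255.255.255.255 -p udp \
  #  --dport 67:68 -j DROP

  #
  # 3.4.8 A Microsoft network on the outside of the firewall may also flood
  #       us with multicast. Drop it so it does not flood the logs.
  #
  #"$IPTABLES" -A INPUT -i "$WAN_IFACE" -d 224.0.0.0/8 -j DROP

  #
  # 3.4.9 Log rules.
  #
  #"$IPTABLES" -A INPUT -j LOG --log-prefix "iptables[input]:"

  #
  # 3.5 Output rules (traffic originated by the gateway itself).
  #
  # 3.5.1 Allow all established and related packets.
  #
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  #
  # 3.5.2 Allow ftp(21).
  #
  "$IPTABLES" -A OUTPUT -p tcp --dport ftp --syn -m state --state NEW -j ACCEPT

  #
  # 3.5.3 Allow ssh(22).
  #
  "$IPTABLES" -A OUTPUT -p tcp --dport ssh --syn -m state --state NEW -j ACCEPT

  #
  # 3.5.4 Allow smtp(25).
  #
  "$IPTABLES" -A OUTPUT -p tcp --dport smtp --syn -m state --state NEW -j ACCEPT

  #
  # 3.5.5 Allow dns request(53).
  #
  "$IPTABLES" -A OUTPUT -p udp --dport domain -m state --state NEW -j ACCEPT

  #
  # 3.5.6 Allow dhcp request(67).
  #
  "$IPTABLES" -A OUTPUT -p udp --dport bootps -m state --state NEW -j ACCEPT

  #
  # 3.5.7 Allow http(80).
  #
  "$IPTABLES" -A OUTPUT -p tcp --dport http --syn -m state --state NEW -j ACCEPT

  #
  # 3.5.8 Allow https(443).
  #
  "$IPTABLES" -A OUTPUT -p tcp --dport https --syn -m state --state NEW -j ACCEPT

  #
  # 3.5.9 Allow ping.
  #
  "$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

  #
  # 3.5.10 Log rules.
  #
  #"$IPTABLES" -A OUTPUT -j LOG --log-prefix "iptables[output]:"

  #
  # 3.6 Forward rules.
  #
  # NOTE(review): nothing in this script enables net.ipv4.ip_forward, and
  # every rule in 3.6.2-3.6.4 is commented out, so as written the gateway
  # forwards nothing except replies to already-tracked flows. Confirm where
  # forwarding is meant to be switched on before enabling any of them.
  #
  # 3.6.1 Allow all established and related packets.
  #
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  #
  # 3.6.2 LAN --> WAN rules.
  #
  # 3.6.2.1 Allow ftp(21).
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp --dport ftp \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.2.2 Allow ssh(22).
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp --dport ssh \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.2.3 Allow smtp(25).
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp --dport smtp \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.2.4 Allow dns request(53).
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p udp --dport domain \
  #  -m state --state NEW -j ACCEPT

  #
  # 3.6.2.5 Allow http(80).
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp --dport http \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.2.6 Allow https(443).
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp --dport https \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.2.7 Allow ping.
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p icmp \
  #  --icmp-type echo-request -j ACCEPT

  #
  # 3.6.3 LAN --> DMZ rules.
  #
  # 3.6.3.1 Allow full access.
  #
  #"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -m state \
  #  --state NEW -j ACCEPT

  #
  # 3.6.4 DMZ <-- WAN rules (only meaningful together with the matching
  #       DNAT rules in 4.1).
  #
  # 3.6.4.1 Allow ftp(21).
  #
  #"$IPTABLES" -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p tcp --dport ftp \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.4.2 Allow dns request(53).
  #
  #"$IPTABLES" -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p tcp --dport domain \
  #  --syn -m state --state NEW -j ACCEPT
  #"$IPTABLES" -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p udp --dport domain \
  #  -m state --state NEW -j ACCEPT

  #
  # 3.6.4.3 Allow http(80).
  #
  #"$IPTABLES" -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p tcp --dport http \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.4.4 Allow https(443).
  #
  #"$IPTABLES" -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p tcp --dport https \
  #  --syn -m state --state NEW -j ACCEPT

  #
  # 3.6.5 Log rules.
  #
  #"$IPTABLES" -A FORWARD -j LOG --log-prefix "iptables[forward]:"

  #
  # 4. Nat table.
  #
  # 4.1 PREROUTING chain (port forwarding from the WAN into the DMZ).
  #
  # 4.1.1 Allow ftp(21).
  #
  #"$IPTABLES" -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport ftp \
  #  -j DNAT --to "$DMZ_FTP_IP"

  #
  # 4.1.2 Allow dns request(53).
  #
  #"$IPTABLES" -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport domain \
  #  -j DNAT --to "$DMZ_DNS_IP"
  #"$IPTABLES" -t nat -A PREROUTING -i "$WAN_IFACE" -p udp --dport domain \
  #  -j DNAT --to "$DMZ_DNS_IP"

  #
  # 4.1.3 Allow http(80).
  #
  #"$IPTABLES" -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport http \
  #  -j DNAT --to "$DMZ_HTTP_IP"

  #
  # 4.1.4 Allow https(443).
  #
  #"$IPTABLES" -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport https \
  #  -j DNAT --to "$DMZ_HTTP_IP"

  #
  # 4.2 POSTROUTING chain. SNAT for a fixed WAN address, MASQUERADE for a
  #     dynamic one (e.g. the ppp+ interface above) - enable only one.
  #
  #"$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IFACE" -j SNAT --to "$WAN_IP"
  #"$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE

  #
  # 5. Mangle table.
  #
}

#######################################
# Reset every chain policy in the filter, nat and mangle tables to ACCEPT.
# After this (and stop()) the host filters nothing at all.
# Globals:   IPTABLES (read)
#######################################
resume_all() {
  #
  # Reset the default policies in the filter table.
  #
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT

  #
  # Reset the default policies in the nat table.
  #
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT

  #
  # Reset the default policies in the mangle table.
  #
  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t mangle -P POSTROUTING ACCEPT
  "$IPTABLES" -t mangle -P INPUT ACCEPT
  "$IPTABLES" -t mangle -P OUTPUT ACCEPT
  "$IPTABLES" -t mangle -P FORWARD ACCEPT
}

#######################################
# Flush all rules and delete all user-defined chains in the filter, nat and
# mangle tables. Policies are left untouched, so a DROP policy set by start()
# keeps the host closed until resume_all() or start() runs.
# Globals:   IPTABLES (read)
#######################################
stop() {
  #
  # Flush all the rules in the filter table.
  #
  "$IPTABLES" -F

  #
  # Delete all user-defined chains in the filter table.
  #
  "$IPTABLES" -X

  #
  # Flush all the rules in the nat table.
  #
  "$IPTABLES" -t nat -F

  #
  # Delete all user-defined chains in the nat table.
  #
  "$IPTABLES" -t nat -X

  #
  # Flush all the rules in the mangle table.
  #
  "$IPTABLES" -t mangle -F

  #
  # Delete all user-defined chains in the mangle table.
  #
  "$IPTABLES" -t mangle -X
}

# Dispatch on the first argument. "${1:-}" keeps "set -u" from aborting when
# no argument is given; the usage path now goes to stderr and exits non-zero
# so init scripts and callers can detect a bad invocation.
case "${1:-}" in
  start)
    require_root
    start
    ;;
  stop)
    # Flush first (policies still DROP), then open the policies.
    require_root
    stop
    resume_all
    ;;
  restart)
    # Policies stay DROP between stop and start, so no window is opened.
    require_root
    stop
    start
    ;;
  *)
    usage
    ;;
esac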