#!/bin/sh -x

# /etc/firewall -- invoke this script from /etc/rc.d/init.d/network
# 1.00 erco 07/??/00

#echo --- FIREWALLING DISABLED ---
#exit 0

# LOCAL NETWORK
#     Names used by every rule below.
LOCALIP="192.168.0.3"           # firewall's own address on the LAN side
                                # (not referenced by any rule in this file)
LOCALNET="192.168.0.0/24"       # address range of the LAN behind the firewall
IPCHAINS=/sbin/ipchains         # the ipchains binary every rule goes through

# CLEAR ALL CHAINS
#     -F with no chain argument empties every chain (built-in and user-defined),
#     so re-running this script starts from a known state.  It removes rules
#     only; chain policies are untouched.
"$IPCHAINS" -F

# DENY ALL FORWARDING BY DEFAULT
#     Anything not explicitly masqueraded below is dropped by the forward chain.
"$IPCHAINS" -P forward DENY

# ENABLE MASQUERADE FOR 192.168.0.* -> Internet
#     Only traffic that comes from our LAN and is NOT going back to our LAN is
#     masqueraded; everything else in the forward chain falls to the DENY policy.
#
"$IPCHAINS" -A forward -s "$LOCALNET" -d ! "$LOCALNET" -j MASQ

## RESTRICTIONS ON PACKETS COMING IN FROM PPP0
##    1) Create a chain called 'ppp-in'
##    2) Send all input traffic arriving on ppp0 through ppp-in
##    3) Drop packets arriving on ppp0 that claim an internal (LAN) source
##       address -- spoofing -- and log every attempt
##    4) Allow the specific protocols listed below through
##    5) Deny (and log) everything else
##
## NOTE: TOS (Type Of Service) bits -- ipchains '-t' takes an AND mask and then
##       an XOR mask, applied to the packet's TOS byte (see RFC 1349):
##           '-t 0x01 0x10' sets "minimize delay"       -> interactive, telnet-like TCP protocols
##           '-t 0x01 0x08' sets "maximize throughput"  -> bulk data transfer protocols
##      For the kernel to route on these bits, CONFIG_IP_ROUTE_TOS must be enabled.

#
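$IPCHAINS -X ppp-in 2>/dev/null                                                 # DROP STALE COPY FROM A PREVIOUS RUN
$IPCHAINS -N ppp-in                                                             # CREATE PPP-IN CHAIN
# PPP0 -> PPP-IN.  Do not silence this one: if the jump is not installed,
# ppp0 packets never reach ppp-in and fall through to the input chain's
# policy, which this file never sets.
$IPCHAINS -A input -i ppp0 -j ppp-in \
    || echo "firewall: cannot hook ppp0 into ppp-in -- ppp0 traffic is NOT filtered by ppp-in" >&2
$IPCHAINS -A ppp-in -s "$LOCALNET"  -j DENY -l                                  # NO SPOOFING OF OUR LAN
$IPCHAINS -A ppp-in -s 127.0.0.0/8  -j DENY -l                                  # LOOPBACK SOURCE IS NEVER LEGIT ON THE LINK

# tcp_service PORT [ipchains extras...]
#   Installs two rules per TCP service:
#     1) new connections arriving on ppp0 TO PORT -- this exposes the
#        firewall's own daemon on PORT to the Internet, so delete the call
#        for any service you do not actually run here;
#     2) replies coming back FROM PORT to an unprivileged local port.
#   The reply rule carries '! -y', i.e. it refuses a bare SYN.  Without it
#   (and without the destination-port range) a remote host could open a
#   connection to ANY local port just by sending from source port PORT,
#   which is what a plain '-b' mirror rule permits.
#   Extras (e.g. '-t 0x01 0x10') are appended to both rules.
tcp_service() {
    svc_port=$1; shift
    $IPCHAINS -A ppp-in -p TCP -d 0.0.0.0/0 "$svc_port" -j ACCEPT "$@"
    $IPCHAINS -A ppp-in -p TCP -s 0.0.0.0/0 "$svc_port" -d 0.0.0.0/0 1024:65535 ! -y -j ACCEPT "$@"
}

# udp_service PORT
#   Same split for UDP: datagrams TO PORT, and replies FROM PORT to an
#   unprivileged local port.  UDP has no SYN flag, so there is no '-y' check.
udp_service() {
    $IPCHAINS -A ppp-in -p UDP -d 0.0.0.0/0 "$1" -j ACCEPT
    $IPCHAINS -A ppp-in -p UDP -s 0.0.0.0/0 "$1" -d 0.0.0.0/0 1024:65535 -j ACCEPT
}

tcp_service ftp      -t 0x01 0x10
# ftp-data (port 20): in active mode the remote SERVER opens the data
# connection, so its SYN from port 20 to our masqueraded/ephemeral port must
# be let in -- this is the one reply rule written without '! -y'.  Passive
# mode data (server high port -> client high port) matches nothing in this
# chain, as before.
$IPCHAINS -A ppp-in -p TCP -d 0.0.0.0/0 ftp-data -j ACCEPT -t 0x01 0x08
$IPCHAINS -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:65535 -j ACCEPT -t 0x01 0x08
tcp_service telnet   -t 0x01 0x10
tcp_service www      -t 0x01 0x10
tcp_service https    -t 0x01 0x10
tcp_service pop-3
tcp_service smtp
tcp_service ssh      -t 0x01 0x10
tcp_service domain
udp_service domain
tcp_service time
udp_service time
tcp_service 43                                                                  # WHOIS
tcp_service 113                                                                 # IDENT
tcp_service 119      -t 0x01 0x08                                               # NNTP/NEWS
tcp_service 554                                                                 # REALAUDIO
udp_service 554                                                                 # REALAUDIO
tcp_service 7070                                                                # REALAUDIO
udp_service 7070                                                                # REALAUDIO
$IPCHAINS -A ppp-in -p ICMP -d 0.0.0.0/0          -j ACCEPT                     # PING, ETC (every ICMP type)
# Everything else is dropped and logged.  '-l' logs each packet, so a port
# scan on ppp0 will be noisy in syslog -- drop the '-l' if that is a problem.
$IPCHAINS -A ppp-in            -d 0.0.0.0/0          -j DENY -l                 # DENY ALL ELSE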

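# ENABLE PACKET FORWARDING
#     Deliberately the last step: the forward policy (DENY), the MASQ rule and
#     the ppp-in filter are all installed before the kernel starts routing
#     between the LAN and ppp0.  A failure here is reported rather than
#     ignored -- a silently disabled ip_forward looks exactly like a broken
#     firewall to the LAN.
#
echo 1 > /proc/sys/net/ipv4/ip_forward \
    || echo "firewall: cannot write /proc/sys/net/ipv4/ip_forward -- forwarding NOT enabled" >&2

# ENABLE FTP PROXY
#     ip_masq_ftp is the masquerading helper for FTP (it tracks the data
#     connections of masqueraded FTP sessions).  insmod refuses to load a
#     module that is already resident, so on a re-run consult /proc/modules
#     first (module name is the first whitespace-delimited field).  If that
#     file is missing, 'grep -s' fails quietly and we simply try the insmod.
#
grep -qs '^ip_masq_ftp[[:space:]]' /proc/modules \
    || /sbin/insmod ip_masq_ftp \
    || echo "firewall: ip_masq_ftp not loaded -- active FTP through MASQ will not work" >&2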