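#!/bin/bash
#
# Firewall script generated by Erik Wegner
#
# Hardens the IPv4 stack via /proc/sys and loads the iptables rule set for a
# small router: two LAN segments (eth0 = 192.168.4.0/24, eth2 = 192.168.41.0/24),
# an internal link (eth1) and a dial-up uplink (ppp0). Everything that is not
# explicitly accepted is logged and dropped through the my_drop chain.
#
# Must run as root. No `set -e` on purpose: the default policies are switched
# to DROP before any rule is loaded, so aborting halfway would leave the host
# with a partial rule set; every step is best-effort and reports failures on
# stderr instead.

set -u

readonly IPT=/usr/sbin/iptables
readonly LAN0_IF=eth0
readonly LAN0_NET=192.168.4.0/24
readonly LAN2_IF=eth2
readonly LAN2_NET=192.168.41.0/24
readonly UPLINK_IF=ppp0
readonly HIGH_PORTS=1024:65535   # unprivileged client port range

#######################################
# Write a value to a /proc/sys entry. When the entry is absent (the running
# kernel may not provide it) a warning is printed and the script continues,
# matching the original best-effort behaviour.
# Arguments: $1 - /proc/sys path, $2 - value to write
#######################################
set_sysctl() {
  local path=$1 value=$2
  if [[ -w "$path" ]]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'firewall: cannot write %s\n' "$path" >&2
  fi
}

#######################################
# Anti-spoofing settings for one interface; skipped silently when the
# interface has no /proc/sys/net/ipv4/conf entry (it does not exist yet).
# Arguments: $1 - interface name
#######################################
harden_iface() {
  local iface=$1
  local base=/proc/sys/net/ipv4/conf/$iface
  [[ -d "$base" ]] || return 0
  set_sysctl "$base/rp_filter" 1            # reverse-path check on ingress
  set_sysctl "$base/accept_redirects" 0
  set_sysctl "$base/accept_source_route" 0
  set_sysctl "$base/bootp_relay" 0
  set_sysctl "$base/log_martians" 1         # log impossible source addresses
}

#######################################
# Rules shared by both LAN segments: services this host offers to the LAN
# and client traffic forwarded from the LAN to the uplink.
# Globals:   IPT, UPLINK_IF, HIGH_PORTS (read)
# Arguments: $1 - LAN interface, $2 - LAN network in CIDR notation
#######################################
lan_rules() {
  local iface=$1 net=$2
  local port

  # Replies for forwarded connections, both directions.
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED \
    -i "$iface" -o "$UPLINK_IF" -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED \
    -i "$UPLINK_IF" -o "$iface" -j ACCEPT

  # Local services: proxy (8080/tcp), SMTP (25/tcp), DNS (53/tcp+udp),
  # NTP (123/udp); only from the segment's own network.
  for port in 8080 25 53; do
    "$IPT" -A INPUT -m state --state NEW -p TCP -i "$iface" -s "$net" \
      --sport "$HIGH_PORTS" --dport "$port" -j ACCEPT
  done
  for port in 53 123; do
    "$IPT" -A INPUT -m state --state NEW -p UDP -i "$iface" -s "$net" \
      --sport "$HIGH_PORTS" --dport "$port" -j ACCEPT
  done

  # Forwarded client traffic LAN -> uplink: FTP control (21), POP3 (110),
  # POP3S (995). As in the original, no source-network match is applied here.
  for port in 21 110 995; do
    "$IPT" -A FORWARD -o "$UPLINK_IF" -i "$iface" -m state --state NEW \
      -p TCP --sport "$HIGH_PORTS" --dport "$port" -j ACCEPT
  done
  # FTP passive data. NOTE(review): this matches ANY new TCP connection from
  # the LAN to an unprivileged remote port, far more than FTP; if the FTP
  # conntrack helper is loaded, the RELATED rule above already covers passive
  # data and this rule could be removed -- confirm before tightening.
  "$IPT" -A FORWARD -o "$UPLINK_IF" -i "$iface" -m state --state NEW \
    -p TCP --sport "$HIGH_PORTS" --dport "$HIGH_PORTS" -j ACCEPT
}

#######################################
# Entry point: kernel parameters, then the complete rule set.
#######################################
main() {
  echo "firewall start..."
  /root/lpt/lpt_client 16 8   # status indicator; not part of the rule set

  # --- kernel parameters ----------------------------------------------------
  # NOTE(review): forwarding is switched OFF here although FORWARD rules are
  # loaded below; they only take effect if something else (e.g. the dial-up
  # or masquerading setup) enables ip_forward later -- confirm that is so.
  set_sysctl /proc/sys/net/ipv4/ip_forward 0
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1   # no broadcast-ping amplification
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # Per-type ICMP rate limits; these entries exist only on older kernels
  # (newer ones use icmp_ratelimit/icmp_ratemask), hence warn-and-continue.
  set_sysctl /proc/sys/net/ipv4/icmp_destunreach_rate 5
  set_sysctl /proc/sys/net/ipv4/icmp_echoreply_rate 5
  set_sysctl /proc/sys/net/ipv4/icmp_paramprob_rate 5
  set_sysctl /proc/sys/net/ipv4/icmp_timeexceed_rate 10

  local iface
  for iface in "$LAN0_IF" "$LAN2_IF" eth1 "$UPLINK_IF"; do
    harden_iface "$iface"
  done

  # --- default policies and flush -------------------------------------------
  # Policies go to DROP first so there is no window with open defaults while
  # the old rules are flushed and the new ones are loaded.
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT DROP
  "$IPT" -F           # flush all chains (filter)
  "$IPT" -t nat -F    # flush all chains (nat)
  "$IPT" -X           # delete user-defined chains (filter)

  # --- loopback -------------------------------------------------------------
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT

  # --- ssh, from LAN0 only: 192.168.4.0/24 [1024:65535] <-> eth0 [22] -------
  "$IPT" -A INPUT -i "$LAN0_IF" -s "$LAN0_NET" \
    -p TCP --sport "$HIGH_PORTS" --dport ssh \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -o "$LAN0_IF" -d "$LAN0_NET" \
    -p TCP --dport "$HIGH_PORTS" --sport ssh \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

  # --- custom chain: log by protocol, then drop ------------------------------
  "$IPT" -N my_drop
  "$IPT" -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
  "$IPT" -A my_drop -p UDP  -j LOG --log-prefix "DROP-UDP "
  "$IPT" -A my_drop -p TCP  -j LOG --log-prefix "DROP-TCP "
  "$IPT" -A my_drop -j DROP

  # --- internal routes: LAN0 <-> eth1 ----------------------------------------
  "$IPT" -A FORWARD -i "$LAN0_IF" -o eth1 \
    -s "$LAN0_NET" -d 192.168.41.0/24 -j ACCEPT
  "$IPT" -A FORWARD -i eth1 -o "$LAN0_IF" \
    -s 192.168.41.0/24 -d "$LAN0_NET" -j ACCEPT

  # Masquerading/NAT is not configured by this script. The original file
  # carried a bare usage note at this point ("masq-up <InternalInterface>
  # <ExternalInterface>", e.g. "masq-up eth0 ippp0") which bash rejects as a
  # syntax error, aborting the script before the rules below were loaded;
  # it is kept as a comment only.

  # --- replies for connections this host initiated or accepted --------------
  "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # --- per-LAN services and forwarded client traffic ------------------------
  lan_rules "$LAN0_IF" "$LAN0_NET"
  lan_rules "$LAN2_IF" "$LAN2_NET"

  # --- this host as a client on the uplink ----------------------------------
  # Upstream proxy: [1024:65535] -> ppp0 212.185.251.135 [80]
  "$IPT" -A OUTPUT -m state --state NEW \
    -p TCP -o "$UPLINK_IF" --sport "$HIGH_PORTS" \
    --dport 80 -d 212.185.251.135 -j ACCEPT
  # Upstream DNS resolvers: [1024:65535] -> ppp0 [53], udp and tcp
  local ns proto
  for ns in 212.185.251.136 194.25.2.129; do
    for proto in UDP TCP; do
      "$IPT" -A OUTPUT -p "$proto" -m state --state NEW \
        --sport "$HIGH_PORTS" -o "$UPLINK_IF" \
        --dport 53 -d "$ns" -j ACCEPT
    done
  done
  # Upstream mail relay: [1024:65535] -> ppp0 194.25.134.94 [25]
  "$IPT" -A OUTPUT -m state --state NEW \
    -p TCP -o "$UPLINK_IF" --sport "$HIGH_PORTS" \
    --dport 25 -d 194.25.134.94 -j ACCEPT
  # Outgoing ping; the original listed this rule twice, once is enough.
  "$IPT" -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT

  # --- catch-all: everything not accepted above is logged and dropped -------
  "$IPT" -A INPUT   -j my_drop
  "$IPT" -A FORWARD -j my_drop
  "$IPT" -A OUTPUT  -j my_drop

  echo "firewall ready"
  /root/lpt/lpt_client 32 8
}

main "$@"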