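#!/bin/sh
# rc.nat_firewall -- netfilter chain set for a small NAT gateway.
#
# Reads the IPv4 address of the WAN, LAN bridge, static-alias, wireless and
# (optional) PPP interfaces from ifconfig, derives each interface's /24
# network and broadcast address, then rebuilds the filter and nat tables:
# MASQUERADE for the internal networks, a DROP-by-default INPUT chain with a
# short allow-list, and an ACCEPT-by-default FORWARD chain.
#
# Requires: root, an iptables binary at $IPTABLES, and net-tools ifconfig
# (the rules below parse its 'inet addr:A.B.C.D' output line).  Rule
# failures are reported by iptables on stderr but do not stop the script.

IPTABLES=/usr/local/sbin/iptables
LOGGING=0       # 1 = prepend LOG (level 7) rules to every chain

# iface_addr DEV
#   Print the IPv4 address of interface DEV, or nothing if it has none.
#   'addr:' is 5 characters, so -c6-20 yields the dotted quad (max 15 chars).
iface_addr() {
  /sbin/ifconfig "$1" 2>/dev/null | grep 'inet addr:' | awk '{print $2}' | cut -c6-20
}

# net_prefix ADDR
#   Print the first three dotted octets of ADDR ("A.B.C").  Every interface
#   below is assumed to sit on a /24; the callers append .0/24 and .255.
net_prefix() {
  printf '%s\n' "$1" | cut -d. -f1-3
}

# warn_if_empty DEV ADDR
#   Warn on stderr when an interface has no address: the rules derived from
#   it (e.g. '-s .0/24') would be rejected by iptables further down.
warn_if_empty() {
  [ -n "$2" ] || printf 'rc.nat_firewall: warning: no IPv4 address on %s\n' "$1" >&2
}

WANDEV=eth0
WANADDR=$(iface_addr "$WANDEV")
warn_if_empty "$WANDEV" "$WANADDR"
WANNET=$(net_prefix "$WANADDR")
WANBCAST=$WANNET.255
WANNET=$WANNET.0/24

INTDEV=br0
INTADDR=$(iface_addr "$INTDEV")
warn_if_empty "$INTDEV" "$INTADDR"
INTNET=$(net_prefix "$INTADDR")
INTBCAST=$INTNET.255
INTNET=$INTNET.0/24

STATICDEV=br0:0
STATICADDR=$(iface_addr "$STATICDEV")
warn_if_empty "$STATICDEV" "$STATICADDR"
STATICNET=$(net_prefix "$STATICADDR")
STATICBCAST=$STATICNET.255
STATICNET=$STATICNET.0/24

#wireless network
AIRODEV=eth3
AIROADDR=$(iface_addr "$AIRODEV")
warn_if_empty "$AIRODEV" "$AIROADDR"
AIRONET=$(net_prefix "$AIROADDR")
AIROBCAST=$AIRONET.255
AIRONET=$AIRONET.0/24

# PPP is optional: only derive its addresses when the interface exists.
PPPDEV=ppp0
if /sbin/ifconfig -a | grep -q "$PPPDEV"; then
        echo "PPP is up"
        PPPSTAT="1"
        PPPADDR=$(iface_addr "$PPPDEV")
        warn_if_empty "$PPPDEV" "$PPPADDR"
        PPPNET=$(net_prefix "$PPPADDR")
        PPPBCAST=$PPPNET.255
        PPPNET=$PPPNET.0/24
else
        PPPSTAT="0"
fi

#################################################
#Default Policy
# Set before flushing so a reload never leaves INPUT wide open while the
# chains are being rebuilt (fail closed, not fail open).
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Flush all filters and NAT tables.
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

if [ "$LOGGING" -eq 1 ]
then
$IPTABLES -A FORWARD -j LOG --log-level 7 --log-prefix FORWARD
$IPTABLES -A INPUT -j LOG --log-level 7 --log-prefix INPUT
$IPTABLES -A OUTPUT -j LOG --log-level 7 --log-prefix OUTPUT
$IPTABLES -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix POSTROUTING
$IPTABLES -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix PREROUTING
$IPTABLES -t nat -A OUTPUT -j LOG --log-level 7 --log-prefix OUTPUT-ROUTING
fi


#Turn NAT on.
# Masquerade every internal network out of the WAN and PPP interfaces
# (the PPP rules are added even when PPP is down; they are simply idle).
for net in "$INTNET" "$STATICNET" "$AIRONET"; do
  $IPTABLES -t nat -A POSTROUTING -s "$net" -o "$WANDEV" -j MASQUERADE
done
for net in "$INTNET" "$STATICNET" "$AIRONET"; do
  $IPTABLES -t nat -A POSTROUTING -s "$net" -o "$PPPDEV" -j MASQUERADE
done

#INPUT Filter
#drop fragments & invalid packets
$IPTABLES -A INPUT -f -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP

#unclean match target (not stable in NETFILTER package)
# On kernels without the unclean match this rule fails and is skipped.
$IPTABLES -A INPUT -m unclean -j DROP

#spoofing - drop packets with our address as source, except ICMP
# NOTE: this only catches our own address.  Packets arriving on the WAN
# with an internal-network source ($INTNET, $STATICNET, $AIRONET) are not
# dropped here; consider rp_filter or explicit rules if that matters.
$IPTABLES -A INPUT -s "$WANADDR" -i "$WANDEV" -p ! ICMP -j DROP

#smurf attacks - disallow ICMP to our broadcast.
$IPTABLES -A INPUT -p icmp -i "$WANDEV" -d "$WANBCAST" -j DROP

#stop syn-flood, ping-o-death, & fast port scanning
# These three have no -i and therefore apply to every interface, PPP included.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# NOTE: these limit rules do not actually limit anything.  Packets above
# 1/s fall through to the unconditional 80,10000 ACCEPT below, so the
# limiter only changes which rule's counter increments.  A real limiter
# needs a matching DROP right after each limited ACCEPT.
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p tcp --tcp-flags ALL RST -m multiport --dports 80,10000 -j ACCEPT
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p tcp --tcp-flags ALL FIN -m multiport --dports 80,10000 -j ACCEPT
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p tcp --tcp-flags ALL SYN -m multiport --dports 80,10000 -j ACCEPT

#ICMP
# Same caveat as above: '--state NEW -p ICMP -j ACCEPT' later accepts any
# ICMP that exceeds this 1/s budget.
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -i "$WANDEV" -m limit --limit 1/s -p icmp --icmp-type 11 -j ACCEPT

#PPP protection, when it's up.
if [ "$PPPSTAT" -eq 1 ]
then
        echo "Configuring PPP interface with IPCHAIN rules."
        $IPTABLES -A INPUT -s "$PPPADDR" -i "$PPPDEV" -p ! ICMP -j DROP

        #smurf attacks - disallow ICMP to our broadcast.
        # Uses the PPP broadcast, not the WAN one (a copy-paste slip before).
        $IPTABLES -A INPUT -p icmp -i "$PPPDEV" -d "$PPPBCAST" -j DROP

        # The interface-less tcp-flags DROP rules above already cover PPP,
        # so they are not repeated here.

        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p tcp --tcp-flags ALL RST -m multiport --dports 80,10000 -j ACCEPT
        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p tcp --tcp-flags ALL FIN -m multiport --dports 80,10000 -j ACCEPT
        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p tcp --tcp-flags ALL SYN -m multiport --dports 80,10000 -j ACCEPT

        #ICMP
        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p icmp --icmp-type 0 -j ACCEPT
        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p icmp --icmp-type 3 -j ACCEPT
        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p icmp --icmp-type 4 -j ACCEPT
        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p icmp --icmp-type 8 -j ACCEPT
        $IPTABLES -A INPUT -i "$PPPDEV" -m limit --limit 1/s -p icmp --icmp-type 11 -j ACCEPT

fi

#Allowing existing connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p ICMP -j ACCEPT

#allow incoming web traffic from WAN & LANs.
# NOTE: this exposes 80 and 10000 on every interface to 0/0, including the
# UDP ports, which no web server listens on.  If 10000 is an admin service,
# restrict it to $INTDEV/$AIRODEV or a trusted source instead.
$IPTABLES -A INPUT -s 0/0 -p tcp -m multiport --dport 80,10000 -j ACCEPT
$IPTABLES -A INPUT -s 0/0 -p udp -m multiport --dport 80,10000 -j ACCEPT

#allow DNS queries from LAN
for dev in "$INTDEV" "$AIRODEV"; do
  $IPTABLES -A INPUT -i "$dev" -p tcp --dport 53 -j ACCEPT
  $IPTABLES -A INPUT -i "$dev" -p udp --dport 53 -j ACCEPT
done

#allow SMB requests from LAN
for dev in "$INTDEV" "$AIRODEV"; do
  $IPTABLES -A INPUT -i "$dev" -p tcp --dport 137:139 -j ACCEPT
  $IPTABLES -A INPUT -i "$dev" -p udp --dport 137:139 -j ACCEPT
done

#allow from lo
$IPTABLES -A INPUT -i lo -j ACCEPT
###########################################################################
#FORWARD Filter
#all forwards are allowed.
# NOTE: with FORWARD policy ACCEPT and no rules, anything routable reaches
# the internal networks.  That is only safe while those networks are
# unreachable from the WAN; if $STATICNET carries routable addresses, add
# '-m state --state ESTABLISHED,RELATED' / per-port FORWARD rules here.

#end rc.nat_firewall

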