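# may not be bash/bourne
# Linux FW iptables rules for Home Users; pmateti feb 27, 2001
#
# usage: source /etc/rc.firewall
#
# The caller must set these before sourcing (they are not defined here):
#   INTNET  - the LAN behind eth1, in CIDR form (e.g. 192.168.1.0/24)
#   PINGER  - the one outside host allowed to ping and ssh to the firewall
#   SMTP    - the LAN host allowed to initiate outgoing mail (tcp/25)
#   TCPOUT  - comma-separated list of destination tcp ports the LAN may
#             connect to (fed to -m multiport, so at most 15 entries)
#
# Interfaces are hard-wired: eth0 = internet side, eth1 = LAN side.
# No "set -e": a failed insmod (module already loaded) or a failed
# optional rule must not abort the rest of the setup.

# keep PATH during tests
# (was "/usr/bin;/usr/sbin" -- ';' is not a PATH separator, so /usr/sbin
#  was never searched)
export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
no_exit_on_failed_exec=yes

# insert the modules we need from netfilter
# ipt_limit, ipt_multiport, ipt_state and ipt_MASQUERADE back the -m limit,
# -m multiport, -m state and MASQUERADE rules below.  On a kernel with kmod
# iptables autoloads them anyway and insmod merely complains; harmless.
insmod /lib/modules/ip_tables.o
insmod /lib/modules/ip_conntrack.o
insmod /lib/modules/ip_conntrack_ftp.o
insmod /lib/modules/iptable_nat.o
insmod /lib/modules/ip_nat_ftp.o
insmod /lib/modules/ipt_LOG.o
insmod /lib/modules/ipt_mac.o
insmod /lib/modules/ipt_state.o
insmod /lib/modules/ipt_limit.o
insmod /lib/modules/ipt_multiport.o
insmod /lib/modules/ipt_MASQUERADE.o

# drop everything until firewall setup is complete: policies go to DROP
# first, then the old rules are flushed, so there is no window in which
# the box is open while we rebuild
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# The nat table only rewrites addresses; all filtering is done in the filter
# table.  A DROP policy in nat (as this file used to set, and never undid)
# discards the first packet of every new connection -- LAN ones included --
# before the filter chains ever see it.
iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT

# start from a clean slate: flush every filter chain and delete the user
# chains (logdrop, logacc, ICMP), so re-sourcing this file does not fail on
# --new and append duplicate rules; the nat table is ours as well
iptables --flush
iptables --delete-chain
iptables -t nat --flush

# every rule below depends on these; with the policies already at DROP,
# bailing out here leaves the box closed rather than half-configured
# (an unset INTNET would otherwise produce e.g. "-s ! -j DROP")
if [ -z "$INTNET" ] || [ -z "$PINGER" ] || [ -z "$SMTP" ] || [ -z "$TCPOUT" ]; then
  echo "rc.firewall: INTNET, PINGER, SMTP and TCPOUT must all be set -- all policies left at DROP" >&2
  return 1 2>/dev/null || exit 1
fi

# the firewall host talks to itself over loopback; with INPUT/OUTPUT at
# DROP and no lo rule, local daemons and the resolver cannot work
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# home host behind the fw is masqueraded (nat was flushed above, so there
# is no stale copy to delete first)
iptables -A POSTROUTING -t nat -s "$INTNET" -j MASQUERADE

# target for logging and dropping packets; -m limit (default 3/hour,
# burst 5) keeps a flood from filling the log
iptables --new logdrop
iptables -A logdrop -m limit -j LOG --log-level 5 --log-prefix "DROP "
iptables -A logdrop -j DROP

# log and accept
iptables --new logacc
iptables -A logacc -m limit -j LOG --log-level 4 --log-prefix "ACCEPT "
iptables -A logacc -j ACCEPT

# source must not be a private address when a packet arrives on the
# internet side -- for packets addressed to the firewall itself (INPUT)
# as well as for forwarded ones (previously only FORWARD was checked)
for chain in INPUT FORWARD; do
  for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 255.255.255.255/32; do
    iptables -A "$chain" -i eth0 -s "$net" -j DROP
  done
done

# at the inside nic (eth1), allow only our address as source
# (old "-s !" negation syntax kept on purpose for the iptables of the day)
iptables -A FORWARD -i eth1 -s ! "$INTNET" -j DROP
iptables -A INPUT -i eth1 -s ! "$INTNET" -j DROP

# XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j logdrop
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j logdrop

# NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j logdrop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j logdrop

# replies to connections the firewall itself accepted or initiated (ssh
# from $PINGER, our own DNS lookups).  Without this, the SYN/ACK for an
# accepted ssh session left via OUTPUT's DROP policy and the session
# never came up.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# services that should not leave the LAN
iptables -A FORWARD -p tcp --dport 136:140 -j DROP
iptables -A FORWARD -p tcp --dport 512:515 -j DROP
iptables -A FORWARD -m multiport -p tcp --sport 111,113,635,2049 -j DROP
iptables -A FORWARD -m multiport -p udp --sport 111,113,635,2049 -j DROP
iptables -A FORWARD -p tcp --dport 5899:5911 -j DROP
iptables -A FORWARD -p tcp --dport 5999:6011 -j DROP

# allow DNS traffic: forwarded lookups from the LAN, the firewall's own
# lookups (OUTPUT), and queries *to* the firewall only from the LAN side
# (this used to be open on every interface, which would expose a resolver
#  running on the firewall to the internet)
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow ssh through the firewall (no interface restriction; inbound to the
# masqueraded LAN cannot be routed anyway)
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

# from pinger, we can ssh to the firewall; the OUTPUT rule lets the
# firewall open ssh to pinger as well
iptables -A INPUT -i eth0 -s "$PINGER" -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -d "$PINGER" -p tcp --dport 22 -j ACCEPT

# no initiation of services on privileged ports of the firewall itself
iptables -A INPUT -p tcp --syn --dport :1023 -j DROP

# connections to permitted dest ports
iptables -A FORWARD -m multiport -p tcp --dport "$TCPOUT" --syn -j ACCEPT

# mail: only $SMTP may open connections to port 25
iptables -A FORWARD -p tcp --syn -s "$SMTP" --dport 25 -j ACCEPT
# NOTE(review): "! --tcp-flags SYN,ACK ACK" matches every packet that is not
# a plain ACK -- that includes a bare SYN -- so the next rule looks like it
# lets any LAN host initiate to port 25 regardless of the $SMTP restriction
# above.  Left as found; confirm the intent before relying on that
# restriction.  Both rules are subsumed by the ESTABLISHED rule further
# down for the non-SYN case.
iptables -A FORWARD -p tcp --dport 25 ! --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp -s "$INTNET" --sport 25 ! --tcp-flags SYN,ACK ACK -j ACCEPT

# drop and log every other tcp connection attempt through the firewall
# (was "--j logdrop", a typo that made this rule fail to load).  No
# interface is given, so LAN SYNs to ports outside $TCPOUT end up here too.
iptables -A FORWARD -p tcp --syn -j logdrop
# anything non-tcp the LAN starts is fine; then the usual state rule
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp policies -- this chain is reached from INPUT only, so it governs
# ICMP addressed to the firewall itself; forwarded ICMP is handled by the
# NEW/ESTABLISHED rules above
iptables --new ICMP
iptables -A INPUT -p icmp -j ICMP

# our pinger is allowed to ping us (logged); LAN hosts may ping the firewall
iptables -A ICMP -s "$PINGER" -p icmp --icmp-type echo-request -j logacc
iptables -A ICMP -p icmp -i eth1 -d 0/0 --icmp-type echo-request -j ACCEPT
iptables -A ICMP -p icmp -i eth1 -d 0/0 --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type echo-request -j DROP
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type network-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type host-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j logdrop
iptables -A ICMP -p icmp --icmp-type source-route-failed -j logacc
iptables -A ICMP -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A ICMP -p icmp --icmp-type host-unknown -j ACCEPT
iptables -A ICMP -p icmp --icmp-type network-prohibited -j logacc
iptables -A ICMP -p icmp --icmp-type host-prohibited -j logacc
iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j logacc
iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j logacc
iptables -A ICMP -p icmp --icmp-type communication-prohibited -j logacc
iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j logdrop
iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j logdrop
iptables -A ICMP -p icmp --icmp-type source-quench -j logdrop
# redirects could rewrite our routing table; log and drop all flavours
iptables -A ICMP -p icmp --icmp-type redirect -j logdrop
iptables -A ICMP -p icmp --icmp-type network-redirect -j logdrop
iptables -A ICMP -p icmp --icmp-type host-redirect -j logdrop
iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j logdrop
iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j logdrop
iptables -A ICMP -p icmp --icmp-type router-advertisement -j DROP
iptables -A ICMP -p icmp --icmp-type router-solicitation -j DROP
iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j logacc
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j logacc
iptables -A ICMP -p icmp --icmp-type parameter-problem -j logacc
iptables -A ICMP -p icmp --icmp-type ip-header-bad -j logacc
iptables -A ICMP -p icmp --icmp-type required-option-missing -j logacc
# timestamp / address-mask are reconnaissance aids; silently drop
iptables -A ICMP -p icmp --icmp-type timestamp-request -j DROP
iptables -A ICMP -p icmp --icmp-type timestamp-reply -j DROP
iptables -A ICMP -p icmp --icmp-type address-mask-request -j DROP
iptables -A ICMP -p icmp --icmp-type address-mask-reply -j DROP
iptables -A ICMP -p icmp -j DROP

# final default policies (already DROP; restated so the end state is explicit)
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP
iptables --policy INPUT DROP

# snapshot of the live ruleset for later inspection; it names $PINGER and
# the LAN layout, so keep it readable by root only
mkdir -p /var/log
iptables -L -n > /var/log/iptables.txt   # should we syslog this?
chmod 600 /var/log/iptables.txt

# -eof-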