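#!/bin/sh
# rc.DMZ -- packet filter and NAT setup for the three-legged DMZ box.
#
# Interfaces, as configured below:
#   eth0  external  ($EXT)
#   eth1  internal  ($INT)
#   eth2  DMZ       ($DMZ); the published hosts $MAIL, $DNS and $WWW sit here
#
# Every chain's default policy is DROP; whatever is allowed is listed
# explicitly.  Published DMZ services are DNATed from $EXT to the DMZ host
# in nat PREROUTING and then passed through the "allowed" chain in FORWARD.
# Must run as root: it loads modules, configures interfaces and writes to
# /proc/sys/net/ipv4.

PATH="/sbin:/usr/sbin:/bin"

# Addresses of this box's three interfaces and of the DMZ service hosts.
EXT="130.108.127.1"
INT="192.168.17.1"
DMZ="130.108.17.250"
MAIL="130.108.17.228"
DNS="130.108.17.229"
WWW="130.108.17.230"

# --- kernel modules ------------------------------------------------------
depmod -a
for mod in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
           ipt_LOG ipt_limit ipt_state; do
  modprobe "$mod"
done

# --- reset to deny-all before the interfaces come up ---------------------
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# NOTE(review): a DROP policy in the nat table discards every new connection
# that no DNAT/SNAT rule matches (e.g. LAN traffic bound for the DMZ, which
# hits neither rule below).  Confirm this is intended; the usual choice is
# ACCEPT here, with all filtering left to the filter table.
iptables -t nat --policy PREROUTING DROP
iptables -t nat --policy POSTROUTING DROP

# Interfaces are configured only after the policies are already DROP.
ifconfig eth0 "$EXT"
ifconfig eth1 "$INT"
ifconfig eth2 "$DMZ"

# Routing on, plus reverse-path filtering on every interface (kernel-side
# anti-spoofing, in addition to the explicit FORWARD rules below).
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# --- user-defined chains -------------------------------------------------
iptables -N allowed     # stateful TCP: fresh SYN or established, else drop
iptables -N badpkts     # TCP packets that are NEW but not a plain SYN
iptables -N icmpchain   # per-type ICMP policy

# badpkts: a NEW connection whose first packet is SYN,ACK is answered with a
# reset so the peer's half-open socket clears; any other NEW non-SYN packet
# is logged and dropped.
iptables -A badpkts -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A badpkts -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPT New no syn"
iptables -A badpkts -p tcp ! --syn -m state --state NEW -j DROP

# All-flags and no-flags TCP packets are dropped on INPUT and FORWARD.
iptables -A INPUT   -p tcp --tcp-flags ALL ALL  -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL  -j DROP
iptables -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# allowed: accept a fresh SYN or an established/related packet, drop the rest.
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# --- INPUT: traffic addressed to the firewall itself ---------------------
# No initiation of services on privileged ports.  This precedes the
# per-interface accepts, so it applies to LAN and DMZ clients as well.
iptables -A INPUT -p tcp --syn --dport :1023 -j DROP
iptables -A INPUT -p ICMP -i eth0 -j icmpchain
iptables -A INPUT -p ALL -i eth1 -d "$INT" -j ACCEPT
iptables -A INPUT -p UDP -i eth1 --dport 67 --sport 68 -j ACCEPT   # DHCP requests from the LAN
iptables -A INPUT -p ALL -i eth2 -d "$DMZ" -j ACCEPT
# Broadcast/multicast noise arriving on the external side, dropped unlogged.
iptables -A INPUT -p UDP -i eth0 -d 255.255.255.255 --dport 67:68 -j DROP
iptables -A INPUT -p UDP -i eth0 -d 255.255.255.255 --dport 135:139 -j DROP
iptables -A INPUT -i eth0 -d 224.0.0.0/8 -j DROP
iptables -A INPUT -p ALL -d "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rate-limited log of whatever is about to hit the DROP policy.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT pkt drop "
iptables -A INPUT -p tcp -j badpkts

# --- FORWARD: traffic between the three networks -------------------------
# Source must not be a private, loopback or broadcast address when the packet
# arrives on the external interface.  These are placed BEFORE the ssh accept
# so that a spoofed source cannot reach port 22 through the firewall.
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -s 255.255.255.255/32 -j DROP
# Allow ssh.  No -i/-o/-d, so this forwards port 22 between any two
# networks, including from the Internet to LAN and DMZ hosts.
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
# Services that should not leave the LAN.
iptables -A FORWARD -p tcp --dport 136:140 -j DROP
iptables -A FORWARD -p tcp --dport 512:515 -j DROP
iptables -A FORWARD -m multiport -p tcp --sport 111,113,635,2049 -j DROP
iptables -A FORWARD -m multiport -p udp --sport 111,113,635,2049 -j DROP
iptables -A FORWARD -p tcp --dport 5899:5911 -j DROP
iptables -A FORWARD -p tcp --dport 5999:6011 -j DROP
# DMZ -> Internet freely; Internet -> DMZ only replies, plus the published
# services matched explicitly below.
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> DMZ freely; DMZ -> LAN only replies.
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Published DMZ services; each has a matching DNAT rule in nat PREROUTING.
iptables -A FORWARD -p TCP  -i eth0 -o eth2 -d "$WWW"  --dport 80 -j allowed
iptables -A FORWARD -p ICMP -i eth0 -o eth2 -d "$WWW"  -j icmpchain
iptables -A FORWARD -p TCP  -i eth0 -o eth2 -d "$DNS"  --dport 53 -j allowed
iptables -A FORWARD -p UDP  -i eth0 -o eth2 -d "$DNS"  --dport 53 -j ACCEPT
iptables -A FORWARD -p ICMP -i eth0 -o eth2 -d "$DNS"  -j icmpchain
# SMTP to the mail host: without this the DNAT of port 25 below is dead,
# since nothing else in FORWARD accepts NEW traffic from eth0 to the DMZ.
iptables -A FORWARD -p TCP  -i eth0 -o eth2 -d "$MAIL" --dport 25 -j allowed
# Anything originated on the LAN, and replies to anything, may pass.
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD pkt drop "
iptables -A FORWARD -p tcp -j badpkts

# --- OUTPUT: traffic originated by the firewall --------------------------
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s "$INT" -j ACCEPT
iptables -A OUTPUT -p ALL -s "$EXT" -j ACCEPT
iptables -A OUTPUT -p ALL -s "$DMZ" -j ACCEPT
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT pkt drop "
iptables -A OUTPUT -p tcp -j badpkts

# --- NAT: publish DMZ services on $EXT -----------------------------------
iptables -t nat -A PREROUTING -p TCP -i eth0 -d "$EXT" --dport 80 -j DNAT --to-destination "$WWW"
iptables -t nat -A PREROUTING -p TCP -i eth0 -d "$EXT" --dport 53 -j DNAT --to-destination "$DNS"
iptables -t nat -A PREROUTING -p UDP -i eth0 -d "$EXT" --dport 53 -j DNAT --to-destination "$DNS"
# SMTP is carried over TCP; the matching FORWARD accept to $MAIL is above.
iptables -t nat -A PREROUTING -p TCP -i eth0 -d "$EXT" --dport 25 -j DNAT --to-destination "$MAIL"

# --- icmpchain: per-type ICMP policy -------------------------------------
# Echo requests are dropped (the box and the published hosts do not answer
# ping); error reports that TCP/UDP need are accepted; redirects, router
# discovery, source quench and timestamp/address-mask probes are dropped.
iptables -A icmpchain -p icmp --icmp-type echo-request -j DROP
iptables -A icmpchain -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type network-unreachable -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type host-unreachable -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type protocol-unreachable -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type port-unreachable -j ACCEPT
# NOTE(review): dropping fragmentation-needed disables path-MTU discovery for
# the hosts behind this box; confirm this is intended.
iptables -A icmpchain -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A icmpchain -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type host-unknown -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type network-prohibited -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type host-prohibited -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type TOS-network-unreachable -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type communication-prohibited -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A icmpchain -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A icmpchain -p icmp --icmp-type source-quench -j DROP
iptables -A icmpchain -p icmp --icmp-type redirect -j DROP
iptables -A icmpchain -p icmp --icmp-type network-redirect -j DROP
iptables -A icmpchain -p icmp --icmp-type host-redirect -j DROP
iptables -A icmpchain -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A icmpchain -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A icmpchain -p icmp --icmp-type router-advertisement -j DROP
iptables -A icmpchain -p icmp --icmp-type router-solicitation -j DROP
iptables -A icmpchain -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type ttl-zero-during-transit -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type ttl-zero-during-reassembly -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A icmpchain -p icmp --icmp-type timestamp-request -j DROP
iptables -A icmpchain -p icmp --icmp-type timestamp-reply -j DROP
iptables -A icmpchain -p icmp --icmp-type address-mask-request -j DROP
iptables -A icmpchain -p icmp --icmp-type address-mask-reply -j DROP
iptables -A icmpchain -p icmp -j DROP   # any ICMP type not listed above

# Everything leaving on the external interface is sourced from $EXT.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "$EXT"

# -eof-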