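#!/bin/bash
#
# /etc/init.d/firewall -- iptables policy for a two-interface NAT gateway.
#
# EXTERNAL_IF_1 (eth0) faces the Internet, INTERNAL_IF_1 (eth1) faces the
# 192.168.0.0/24 LAN. The script
#   * sets DROP default policies, then flushes the filter and nat tables,
#   * DNATs a fixed table of TCP ports on the external address to LAN hosts
#     and masquerades LAN traffic leaving the external interface,
#   * accepts a short list of services for the gateway itself, traps spoofed
#     and worm-probe traffic in the "worry" chain (rate-limited log + drop),
#     and REJECTs a list of ad-server networks for the gateway's own HTTP
#     traffic ("adbust" chain),
#   * enables IP forwarding only after the rule set is in place.
#
# Must run as root. The environment variable IPTABLES may override the
# iptables binary. Every failure path is closed: default policies are DROP
# before the first accept rule exists, an undeterminable external address
# aborts with the tables flushed, and any rule that fails to load aborts.

set -euo pipefail

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTERNAL_IF_1="eth0"
EXTERNAL_IP_1=""                  # filled in by main() from the live interface
INTERNAL_IF_1="eth1"
INTERNAL_NET_1="192.168.0.0/24"
INTERNAL_IP_1="192.168.0.1/24"    # this gateway's LAN address (informational only)

# TCP ports on the external address that are forwarded to LAN hosts.
# Each entry is "external-port target-host:target-port". The same table
# drives both the nat PREROUTING DNAT rule and the matching FORWARD accept
# rule, so the two can never drift apart.
PORT_FORWARDS=(
  "80    192.168.0.2:80"
  "81    192.168.0.3:80"
  "20    192.168.0.2:20"
  "21    192.168.0.2:21"
  "23    192.168.0.2:22"
  "24    192.168.0.3:22"
  "25    192.168.0.5:22"
  "443   192.168.0.2:443"
  "27500 192.168.0.2:27500"
  "27501 192.168.0.2:27501"
  "27502 192.168.0.2:27502"
  "27910 192.168.0.2:27910"
  "27911 192.168.0.2:27911"
  "27960 192.168.0.2:27960"
  "27961 192.168.0.2:27961"
  "27962 192.168.0.2:27962"
  "6667  192.168.0.2:6667"
)

# TCP ports (iptables range syntax) accepted for the gateway itself on
# EXTERNAL_IF_1. NOTE(review): 67:68 (DHCP) and 123 (NTP) are UDP services;
# these TCP entries are kept from the original rule set but are presumably
# ineffective -- confirm what actually listens here before widening them.
GATEWAY_TCP_PORTS=(67:68 123 20:24 80:81 119)
# UDP ports accepted for the gateway itself on EXTERNAL_IF_1. Matched without
# a destination address because DHCP arrives as broadcast.
GATEWAY_UDP_PORTS=(42 67:68)
# TCP ports whose probes are logged before being dropped (classic worm targets).
WORRY_TCP_PORTS=(135 139 445)
# Destinations REJECTed for the gateway's own outbound HTTP. iptables applies
# the mask, so a host address with /24 blocks its whole /24.
ADBUST_NETS=(
  199.95.207.0/24
  199.95.208.0/24
  64.95.65.108/24
  209.225.0.6/24
  212.62.17.142/24
  208.184.29.130/24
  206.65.183.40/24
  63.161.87.107/29
  194.126.131.100/24
  209.105.36.190/24
)

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Progress message on stdout.
#######################################
say() {
  printf '%s\n' "$*"
}

#######################################
# Run iptables; abort on failure so a half-loaded rule set is never left
# behind silently (policies are already DROP, so abort fails closed).
#######################################
ipt() {
  "$IPTABLES" "$@" || die "rule failed (exit $?): $IPTABLES $*"
}

#######################################
# Return 0 if $1 looks like a dotted-quad IPv4 address.
#######################################
is_ipv4() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
}

#######################################
# Print the first IPv4 address of interface $1, or nothing if none is found.
# Prefers iproute2; falls back to ifconfig (both the "inet addr:" and the
# "inet " output formats). Never fails -- the caller validates the result.
#######################################
detect_ipv4() {
  local ifname=$1 addr=""
  if command -v ip >/dev/null 2>&1; then
    addr=$(ip -4 -o addr show dev "$ifname" 2>/dev/null \
      | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }') || addr=""
  fi
  if [[ -z "$addr" && -x /sbin/ifconfig ]]; then
    addr=$(/sbin/ifconfig "$ifname" 2>/dev/null \
      | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }') || addr=""
  fi
  printf '%s\n' "$addr"
}

#######################################
# Fail closed: DROP policies first, then flush, delete and zero every chain
# in the filter and nat tables (the original flushed only filter, so each
# re-run appended duplicate DNAT and MASQUERADE rules).
#######################################
reset_tables() {
  local table
  say "Setting default policies to DROP."
  ipt -P INPUT DROP
  ipt -P OUTPUT DROP
  ipt -P FORWARD DROP   # was ACCEPT; forwarded traffic is now explicitly listed
  say "Flushing chains, deleting custom chains, zeroing counters."
  for table in filter nat; do
    ipt -t "$table" -F
    ipt -t "$table" -X
    ipt -t "$table" -Z
  done
  say "Creating user chains worry and adbust."
  ipt -N worry
  ipt -N adbust
}

#######################################
# worry: log (rate-limited, so a scan cannot fill the log) and drop.
#######################################
configure_worry() {
  say "Configuring worry chain."
  ipt -A worry -m limit --limit 5/min --limit-burst 20 \
    -j LOG --log-level info --log-prefix "fw-worry: "
  ipt -A worry -j DROP
}

#######################################
# adbust: reject connections to known ad servers.
#######################################
configure_adbust() {
  local net
  say "Configuring adbust chain."
  for net in "${ADBUST_NETS[@]}"; do
    ipt -A adbust -d "$net" -j REJECT
  done
  # Block Macromedia traffic from 192.168.0.3.
  # NOTE(review): adbust is only hooked into OUTPUT, which sees packets the
  # gateway itself generates, so a rule keyed on a LAN source cannot match
  # here. Hook adbust into FORWARD if LAN clients are meant to be filtered.
  ipt -A adbust -s 192.168.0.3 -d 65.57.83.12 -j REJECT
}

#######################################
# nat: DNAT the PORT_FORWARDS table and masquerade outbound LAN traffic.
#######################################
configure_nat() {
  local entry dport target
  say "Configuring port forwarding on $EXTERNAL_IF_1."
  for entry in "${PORT_FORWARDS[@]}"; do
    read -r dport target <<<"$entry"
    say "  tcp/$dport -> $target"
    ipt -t nat -A PREROUTING -i "$EXTERNAL_IF_1" -p tcp -d "$EXTERNAL_IP_1" \
      --dport "$dport" -j DNAT --to-destination "$target"
  done
  ipt -t nat -A POSTROUTING -o "$EXTERNAL_IF_1" -j MASQUERADE
}

#######################################
# INPUT: traffic addressed to the gateway itself.
#######################################
configure_input() {
  local port
  say "Configuring INPUT chain."
  say "Allowing loopback and all traffic from $INTERNAL_IF_1."
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -i "$INTERNAL_IF_1" -s "$INTERNAL_NET_1" -j ACCEPT
  say "Trapping spoofs on $EXTERNAL_IF_1."
  # Our own LAN range or loopback space arriving from the Internet is forged.
  ipt -A INPUT -i "$EXTERNAL_IF_1" -s "$INTERNAL_NET_1" -j worry
  ipt -A INPUT -i "$EXTERNAL_IF_1" -s 127.0.0.0/8 -j worry
  say "Allowing established connections."
  # Must precede the port-based drops. In the original order this rule came
  # after a blanket accept for the external address and was never reached.
  ipt -A INPUT -i "$EXTERNAL_IF_1" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Visibility into new inbound traffic; rate-limited so a flood cannot fill
  # the log (the original logged every packet on eth0 unconditionally).
  ipt -A INPUT -i "$EXTERNAL_IF_1" -m limit --limit 5/min --limit-burst 20 \
    -j LOG --log-prefix "fw-input: "
  say "Accepting UDP ${GATEWAY_UDP_PORTS[*]}, dropping other UDP below 1025."
  # NOTE(review): the original comment said "except DNS" but no rule for
  # udp/53 exists; replies to our own lookups are covered by ESTABLISHED.
  for port in "${GATEWAY_UDP_PORTS[@]}"; do
    ipt -A INPUT -i "$EXTERNAL_IF_1" -p udp --dport "$port" -j ACCEPT
  done
  ipt -A INPUT -i "$EXTERNAL_IF_1" -p udp --dport :1024 -j DROP
  say "Allowing ICMP, dropping SMTP."
  ipt -A INPUT -i "$EXTERNAL_IF_1" -p icmp -d "$EXTERNAL_IP_1" -j ACCEPT
  ipt -A INPUT -i "$EXTERNAL_IF_1" -p tcp --dport 25 -j DROP
  say "Accepting TCP ${GATEWAY_TCP_PORTS[*]} for the gateway."
  for port in "${GATEWAY_TCP_PORTS[@]}"; do
    ipt -A INPUT -i "$EXTERNAL_IF_1" -p tcp -d "$EXTERNAL_IP_1" --dport "$port" -j ACCEPT
  done
  say "Logging worm probes, dropping other TCP below 1025."
  for port in "${WORRY_TCP_PORTS[@]}"; do
    ipt -A INPUT -i "$EXTERNAL_IF_1" -p tcp -d "$EXTERNAL_IP_1" --dport "$port" -j worry
  done
  ipt -A INPUT -i "$EXTERNAL_IF_1" -p tcp --dport :1024 -j DROP
  # Everything else from the outside falls through to the DROP policy. The
  # original ended with "-d EXTERNAL_IP -j ACCEPT" here, which exposed every
  # listener above port 1024 on the gateway to the Internet. Add any such
  # port to GATEWAY_TCP_PORTS / GATEWAY_UDP_PORTS instead.
}

#######################################
# OUTPUT: traffic the gateway itself generates.
#######################################
configure_output() {
  say "Configuring OUTPUT chain."
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A OUTPUT -o "$INTERNAL_IF_1" -d "$INTERNAL_NET_1" -j ACCEPT
  # LAN addresses leaving via the external interface mean broken routing.
  ipt -A OUTPUT -o "$EXTERNAL_IF_1" -d "$INTERNAL_NET_1" -j worry
  # New outbound HTTP from the gateway passes through the ad filter first.
  ipt -A OUTPUT -o "$EXTERNAL_IF_1" -p tcp --syn --dport 80 -j adbust
  # NOTE(review): only packets sourced from the detected address are allowed
  # out; if EXTERNAL_IF_1 obtains its address via DHCP, the client's initial
  # requests from 0.0.0.0 would be dropped -- confirm how eth0 is addressed.
  ipt -A OUTPUT -o "$EXTERNAL_IF_1" -s "$EXTERNAL_IP_1" -j ACCEPT
}

#######################################
# FORWARD: LAN out, replies back in, and only the DNATed services in.
#######################################
configure_forward() {
  local entry dport target host port
  say "Configuring FORWARD chain."
  ipt -A FORWARD -i "$INTERNAL_IF_1" -o "$EXTERNAL_IF_1" -s "$INTERNAL_NET_1" -j ACCEPT
  ipt -A FORWARD -i "$EXTERNAL_IF_1" -o "$INTERNAL_IF_1" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The original relied on a FORWARD policy of ACCEPT to let DNATed
  # connections through, which also forwarded anything else that happened
  # to be routable. Accept exactly the DNAT targets instead.
  for entry in "${PORT_FORWARDS[@]}"; do
    read -r dport target <<<"$entry"
    host=${target%:*}
    port=${target##*:}
    ipt -A FORWARD -i "$EXTERNAL_IF_1" -o "$INTERNAL_IF_1" -p tcp \
      -d "$host" --dport "$port" -m state --state NEW -j ACCEPT
  done
  ipt -A FORWARD -j worry
}

#######################################
# Turn on routing only once the rule set is complete.
#######################################
enable_forwarding() {
  say "Enabling IP forwarding."
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
  printf '1\n' > /proc/sys/net/ipv4/ip_dynaddr
}

main() {
  [[ "$(id -u)" -eq 0 ]] || die "must run as root"
  [[ -x "$IPTABLES" ]] || die "$IPTABLES is not executable"
  say "Executing custom script /etc/init.d/firewall."
  reset_tables
  EXTERNAL_IP_1=$(detect_ipv4 "$EXTERNAL_IF_1")
  is_ipv4 "$EXTERNAL_IP_1" \
    || die "cannot determine the IPv4 address of $EXTERNAL_IF_1 (got '$EXTERNAL_IP_1'); tables left flushed with DROP policies"
  say "External IP 1 = $EXTERNAL_IP_1"
  configure_worry
  configure_adbust
  configure_nat
  configure_input
  configure_output
  configure_forward
  enable_forwarding
  say "Firewall loaded."
}

main "$@"

# TODO: TOS mangling ("minimum delay for web", "max throughput for ftp,
# pop3, nntp") was noted at the end of the original script but never
# implemented; no mangle-table rules exist.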