source: genesis/tools/firewall@ 3529

#! /bin/bash 
# -x
#
#

if [ "$1" != "-n" ]
then
  /bin/bash -n $0 $* || exit 1   # Check op Syntax errors!
fi
#echo Syntax $0 OK!

. /etc/wireless.conf.sh

ic='/sbin/ipchains'
nm='/usr/local/bin/netmask'

echo 0 > /proc/sys/net/ipv4/ip_forward  

PATH="/sbin:/usr/sbin:/usr/local/sbin/:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/lib/java/bin:/usr/games/bin:/usr/games:/opt/gnome/bin:/opt/kde/bin:/usr/openwin/bin";

gw=`route -n |grep '^0.0.0.0'|tr -s ' '`

if [ "$gw" != "" ]
then
 gw_if=`echo $gw|cut -d ' ' -f 8`       # gw. dev.
 def_gw=`echo $gw|cut -d ' ' -f 2`      # def. gw 
else  
  gw_if=eth0
  def_gw=99.99.99.99
   
fi
 gwif_ip=`$nm $gw_if i`
 good_net=`$nm $gw_if m`


wifs=`/sbin/ifconfig|cut -d ' ' -f 1|grep -v '^$'|grep -v $gw_if|grep -v lo`
wifs_major=`/sbin/ifconfig|cut -d ' ' -f 1|grep -v '^$'|grep -v $gw_if|grep -v lo|grep -v ':'`

wif_ip=`$nm wlan0 i`
wnet=172.16.0.0/12

tports='22 37 53 80 3128'       # ssh,time,domain,http,squid
uports='53 3130'                # domain,squid

modprobe ipchains


in="$ic -A input"
out="$ic -A output"
fw="$ic -A forward"

#modprobe ip_masq_autofw
#modprobe ip_masq_cuseeme
#modprobe ip_masq_ftp
#modprobe ip_masq_irc
#modprobe ip_masq_mfw
#modprobe ip_masq_portfw
#modprobe ip_masq_quake
#modprobe ip_masq_raudio
#modprobe ip_masq_user
#modprobe ip_masq_vdolive

$ic -F  input
$ic -F  output
$ic -F  forward


echo Default policy

$ic -P  input  REJECT
$ic -P  output ACCEPT
$ic -P  forward  DENY  # pings return 

$ic -X

######### Incoming

echo Incoming

$in -i lo -j ACCEPT

$in -s 0.0.0.0/0 bootpc -d 255.255.255.255 bootps  -p udp -j ACCEPT # DHCP op broadcast
$in -s 0.0.0.0/0 bootpc -d 255.255.255.255 bootps  -p tcp -j ACCEPT # DHCP op broadcast

$in -d 224.0.0.5 -p 89 -j ACCEPT  # OSPF
$in -d 224.0.0.6 -p 89 -j ACCEPT  # OSPF
$in -d 224.0.0.5 -p 2 -j ACCEPT  # OSPF
$in -d 224.0.0.6 -p 2 -j ACCEPT  # OSPF

for if in $wifs_major
do
  ip=`$nm $if i`
  $in -s 0.0.0.0/0 bootpc -d $ip bootps -i $if  -p udp -j ACCEPT # DHCP op eigen ip
  $in -s 0.0.0.0/0 bootpc -d $ip bootps -i $if  -p tcp -j ACCEPT # DHCP op eigen ip
  $in -s ! $wnet -i $if -j DENY -l       # Spoofing; alleen wnet ip wifs.
done

for p in $tports
do
  $in -d $gwif_ip $p -p tcp -j ACCEPT   # tports op gwif_ip
  $in -d $wif_ip  $p -p tcp -j ACCEPT   # tports op wif_ip
done

for p in $uports
do
  $in -d $gwif_ip $p -p udp -j ACCEPT   # uports op gwif_ip
  $in -d $wif_ip  $p -p udp -j ACCEPT   # uports op wif_ip
done


$in -d $good_net -s $wnet ! -y -p tcp -j ACCEPT  # established sessions

$in -d $gwif_ip ! -y -p tcp -j ACCEPT            # established sessions
for if in $wifs
do
   ip=`$nm $if i`
   $in -d $ip -s $wnet ! -y -p tcp -j ACCEPT  # established sessions
done


for if in $wifs $gw_if
do
  ip=`$nm $if i`

  $in -d $ip 53 -p udp -j ACCEPT                # named wel, 
  $in -d $ip --sport 53 -p udp -j ACCEPT        # named wel.
  # Want named source adres wordt door named gekozen afhankelijk van de if.

  $in -d $ip -p icmp -j ACCEPT                  # icmp wel.

  $in -d $ip -p 89 -j ACCEPT  # OSPF
  $in -d $ip -p 2 -j ACCEPT  # OSPF

  $in -d $ip -j REJECT -l # Vangnet
done

$in -d $wnet -j ACCEPT                           # dst wireless=okay

if [ "$gw_open" != "open" ]
then
  for if in $wifs_major
  do
        $in -d ! $good_net -s $wnet -i $if -j ACCEPT  # wel naar Internet, niet naar goodnet.
  done
fi

#$in --dport 137:139 -j REJECT # Netbios
$in -j REJECT -l # vangnet

######### Forward

echo forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward  

$fw -d $gwif_ip ! -y -p tcp -j ACCEPT            # established sessions
for if in $wifs
do
   ip=`$nm $if i`
   $fw -d $ip -s $wnet ! -y -p tcp -j ACCEPT  # established sessions
done

$fw -s $good_net -d $wnet -j MASQ       # dst wireless=okay

if [ "$gw_open" != "open" ]
then
 $fw -d ! $good_net -i $gw_if -j MASQ   # naar Internet = okay
fi

$fw -j REJECT -l # vangnet


#########


#ipchains -nxvL