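#!/bin/bash
#
# ipchains packet filter for a small LAN (eth0) behind a dial-up uplink (ippp0).
#
# Usage: $0 {start|stop|restart|reload|status}
#
#   start    flush all chains, set the policies (input REJECT, forward MASQ,
#            output REJECT) and load the rule set for every device that is
#            actually present (lo, eth0, ippp0)
#   stop     flush all chains and set every policy to ACCEPT -- this leaves
#            the host AND the LAN with no filtering at all until 'start' runs
#   restart  same as start; start already flushes and re-applies the policies,
#            so there is no need to pass through the wide-open 'stop' state
#   reload   alias for restart
#   status   list the current rules
#
# Exit status: 0 on success, 1 for a bad argument.

#location of the binary
readonly IPCHAINS="/sbin/ipchains"
#internal network: 192.168.0.1 to 192.168.0.254
readonly LAN="192.168.0.0/24"
#ip address of krypton
readonly SERVER="192.168.0.1"
#the whole internet, don't change
readonly ALL="0.0.0.0/0"
#loopback, don't change
readonly SELF="127.0.0.1"
#kernel helper that follows active-FTP data connections through MASQ
readonly FTP_MASQ_MODULE="ip_masq_ftp"

#######################################
# Succeeds (0) when the named network device is configured.
# ifconfig's complaint about a missing device is discarded on purpose:
# an absent device is expected and simply gets no rules.
# Arguments: $1 - device name (lo, eth0, ippp0)
#######################################
device_present() {
  /sbin/ifconfig "$1" > /dev/null 2>&1
}

#######################################
# lo: allow everything, but first redirect the DNS/HTTP/HTTPS service ports
# to the locally listening proxies on 5353/8080/8443.
# Globals: IPCHAINS, SELF (read)
#######################################
setup_lo() {
  echo " Setting up rules for device lo"
  #dns: redirect requests to port 5353
  # NOTE(review): '! -y' is a TCP-only (SYN) option; confirm ipchains
  # accepts it on the udp rules below rather than rejecting the rule.
  "$IPCHAINS" -A input -i lo -p tcp -d "$SELF" 53 -j REDIRECT 5353
  "$IPCHAINS" -A output -i lo -p tcp -s "$SELF" 53 -j ACCEPT ! -y
  "$IPCHAINS" -A input -i lo -p udp -d "$SELF" 53 -j REDIRECT 5353
  "$IPCHAINS" -A output -i lo -p udp -s "$SELF" 53 -j ACCEPT ! -y
  #http: redirect requests to port 8080
  "$IPCHAINS" -A input -i lo -p tcp -d "$SELF" 80 -j REDIRECT 8080
  "$IPCHAINS" -A output -i lo -p tcp -s "$SELF" 80 -j ACCEPT ! -y
  #https: redirect requests to port 8443
  "$IPCHAINS" -A input -i lo -p tcp -d "$SELF" 443 -j REDIRECT 8443
  "$IPCHAINS" -A output -i lo -p tcp -s "$SELF" 443 -j ACCEPT ! -y
  #accept all packets from and to loopback device
  "$IPCHAINS" -A input -i lo -j ACCEPT
  "$IPCHAINS" -A output -i lo -j ACCEPT
}

#######################################
# eth0 (LAN side): everything out, and from the LAN only the listed services
# in.  Packets from the LAN to non-LAN web ports are accepted here and then
# masqueraded by the forward policy.
# Globals: IPCHAINS, LAN, SERVER (read)
#######################################
setup_eth0() {
  echo " Setting up rules for device eth0"
  #allow all outgoing traffic over eth0
  "$IPCHAINS" -A output -i eth0 -j ACCEPT
  #icmp
  "$IPCHAINS" -A input -i eth0 -p icmp -j ACCEPT
  #ftp, telnet, ssh
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 20:23 -j ACCEPT
  #smtp
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 25 -j ACCEPT
  #DNS (served by the local listener on 5353)
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 53 -j REDIRECT 5353
  "$IPCHAINS" -A input -i eth0 -p udp -s "$LAN" -d "$SERVER" 53 -j REDIRECT 5353
  #www (redirect local requests to port 8080)
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 80 -j REDIRECT 8080
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" ! -d "$LAN" 80 -j ACCEPT
  #pop3
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 110 -j ACCEPT
  #allow netbios (ns, dgm, ssn), also to the LAN broadcast address
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 137:139 -j ACCEPT
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d 192.168.0.255 137:139 -j ACCEPT
  "$IPCHAINS" -A input -i eth0 -p udp -s "$LAN" -d "$SERVER" 137:139 -j ACCEPT
  #https (redirect local requests to port 8443)
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 443 -j REDIRECT 8443
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" ! -d "$LAN" 443 -j ACCEPT
  #talk, ntalk
  "$IPCHAINS" -A input -i eth0 -p udp -d "$SERVER" -s "$LAN" 517:518 -j ACCEPT
  #exec
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" -d "$SERVER" 512 -j ACCEPT
  #unprivileged ports are open inside the LAN
  "$IPCHAINS" -A input -i eth0 -p tcp -s "$LAN" 1024: -d "$SERVER" 1024: -j ACCEPT
  "$IPCHAINS" -A input -i eth0 -p udp -s "$LAN" 1024: -d "$SERVER" 1024: -j ACCEPT
}

#######################################
# ippp0 (uplink): everything out; inbound only replies on unprivileged ports
# (no new TCP connections, '! -y') plus the special cases for active FTP.
# Loads the FTP masquerading helper first.
# Globals: IPCHAINS, LAN, ALL, FTP_MASQ_MODULE (read)
#######################################
setup_ippp0() {
  echo " Setting up rules for device ippp0"
  /sbin/modprobe "$FTP_MASQ_MODULE"
  #allow all outgoing traffic over ippp0
  "$IPCHAINS" -A output -i ippp0 -j ACCEPT
  #icmp
  "$IPCHAINS" -A forward -p icmp -i ippp0 -s "$LAN" -j MASQ
  "$IPCHAINS" -A input -p icmp -i ippp0 ! -d "$LAN" -j ACCEPT
  #FTP
  "$IPCHAINS" -A forward -p tcp -i ippp0 ! -d "$LAN" 21 -j MASQ
  "$IPCHAINS" -A input -p tcp -i ippp0 ! -d "$LAN" 21 -j ACCEPT ! -y
  "$IPCHAINS" -A forward -s "$LAN" 1024: --dport 21 -p tcp -i ippp0 -j MASQ
  "$IPCHAINS" -A input -d "$ALL" 1024: --sport 21 -p tcp -i ippp0 -j ACCEPT ! -y
  # NOTE(review): unlike its neighbours this rule carries no '! -y', so it
  # also accepts NEW inbound connections from source port 20 to any
  # unprivileged port on this host.  Active-FTP data channels need that, but
  # nothing stops a remote peer from choosing source port 20; consider
  # narrowing it or relying on the ip_masq_ftp helper instead.
  "$IPCHAINS" -A input -d "$ALL" 1024: --sport 20 -p tcp -i ippp0 -j ACCEPT
  "$IPCHAINS" -A forward -s "$LAN" 1024: --dport 20 -p tcp -i ippp0 -j MASQ ! -y
  #unprivileged TCP ports: established traffic only
  "$IPCHAINS" -A forward -p tcp -i ippp0 ! -d "$LAN" 1024: -j MASQ
  "$IPCHAINS" -A input -p tcp -i ippp0 ! -d "$LAN" 1024: -j ACCEPT ! -y
  #unprivileged UDP ports (UDP has no SYN, so any inbound datagram to
  #a port >= 1024 on this host is accepted)
  "$IPCHAINS" -A forward -p udp -i ippp0 ! -d "$LAN" 1024: -j MASQ
  "$IPCHAINS" -A input -p udp -i ippp0 ! -d "$LAN" 1024: -j ACCEPT
}

#######################################
# Append a target-less logging rule to every chain.  A rule without -j only
# logs the packet and lets it fall through to the chain policy, so this
# records everything the policies finally deal with (REJECT on input and
# output, MASQ on forward).
# Globals: IPCHAINS (read)
#######################################
log_fallthrough() {
  "$IPCHAINS" -A input -l
  "$IPCHAINS" -A forward -l
  "$IPCHAINS" -A output -l
}

#######################################
# Build the complete rule set from scratch.  Policies are set right after the
# flush so the host is closed while the per-device rules are still loading.
# Globals: IPCHAINS (read)
#######################################
fw_start() {
  echo "Starting firewall"
  #flush all rules
  "$IPCHAINS" -F
  #block input and output, masquerade whatever gets forwarded
  "$IPCHAINS" -P input REJECT
  "$IPCHAINS" -P forward MASQ
  "$IPCHAINS" -P output REJECT
  ### lo, allow everything
  if device_present lo; then
    setup_lo
  fi
  ### eth0
  if device_present eth0; then
    setup_eth0
  fi
  ## ippp0
  if device_present ippp0; then
    setup_ippp0
  fi
  #log packets that reach the end of a chain
  log_fallthrough
}

#######################################
# Remove all filtering: flush, ACCEPT everywhere, unload the FTP helper.
# Globals: IPCHAINS, FTP_MASQ_MODULE (read)
#######################################
fw_stop() {
  echo -n "Shutting down firewall"
  "$IPCHAINS" -F
  "$IPCHAINS" -P input ACCEPT
  "$IPCHAINS" -P forward ACCEPT
  "$IPCHAINS" -P output ACCEPT
  /sbin/modprobe -r "$FTP_MASQ_MODULE"
}

#######################################
# Dispatch on the action word.
# Arguments: $1 - start|stop|restart|reload|status
# Returns:   exits 0 on success, 1 on an unknown action
#######################################
main() {
  case "${1-}" in
    start)
      fw_start
      ;;
    stop)
      fw_stop
      ;;
    restart|reload)
      # Deliberately NOT 'stop && start': stop would set every policy to
      # ACCEPT and leave the host and LAN unfiltered until start finished.
      # start flushes and re-applies the policies itself.
      fw_start
      ;;
    status)
      "$IPCHAINS" -L
      ;;
    *)
      echo "Usage: $0 {start|stop|restart|reload|status}"
      exit 1
      ;;
  esac
  exit 0
}

main "$@"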