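#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v1.0.12-20031102cvs
#
#  Generated Fri Nov  7 22:33:10 2003 PST by vadim
#
#  Review notes (the iptables policy rules below are reproduced exactly as
#  generated -- change them in the fwbuilder policy, not by hand):
#   * The script fails closed: the builtin chains get a DROP policy before the
#     old rule set is flushed, and any abort after that point leaves the host
#     isolated rather than open.
#   * Only the helper functions and the module loader were tightened (quoting,
#     identifier check before eval, anchored lsmod match, .o/.ko handling).
#

# log MESSAGE -- send MESSAGE to syslog at priority "info" through $LOGGER.
# Deliberately a no-op when $LOGGER is not executable, so a missing logger
# never prevents the firewall from being activated.
log() {
    test -x "$LOGGER" && "$LOGGER" -p info "$1"
}

# Counter giving every address added by add_addr a unique label
# "<dev>:FWB<n>", so a later run can remove them with "addr flush label".
va_num=1

# add_addr ADDR NETMASK DEV -- add ADDR to interface DEV unless it is already
# configured there.  POINTOPOINT links get ADDR alone; BROADCAST links get
# ADDR/NETMASK with the broadcast address derived by the kernel ("brd +").
# Any other link type (LOOPBACK, unknown) is left untouched.
add_addr() {
    addr=$1
    nm=$2
    dev=$3
    type=""
    aadd=""
    # "N: DEV: <FLAG,FLAG,...> mtu ..." -- split on ' /:,<' the fourth field
    # is the first link flag, which names the link type.
    L=$("$IP" -4 link ls "$dev" | grep "$dev:")
    if test -n "$L"; then
        OIFS=$IFS
        IFS=" /:,<"
        set -- $L
        type=$4
        IFS=$OIFS
        # "    inet A.B.C.D/NN ..." -- split on ' /' the second field is the
        # address already present, if any.
        L=$("$IP" -4 addr ls "$dev" to "$addr" | grep " inet ")
        if test -n "$L"; then
            OIFS=$IFS
            IFS=" /"
            set -- $L
            aadd=$2
            IFS=$OIFS
        fi
    fi
    # Nothing to do when the address is already on the interface.
    if test -z "$aadd"; then
        if test "$type" = "POINTOPOINT"; then
            "$IP" -4 addr add "$addr" dev "$dev" scope global label "$dev:FWB${va_num}"
            va_num=$((va_num + 1))
        fi
        if test "$type" = "BROADCAST"; then
            "$IP" -4 addr add "$addr/$nm" dev "$dev" brd + scope global label "$dev:FWB${va_num}"
            va_num=$((va_num + 1))
        fi
    fi
}

# getaddr DEV VARNAME -- store the first IPv4 address of DEV in the shell
# variable VARNAME ('' when DEV has no address).  The assignment needs eval,
# so VARNAME is first checked to be a plain identifier: anything else would
# be executed as shell code.  The value is passed to eval as "\$2", not
# interpolated, so the address text itself is never re-parsed.
getaddr() {
    dev=$1
    name=$2
    case "$name" in
        ""|[0-9]*|*[!A-Za-z0-9_]*)
            echo "getaddr: invalid variable name '$name'" >&2
            return 1
            ;;
    esac
    L=$("$IP" -4 addr show dev "$dev" | grep inet)
    if test -z "$L"; then
        eval "$name=''"
        return
    fi
    OIFS=$IFS
    IFS=" /"
    set -- $L
    # "inet A.B.C.D/NN ..." -- second field is the address.
    eval "$name=\$2"
    IFS=$OIFS
}

# getinterfaces PREFIX -- print, one per line, the names of all interfaces
# whose name begins with PREFIX (e.g. "eth" -> eth0, eth1, ...).  PREFIX is
# interpolated into a grep -E pattern, so regex metacharacters in it are
# significant; interface names coming from the fwbuilder objects are plain.
getinterfaces() {
    NAME=$1
    "$IP" link show | grep -E -- "$NAME[^ ]*: " | while read -r L; do
        OIFS=$IFS
        IFS=" :"
        set -- $L
        IFS=$OIFS
        echo "$2"
    done
}

# Absolute paths: the script runs as root from init, so it must not depend
# on PATH.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

# Refuse to run if any interface referenced by the policy is missing: rules
# bound to a non-existent interface would silently never match.
INTERFACES="eth1 eth0 lo "
for i in $INTERFACES ; do
    "$IP" link show "$i" > /dev/null 2>&1 || {
        echo "Interface $i does not exist" >&2
        exit 1
    }
done

# TCP tuning values as set in the fwbuilder host options.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# Drop stale neighbour entries and remove every address a previous run of
# this script added (they carry the "<dev>:FWB*" label), so re-running starts
# from a clean state.
"$IP" -4 neigh flush dev eth1
"$IP" -4 addr flush dev eth1 label "eth1:FWB*"
"$IP" -4 neigh flush dev eth0
"$IP" -4 addr flush dev eth0 label "eth0:FWB*"

# Set every builtin filter chain to DROP *before* flushing the old rule set,
# so there is no window in which the host runs with empty chains and ACCEPT
# policies.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Flush all chains and delete all user-defined chains in every table that is
# currently loaded (/proc/net/ip_tables_names lists them, one per line).
# "-F" / "-X" without a chain name act on the whole table, which avoids
# parsing "iptables -L" output.
while read -r table; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
done < /proc/net/ip_tables_names

# Load the connection-tracking / NAT helper modules shipped for this kernel.
# Module files are <name>.o (2.4) or <name>.ko (2.6+), possibly compressed
# (<name>.o.gz); kernel module names never contain a dot, so the name is
# everything before the first dot.  Stripping only ".o" left ".ko" names
# intact, and the later existence test then never matched, so on 2.6+ kernels
# no helper was ever loaded.  An unmatched glob expands to itself in sh,
# hence the "test -e" guard.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
MODULES=$(cd "$MODULE_DIR" 2>/dev/null && for f in *_conntrack_* *_nat_*; do
    test -e "$f" && printf '%s\n' "${f%%.*}"
done)
for module in $MODULES; do
    # Anchor the lsmod match: an unanchored grep also hits the "Used by"
    # column and any module whose name merely contains $module.
    if "$LSMOD" | grep -q "^${module}[[:space:]]"; then
        continue
    fi
    # Fail closed: the DROP policies are already in place, so aborting here
    # leaves the host isolated rather than unprotected.
    # NOTE(review): every helper (ftp, irc, ...) adds a protocol parser to
    # the kernel's exposed surface; loading all of them is wider than the
    # policy below needs.
    "$MODPROBE" "$module" || exit 1
done

log "Activating firewall script generated Fri Nov  7 22:33:10 2003 PST by vadim"

#
# Rule 0(NAT)
#
# Source-NAT LAN traffic leaving on eth1 to the external address.  NAT rules
# only rewrite addresses; whether the packet is allowed at all is still
# decided by the filter FORWARD rules below.
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j SNAT --to-source 192.0.2.1

#
# Return traffic for connections already in the conntrack table.  RELATED
# also admits expectations created by the helper modules loaded above (e.g.
# ftp data channels).
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Rule 0(eth1)
#
# Anti-spoofing rule: packets arriving on the external interface whose source
# claims to be the firewall itself or the internal LAN cannot be legitimate;
# log and drop them before any ACCEPT rule keyed on those sources can match.
#
$IPTABLES -N eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 192.0.2.1 -j eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 10.1.1.1 -j eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 10.1.1.0/24 -j eth1_In_RULE_0
$IPTABLES -A FORWARD -i eth1 -s 192.0.2.1 -j eth1_In_RULE_0
$IPTABLES -A FORWARD -i eth1 -s 10.1.1.1 -j eth1_In_RULE_0
$IPTABLES -A FORWARD -i eth1 -s 10.1.1.0/24 -j eth1_In_RULE_0
$IPTABLES -A eth1_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A eth1_In_RULE_0 -j DROP

#
# Rule 0(lo)
#
# allow everything on loopback
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#
# Rule 0(global)
#
# ssh access to firewall: only the LAN may open SSH to either firewall
# address.  Not restricted to -i eth0, but the eth1 anti-spoofing rule above
# already drops LAN-sourced packets arriving from outside.
# NOTE(review): Rule 2 below accepts every NEW connection from 10.1.1.0/24
# to the firewall, so this rule is currently subsumed by it.
#
$IPTABLES -A INPUT -p tcp -s 10.1.1.0/24 -d 192.0.2.1 --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 10.1.1.0/24 -d 10.1.1.1 --destination-port 22 -m state --state NEW -j ACCEPT

#
# Rule 1(global)
#
# firewall uses DNS server on LAN (tcp and udp 53, from either local address)
#
$IPTABLES -A OUTPUT -p tcp -s 192.0.2.1 -d 10.1.1.0/24 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 10.1.1.1 -d 10.1.1.0/24 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s 192.0.2.1 -d 10.1.1.0/24 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s 10.1.1.1 -d 10.1.1.0/24 --destination-port 53 -m state --state NEW -j ACCEPT

#
# Rule 2(global)
#
# 'masquerading' rule
# NOTE(review): only the FORWARD line is needed to let the LAN reach the
# outside.  The INPUT line also accepts any NEW connection from a
# 10.1.1.0/24 source to the firewall itself on every port, and the OUTPUT
# line lets the firewall originate anything from its LAN address.  If the
# intent is LAN-to-Internet only, narrow this rule in the fwbuilder policy.
#
$IPTABLES -A INPUT -s 10.1.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 10.1.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 10.1.1.0/24 -m state --state NEW -j ACCEPT

#
# Rule 3(global)
#
# 'catch all' rule: everything not matched above is logged and dropped.  The
# DROP policies would discard it anyway; the LOG is what this chain adds.
# NOTE(review): the LOG target has no "-m limit", so a flood of unmatched
# packets yields one syslog line per packet; consider enabling rate limiting
# in the fwbuilder logging options.
#
$IPTABLES -N RULE_3
$IPTABLES -A OUTPUT -j RULE_3
$IPTABLES -A INPUT -j RULE_3
$IPTABLES -A FORWARD -j RULE_3
$IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY "
$IPTABLES -A RULE_3 -j DROP

#
# Enable routing between interfaces only now that the complete rule set is
# in place.
#
echo 1 > /proc/sys/net/ipv4/ip_forward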