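#!/bin/sh
#
# Tim's firewalling script with iptables.
# Assumes a 10/8 LAN on eth0 and a dialup IP on ppp0.
#
# Layout: INPUT and FORWARD both jump to one user chain, "block", which
# accepts known-good traffic and sends everything else to "DLOG" (log,
# then drop).  Must run as root; the ruleset is not persistent and has to
# be re-applied after every reboot.

# Abort on the first failing command so a half-built ruleset is never
# left in place silently; -u turns a mistyped variable name into an error.
set -eu

# Prefer the system's own iptables/modprobe over anything earlier in the
# caller's PATH.
PATH=/sbin:$PATH
export PATH

# Connection tracking and NAT helpers.  Module names differ between kernel
# generations (ip_conntrack vs nf_conntrack), so a failed modprobe is
# reported rather than fatal; if tracking is genuinely unavailable the
# "-m state" rules below should fail and abort the script instead.
for mod in ip_conntrack ip_conntrack_ftp iptable_nat; do
  modprobe "$mod" || printf 'warning: modprobe %s failed\n' "$mod" >&2
done

# Close INPUT and FORWARD by default *before* flushing, so the host is
# never wide open while the rules are rebuilt, nor if a later command
# aborts the script.  OUTPUT keeps its default policy (ACCEPT).  In the
# finished ruleset these policies are never reached: "block" ends in DLOG.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Flush every table we touch and delete user-defined filter chains.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

## User-defined chains
# "block": shared by INPUT and FORWARD.
iptables -N block
# "DLOG": log a packet, then drop it.
iptables -N DLOG

# Drop packets that connection tracking cannot classify (malformed or
# out-of-state) — the original "anti-spoofing" rule.
iptables -A block -m state --state INVALID -j DLOG

# Replies and related traffic of connections that were already allowed.
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback traffic is always allowed.
iptables -A block -i lo -j ACCEPT

# The LAN on eth0.
# NOTE(review): the header describes the LAN as 10/8, but this rule admits
# only 10.0.0.0/16 — kept as written; confirm which is intended.
iptables -A block -s 10.0.0.0/16 -i eth0 -j ACCEPT

# Publicly offered services: one ACCEPT line per port.
iptables -A block -p tcp --destination-port 22 -j ACCEPT

# identd: answer with a TCP reset so remote servers give up at once
# instead of waiting for a timeout.
iptables -A block -p tcp --destination-port 113 -j REJECT \
         --reject-with tcp-reset

# Anything not matched above is logged and dropped.
iptables -A block -j DLOG

# The DLOG (log + drop) chain.
# NOTE(review): this LOG rule is unrated; putting `-m limit --limit 5/min`
# in front of it would keep a packet flood from filling the logs.
iptables -A DLOG -j LOG --log-prefix="catch-all " --log-tcp-options \
         --log-ip-options
iptables -A DLOG -j DROP

## Hook the "block" chain into INPUT and FORWARD.
iptables -A INPUT -j block
iptables -A FORWARD -j block

# ## set up masquerading as well
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#
# ## Turn on IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward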
