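#!/bin/sh
# pakmans script made for a dialup router.
# can be adapted for other uses.
#
#       This basically does NAT translation for a LAN
#       setup in 192.168.0.0/24 and has some port-forwarding
#       available.
#
#       Security notes for whoever adapts this:
#         - INPUT and FORWARD are default-deny.  The router itself only
#           accepts replies to connections it opened, traffic from the
#           LAN, and whatever you explicitly open with open_tcp below.
#           If you administer the router over ssh from the Internet,
#           uncomment the "open_tcp 22" line or you will lock yourself
#           out when this script runs.
#         - Port forwards go through forward_tcp, which installs both
#           the DNAT rule and the matching FORWARD accept.  Every such
#           line exposes an internal host to the whole Internet.
#         - The SYN rate limit only has teeth because the excess is
#           explicitly dropped; an ACCEPT-with-limit rule followed by an
#           ACCEPT policy never drops anything.
#
#       feel free to edit/redistribute/cat >/dev/null

# Abort on the first failed command and on any unset variable: a
# half-applied ruleset is worse than stopping with an error.
set -eu

# Can be overridden from the environment (e.g. for a dry run).
IPTABLES=${IPTABLES:-/sbin/iptables}

# External (Internet-facing) interface
EXT_IF="eth0"

# Local network IP range
LAN_IP="192.168.0.0/24"

# ---------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------

# open_tcp PORT
#   Allow new TCP connections from the Internet to a service running on
#   the router itself.  Use sparingly; every port opened here is reachable
#   by anyone on the Internet.
open_tcp() {
  $IPTABLES -A INPUT -i "$EXT_IF" -p tcp --dport "$1" \
    -m state --state NEW -j ACCEPT
}

# forward_tcp EXT_PORT INT_HOST [INT_PORT]
#   DNAT TCP connections arriving on EXT_IF:EXT_PORT to INT_HOST:INT_PORT
#   (INT_PORT defaults to EXT_PORT) and accept the forwarded flow in
#   FORWARD.  FORWARD sees the post-DNAT destination, hence "-d INT_HOST".
forward_tcp() {
  fwd_int_port=${3:-$1}
  $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$1" \
    -j DNAT --to-destination "$2:$fwd_int_port"
  $IPTABLES -A FORWARD -i "$EXT_IF" -p tcp -d "$2" --dport "$fwd_int_port" \
    -m state --state NEW -j ACCEPT
}

# ---------------------------------------------------------------------
# Kernel setup
# ---------------------------------------------------------------------

# Uncomment this for dynamic (dial-up) IPs only.
#echo "5"  >/proc/sys/net/ipv4/ip_dynaddr

# Routing between interfaces is off by default; without it the
# FORWARD/MASQUERADE rules below never see a packet.  Harmless if it is
# already enabled elsewhere.
echo "1" >/proc/sys/net/ipv4/ip_forward

# Ignore all ICMP echo requests (note: this also hides the router from
# pings on the LAN) and never answer broadcast pings.
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# SYN cookies keep the listen queues usable under a SYN flood.
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
# Log packets with impossible source addresses.
echo "1" >/proc/sys/net/ipv4/conf/all/log_martians

# Reverse-path filtering on every interface (the glob includes "all"):
# drop packets whose source would not be routed back out the interface
# they arrived on, i.e. most spoofed packets.
for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$rpf"
done

# ---------------------------------------------------------------------
# Filter rules
# ---------------------------------------------------------------------

# Policies first, so the flush below leaves the box closed rather than
# open if anything later in this script fails.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING

# Loopback is always fine.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop packets coming in on EXT_IF with a spoofed LAN source address.
# rp_filter should already catch these; keep an explicit rule anyway so
# the firewall does not depend on the sysctl having taken effect.
$IPTABLES -A INPUT   -i "$EXT_IF" -s "$LAN_IP" -j DROP
$IPTABLES -A FORWARD -i "$EXT_IF" -s "$LAN_IP" -j DROP

# Drop packets the connection tracker cannot classify, before any ACCEPT
# rule gets a chance to let them through.
$IPTABLES -A INPUT   -i "$EXT_IF" -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i "$EXT_IF" -m state --state INVALID -j DROP

# Replies to connections the router or the LAN opened.
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment to stop the LAN from sending ICMP (e.g. pings) to the outside;
# it must stay above the LAN accept rule below to have any effect.
#$IPTABLES -A FORWARD ! -i "$EXT_IF" -p icmp -j DROP

# The LAN may talk to the router and to the outside world.  The interface
# match stops a LAN-sourced packet arriving from the Internet from being
# treated as local.
$IPTABLES -A INPUT   ! -i "$EXT_IF" -s "$LAN_IP" -j ACCEPT
$IPTABLES -A FORWARD ! -i "$EXT_IF" -s "$LAN_IP" -j ACCEPT

# Rate-limit new TCP connections from the Internet to the router itself:
# at most 2 per second (default burst 5).  SYNs within the limit RETURN
# to INPUT and continue to the service rules; the excess is dropped.
$IPTABLES -N syn_limit 2>/dev/null || $IPTABLES -F syn_limit
$IPTABLES -A syn_limit -m limit --limit 2/s -j RETURN
$IPTABLES -A syn_limit -j DROP
$IPTABLES -A INPUT -i "$EXT_IF" -p tcp --syn -j syn_limit

# Services on the router reachable from the Internet.  Nothing is open by
# default, so the old opt-in DROP lines for sendmail submission (587),
# snmp (161/udp) and syslog (514/udp) are no longer needed.
#open_tcp 22      # ssh to the router itself

# ---------------------------------------------------------------------
# NAT
# ---------------------------------------------------------------------

# Masquerade only LAN traffic leaving through EXT_IF.  Matching on the
# source and outgoing interface keeps the rule from rewriting traffic
# from any other source or out any other interface.
$IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_IP" -j MASQUERADE

# ---------------------------------------------------------------------
# Port forwarding
# ---------------------------------------------------------------------
# forward_tcp EXT_PORT INT_HOST [INT_PORT]; see the helper above.

# ident (113) from the outside world to an internal workstation
#forward_tcp 113 192.168.0.1

# ssh to 192.168.0.2
#forward_tcp 22 192.168.0.2

# smtp to 192.168.0.2
#forward_tcp 25 192.168.0.2

# port 16699 to 192.168.0.1; I use this for irc dcc sends along with the
# bitchx patch to set dcc_port at www.unixhead.org/docs/bx.txt
#forward_tcp 16699 192.168.0.1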

