#!/bin/sh
#
# yaff 0.1 (c) 2001 written by pakman / modification and cleaning up by stime
#	more cleaning up by pakman when he noticed this on his site :)
#############################################################################
#
# script with stateful bits to do nat
#
###############################################################################
#
# config stuff you need to edit these!
#
INTERFACE="eth0"     # set this to your external (internet) interface
DENYMETHOD="DROP"    # deny target used by the rules below: DROP or REJECT
                     # (DENY was an ipchains target; iptables has no such target)
SYNFLUD="3"          # synflood protection max. x connects per second (keep +1);
                     # passed to "-m limit --limit N/s", the burst is the iptables default
MASQ="192.168.1.0/8" # define your ranges to apply masquerading on (aka nat)
                     # NOTE(review): with a /8 mask iptables treats this as 192.0.0.0/8,
                     # far more than one LAN; for a 192.168.1.x LAN use 192.168.1.0/24
IPTABLES=/sbin/iptables  # path of the iptables binary; nothing below works without it
#
##############################################################################

##############################################################################
#
# firewall script itself, only edit if you know what you are doing.
#
################################################################################
#
# flush tables
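# refuse to continue when the iptables binary is missing or not executable;
# there is no "set -e" in this script, so every later rule would otherwise
# fail one by one and leave the host with whatever ruleset it had before
if [ ! -x "$IPTABLES" ]; then
  printf '%s: iptables not found or not executable at %s\n' "$0" "$IPTABLES" >&2
  exit 1
fi
# start from an empty filter table: flush every chain, then delete user chains
"$IPTABLES" -F
for chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -F "$chain"
done
"$IPTABLES" -F -t mangle
"$IPTABLES" -X
"$IPTABLES" -F -t nat
# also drop any stale user chains in nat/mangle so a re-run is idempotent
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X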

# create dump table
#
# user chain DUMP: terminal deny for everything STATEFUL does not accept.
# "-N" fails if the chain already exists; the redirect only hides stdout, an
# "already exists" message still goes to stderr.  "-F" empties the chain so
# the rules are not appended twice when the script is re-run.
$IPTABLES -N DUMP > /dev/null
$IPTABLES -F DUMP
# TCP is answered with a RST so clients get "connection refused" instead of a
# timeout; this also makes it visible that the host is up (DROP would be silent)
$IPTABLES -A DUMP -p tcp -j REJECT --reject-with tcp-reset
# UDP and every other protocol is silently dropped (the udp rule is redundant
# with the catch-all right after it)
$IPTABLES -A DUMP -p udp -j DROP
$IPTABLES -A DUMP -j DROP

# stateful table
#
# user chain STATEFUL: connection-tracking policy for packets that arrive on
# the external interface (INPUT jumps here as its last rule)
$IPTABLES -N STATEFUL > /dev/null
$IPTABLES -F STATEFUL
# replies to connections this host or the LAN opened are always allowed
$IPTABLES -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections are allowed only when they did NOT come in on the external
# interface.  "-i ! X" is the old intrapositioned negation; current iptables
# expects "! -i X" and warns about (or may reject) this form
$IPTABLES -A STATEFUL -m state --state NEW -i ! $INTERFACE -j ACCEPT
# anything else (new connections from the internet, untracked packets) is denied
$IPTABLES -A STATEFUL -j DUMP
# redundant: the built-in chains were already flushed at the top of the script
$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
# default policies stay ACCEPT, so filtering relies entirely on the explicit
# rules below; packets on interfaces other than $INTERFACE are never sent to
# STATEFUL and are accepted by policy.  No "-P FORWARD" is set, so FORWARD
# keeps its previous policy (the explicit deny at the end of FORWARD covers it).
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT

# loopback rules
#
# loopback traffic is unconditionally allowed in both directions
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# synflood protection
#
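# rate-limit new inbound TCP connections from the internet.  The limiter lives
# in its own chain so that SYNs under the limit RETURN to INPUT and continue
# through the normal checks (bogon filter, port rules, STATEFUL).  A plain
# "-m limit ... -j ACCEPT" rule directly in INPUT would instead accept up to
# $SYNFLUD new connections per second to *every* TCP port, bypassing the
# STATEFUL default deny and making the "uncomment to open ports" section moot.
"$IPTABLES" -N SYNFLOOD > /dev/null
"$IPTABLES" -F SYNFLOOD
"$IPTABLES" -A SYNFLOOD -m limit --limit "$SYNFLUD/s" -j RETURN
"$IPTABLES" -A SYNFLOOD -j "$DENYMETHOD"
"$IPTABLES" -A INPUT -i "$INTERFACE" -p tcp --syn -j SYNFLOOD
# outbound and forwarded SYNs are accepted while under the limit; above it they
# just fall through to the later rules of their chain, so these two lines do
# not actually throttle anything -- they only short-circuit the rule walk.
$IPTABLES -A OUTPUT -p tcp --syn -m limit --limit $SYNFLUD/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit $SYNFLUD/s -j ACCEPT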

# icmp block
#
# ICMP: never forward ICMP coming from the internet into the LAN ("-s 0/0"
# means "any source" and is redundant).  NOTE(review): this also blocks
# fragmentation-needed errors towards LAN hosts, i.e. it breaks path-MTU
# discovery for them -- consider allowing destination-unreachable on FORWARD.
# On INPUT only three types are accepted statelessly; every other ICMP type
# from the external interface falls through to STATEFUL, which keeps it only
# when conntrack marks it ESTABLISHED/RELATED.  echo-reply is accepted even
# when unsolicited.
$IPTABLES -A FORWARD -i $INTERFACE -p icmp -s 0/0 -j $DENYMETHOD
$IPTABLES -A INPUT -i $INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT

# block alien lans on the external interface
#
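# source addresses that must never arrive on the internet side: RFC 1918
# private space, loopback, link-local, "this network", multicast/reserved and
# the IETF test / benchmark nets (RFC 6890).  The 2001-era list of
# then-unallocated blocks (1/8, 2/8, 5/8, 23/8, 27/8, 31/8, 67/8 through 126/8,
# 128.0/16, 197/8, 201/8, ...) is gone: those have since been allocated and are
# in normal use, so filtering them cuts off large parts of the internet.
# 100.64.0.0/10 is carrier-grade NAT space -- remove it if your upstream
# hands out such addresses.  Edit BOGON_NETS to add or drop ranges; one
# network per line, CIDR notation.
BOGON_NETS="
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
"
# shellcheck disable=SC2086 -- word splitting on whitespace is intended here
for net in $BOGON_NETS; do
  "$IPTABLES" -A INPUT -i "$INTERFACE" -s "$net" -j DUMP
done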

# block sendmail message port
#
$IPTABLES -A INPUT -p tcp --dport 587 -j $DENYMETHOD

# initialize masq/nat
#
# masquerade (SNAT to the outgoing interface's address) everything that is
# not destined for the MASQ range.  "-d ! X" is the old intrapositioned
# negation; current iptables expects "! -d X".  There is no "-o $INTERFACE"
# and no "-s $MASQ" restriction, so packets leaving on any interface towards a
# non-MASQ destination are rewritten, the host's own included.
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -A POSTROUTING -d ! $MASQ -j MASQUERADE
# forward anything from or to the MASQ range, deny all other transit traffic.
# Replies to LAN connections pass via the "-d $MASQ" rule, not via state
# tracking, so any internet host can reach a LAN address that is routable to
# this box.  Note that /proc/sys/net/ipv4/ip_forward is not enabled anywhere
# in this script -- it must be set elsewhere or nothing is forwarded.
$IPTABLES -A FORWARD -s $MASQ -j ACCEPT
$IPTABLES -A FORWARD -d $MASQ -j ACCEPT
$IPTABLES -A FORWARD -j $DENYMETHOD

# port forwarding (DNAT) examples, all disabled.  NOTE(review): "-d" takes an
# IP address, not an interface name, so "-d $INTERFACE" as written will not
# load; use "-i $INTERFACE" (optionally with "-d <your-external-ip>") instead.
# A forwarded port also needs a matching ACCEPT in FORWARD; the "-d $MASQ"
# rule above provides that when the target is inside the MASQ range.
#$IPTABLES -t nat -F PREROUTING
#napster
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INTERFACE --dport 6699 -j DNAT --to 192.168.0.1:6699
#smtp
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INTERFACE --dport 25 -j DNAT --to 192.168.0.2:25
#auth
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INTERFACE --dport 113 -j DNAT --to 192.168.0.1:113 
#camarades
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INTERFACE --dport 2049 -j DNAT --to 192.168.0.5

# setup kernel options (ping block, broadcast block and synflood protection)
#
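# kernel knobs: ignore all echo requests (this also stops LAN hosts from
# pinging this box), ignore broadcast pings, answer SYN floods with
# syncookies, and ignore malformed ICMP error replies.  Each write is guarded
# so a kernel that lacks a knob (e.g. built without syncookie support) gives
# a clear warning instead of a bare shell redirection error.
# NOTE(review): /proc/sys/net/ipv4/ip_forward is not enabled here although the
# script does NAT; presumably it is set elsewhere -- confirm.
for knob in \
  /proc/sys/net/ipv4/icmp_echo_ignore_all \
  /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \
  /proc/sys/net/ipv4/tcp_syncookies \
  /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
do
  if [ -e "$knob" ]; then
    echo 1 > "$knob"
  else
    printf '%s: warning: %s not present in this kernel, skipping\n' "$0" "$knob" >&2
  fi
done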

# block spoofed packets on wrong interface
#
# enable reverse-path filtering on every interface: packets whose source
# address would not be routed back out the same interface are dropped by the
# kernel.  The "all" entry is checked first so the glob is known to match.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
 for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 > $i
 done
fi

# drop  invalid packets
# deny TCP packets from the internet that conntrack cannot associate with any
# known connection (state INVALID).  Only TCP and only the external interface
# are covered; like the 587 rule this comes after the synflood ACCEPT, so SYNs
# accepted there are never examined here.
$IPTABLES -A INPUT -i $INTERFACE -p TCP  -m state --state INVALID -j $DENYMETHOD

# uncomment to give one host full TCP access to our services (on any
# interface) -- replace the address with the host you actually want to allow
#$IPTABLES -A INPUT -p tcp -s 212.202.233.181 -j ACCEPT

# uncomment to open ports on the external interface (ident, ssh, https, http).
# Keep these above the STATEFUL jump: once a packet reaches STATEFUL, a new
# inbound connection is denied.
#
#$IPTABLES -A INPUT -p tcp -i $INTERFACE --dport 113 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -i $INTERFACE --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -i $INTERFACE --dport 443 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -i $INTERFACE --dport 80 -j ACCEPT


# everything else arriving on the external interface goes through STATEFUL
# (established/related accepted, new connections handed to DUMP).  Packets on
# other interfaces do not match this rule and are accepted by the INPUT policy.
$IPTABLES -A INPUT -i $INTERFACE -j STATEFUL

