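#!/bin/bash
#
# rc.firewall-2.4 -- iptables ruleset for a small two-interface NAT/MASQ
# gateway.  INTERNAL_INT faces the LAN (INTERNAL_NET); EXTERNAL_INT faces the
# upstream network.  The default policy on INPUT, OUTPUT and FORWARD is DROP,
# so only the rules loaded below permit any traffic.  Must be run as root.
#
# Usage:  rc.firewall-2.4        (no arguments; edit the variables below)
#
# Deliberately no 'set -e': some steps (the /proc/sys writes, the cleanup of
# our own chain) are allowed to fail on a given kernel, and aborting half-way
# would leave the machine with DROP policies and no ACCEPT rules at all.
set -u -o pipefail

readonly INTERNAL_NET="192.168.2.0/24"
readonly INTERNAL_INT="eth0"
readonly EXTERNAL_INT="eth1"
readonly ANYWHERE="0.0.0.0/0"
readonly FWVER="HTC-jeremy_anderson-2.0"

readonly IPTABLES=/sbin/iptables
readonly IFCONFIG=/sbin/ifconfig
readonly GREP=/bin/grep
readonly AWK=/bin/awk
readonly SED=/bin/sed

#######################################
# Print a message to stderr and abort.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the IPv4 address of an interface, parsed from the
# "inet addr:A.B.C.D" line of net-tools ifconfig output.  Prints nothing
# if the interface is down or ifconfig uses a different output format
# (newer net-tools print "inet A.B.C.D" -- verify on this host).
# Arguments: $1 - interface name
# Outputs:   the address on stdout
#######################################
iface_ip() {
  local iface=$1
  "$IFCONFIG" "$iface" | "$GREP" 'inet addr' | "$AWK" '{print $2}' | "$SED" -e 's/.*://'
}

#######################################
# Write a value to a /proc/sys/net/ipv4 knob, warning instead of failing
# when the knob does not exist on this kernel.
# Arguments: $1 - knob name (file under /proc/sys/net/ipv4)
#            $2 - value to write
#######################################
set_ipv4_knob() {
  local knob=/proc/sys/net/ipv4/$1
  local value=$2
  if [[ -w "$knob" ]]; then
    printf '%s\n' "$value" > "$knob"
  else
    printf 'warning: %s not available on this kernel, skipping\n' "$knob" >&2
  fi
}

EXTERNAL_IP=$(iface_ip "$EXTERNAL_INT")
INTERNAL_IP=$(iface_ip "$INTERNAL_INT")
# Refuse to touch the firewall at all if either address is unknown: an empty
# value would otherwise yield malformed '-s'/'-d' arguments, the affected
# rules would not load, and the DROP policies would lock the host out.
[[ -n "$EXTERNAL_IP" ]] || die "could not determine the IPv4 address of $EXTERNAL_INT"
[[ -n "$INTERNAL_IP" ]] || die "could not determine the IPv4 address of $INTERNAL_INT"
readonly EXTERNAL_IP INTERNAL_IP

set_ipv4_knob ip_forward 1

printf 'loading IPTABLES rules\n\n'
printf ' External Interface: %s\n' "$EXTERNAL_INT"
printf ' Internal Interface: %s\n' "$INTERNAL_INT"

echo " enabling DynamicAddr.."
set_ipv4_knob ip_dynaddr 1
echo " enabling ip_always_defrag.."
set_ipv4_knob ip_always_defrag 1

echo " Clearing any existing rules and setting default policy to DROP.."
for chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -P "$chain" DROP
  "$IPTABLES" -F "$chain"
done
"$IPTABLES" -F -t nat
# Our own chain only exists after a previous run; -n avoids DNS lookups.
if "$IPTABLES" -n -L drop-and-log-it >/dev/null 2>&1; then
  "$IPTABLES" -F drop-and-log-it
fi
# Delete all user-specified chains, then reset all counters.
"$IPTABLES" -X
"$IPTABLES" -Z

echo " Creating a DROP chain.."
"$IPTABLES" -N drop-and-log-it
# Logging was turned off because it filled the logfiles; re-enable the LOG
# target below (before the DROP) if you need visibility again.
#"$IPTABLES" -A drop-and-log-it -j LOG --log-level warn
"$IPTABLES" -A drop-and-log-it -j DROP

printf '\n - Loading INPUT rulesets\n'

# loopback interfaces are valid.
"$IPTABLES" -A INPUT -i lo -s "$ANYWHERE" -d "$ANYWHERE" -j ACCEPT

# local interface, local machines, going ANYWHERE is valid
"$IPTABLES" -A INPUT -i "$INTERNAL_INT" -s "$INTERNAL_NET" -d "$ANYWHERE" -j ACCEPT

# remote interface, claiming to be local machines: IP spoofing, get lost
"$IPTABLES" -A INPUT -i "$EXTERNAL_INT" -s "$INTERNAL_NET" -d "$ANYWHERE" -j drop-and-log-it

# Allow any related traffic coming back to the MASQ server in
"$IPTABLES" -A INPUT -i "$EXTERNAL_INT" -s "$ANYWHERE" -d "$EXTERNAL_IP" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server.
# As of 4/15/2004 this machine was NOT functioning as the DHCP server
# for the networking rooms.
#"$IPTABLES" -A INPUT -i "$INTERNAL_INT" -p tcp --sport 68 --dport 67 -j ACCEPT
#"$IPTABLES" -A INPUT -i "$INTERNAL_INT" -p udp --sport 68 --dport 67 -j ACCEPT

# Services reachable from the outside: 443 and 80 for the WWW server,
# 22 for SSH.  NOTE(review): SSH is open to every source address; if
# administration only happens from known networks, restricting '-s' on the
# port-22 rule would shrink the exposed surface.
readonly -a PUBLIC_TCP_PORTS=(22 80 443)
for port in "${PUBLIC_TCP_PORTS[@]}"; do
  printf ' - Allowing EXTERNAL access to port %s \n\n' "$port"
  "$IPTABLES" -A INPUT -i "$EXTERNAL_INT" -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s "$ANYWHERE" -d "$EXTERNAL_IP" --dport "$port" -j ACCEPT
done

# Catch-all rule: all other incoming is denied silently (it used to be
# logged as well, but that filled the logfiles; use snort if you are
# curious about what is going on).
"$IPTABLES" -A INPUT -s "$ANYWHERE" -d "$ANYWHERE" -j drop-and-log-it

printf ' - Loading OUTPUT rulesets\n'

# loopback interface is valid.
"$IPTABLES" -A OUTPUT -o lo -s "$ANYWHERE" -d "$ANYWHERE" -j ACCEPT

# local interfaces, any source going to local net is valid
"$IPTABLES" -A OUTPUT -o "$INTERNAL_INT" -s "$EXTERNAL_IP" -d "$INTERNAL_NET" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INTERNAL_INT" -s "$INTERNAL_IP" -d "$INTERNAL_NET" -j ACCEPT

# outgoing to local net on remote interface: stuffed routing, deny
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INT" -s "$ANYWHERE" -d "$INTERNAL_NET" -j drop-and-log-it

# anything else outgoing on remote interface is valid
"$IPTABLES" -A OUTPUT -o "$EXTERNAL_INT" -s "$EXTERNAL_IP" -d "$ANYWHERE" -j ACCEPT

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server.
# Again, wednesday.hennepintech.edu does NOT run a DHCP server.
#"$IPTABLES" -A OUTPUT -o "$INTERNAL_INT" -p tcp -s "$INTERNAL_IP" --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
#"$IPTABLES" -A OUTPUT -o "$INTERNAL_INT" -p udp -s "$INTERNAL_IP" --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT

# Catch-all rule: all other outgoing is denied.
"$IPTABLES" -A OUTPUT -s "$ANYWHERE" -d "$ANYWHERE" -j drop-and-log-it

printf ' - Loading FORWARD rulesets\n'

#####################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
echo " - FWD: Allow all connections OUT and only existing/related IN"
"$IPTABLES" -A FORWARD -i "$EXTERNAL_INT" -o "$INTERNAL_INT" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTERNAL_INT" -o "$EXTERNAL_INT" -j ACCEPT

# Catch-all rule: all other forwarding is denied.
"$IPTABLES" -A FORWARD -j drop-and-log-it

echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTERNAL_INT"
# Stricter form than MASQUERADE: always rewrite to the detected address.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL_INT" -j SNAT --to "$EXTERNAL_IP"

# This is a rather enthusiastic, sloppy and overlapping way of deactivating
# AOL instant messenger in the two networking rooms.  Basically, we dump all
# traffic headed towards the login servers, thus preventing AIM from working.
# 64.12.28.211 and 64.12.161.185 are AIM login servers; 64.12.200.89 too.
# (The list is as maintained in this file; 64.12.25.154 was listed twice
# and is kept once.)
readonly -a AIM_LOGIN_SERVERS=(
  64.12.28.211 64.12.25.154 64.12.25.141 64.12.25.142 64.12.25.143
  64.12.25.144 64.12.25.145 64.12.25.146 64.12.25.147 64.12.25.148
  64.12.25.149 64.12.25.150 64.12.25.151 64.12.25.152 64.12.25.153
  64.12.25.155 64.12.24.98 64.12.161.185 64.12.200.89
)
for aim_login_server in "${AIM_LOGIN_SERVERS[@]}"; do
  printf 'bit-bucketing %s\n\n' "$aim_login_server"
  "$IPTABLES" -I FORWARD -i "$INTERNAL_INT" -s "$ANYWHERE" -d "$aim_login_server" -j DROP
done

# Blocking these nasty old ports on the outside interface:
#   4636 is opaserv, 21 is ftp, 137/138/139 are samba/SMB,
#   1433/1434 are MS SQL server.
# '-I' puts these ahead of every ACCEPT rule in INPUT.
readonly -a BLOCKED_INBOUND_PORTS=(
  21 109 111 135 136 137 138 139 143 857 587 901 869 918 1024 1025 1029
  1080 1433 1434 2002 2049 3128 4636 5813 6112 12345 27374 33087
)
for port in "${BLOCKED_INBOUND_PORTS[@]}"; do
  for protocol in tcp udp; do
    "$IPTABLES" -I INPUT -i "$EXTERNAL_INT" -s "$ANYWHERE" -d "$ANYWHERE" \
      --protocol "$protocol" --destination-port "$port" -j DROP
  done
done

# Now make sure traffic on these ports doesn't LEAVE us: we don't want this
# machine being used as a launching point for some student with a grudge.
readonly -a BLOCKED_FORWARD_PORTS=(
  109 111 135 136 137 138 139 143 427 857 587 901 869 918 1024 1025 1029
  1080 1433 1434 2002 2049
)
for port in "${BLOCKED_FORWARD_PORTS[@]}"; do
  for protocol in tcp udp; do
    "$IPTABLES" -I FORWARD -i "$INTERNAL_INT" -s "$ANYWHERE" -d "$ANYWHERE" \
      --protocol "$protocol" --destination-port "$port" -j DROP
  done
done

# Dump ALL forwarded ICMP packets in both directions.  We still answer pings
# addressed to this host (INPUT is untouched), but we don't want anyone in
# the networking rooms flooding MNSCU's network with pings.
# NOTE(review): because this is inserted ahead of the ESTABLISHED,RELATED
# accept, it also drops inbound ICMP errors for forwarded flows (e.g.
# fragmentation-needed), which can break path-MTU discovery for LAN hosts;
# confirm that this is intended.
"$IPTABLES" -I FORWARD -i "$INTERNAL_INT" -s "$ANYWHERE" -d "$ANYWHERE" --protocol icmp -j DROP
"$IPTABLES" -I FORWARD -i "$EXTERNAL_INT" -s "$ANYWHERE" -d "$ANYWHERE" --protocol icmp -j DROP

printf '\nrc.firewall-2.4 v%s done.\n\n' "$FWVER"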