#!/bin/sh 
#
#  This is an automatically generated file. DO NOT MODIFY!
#
#  Firewall Builder  fwb_ipt v1.0.5 
#
#  Generated Wed Sep 18 12:23:59 2002 CEST by kern
#
#  Last updated by hand 31 Oct 2002 by Kern
#
#
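check() {
  # Verify that "$1" is an executable file; the firewall tools are
  # mandatory, so a missing binary stops the whole script instead of
  # letting it continue with commands that would silently fail.
  # Arguments: $1 - path to the required binary
  # Outputs:   diagnostic on stderr when the check fails
  # Returns:   0 when executable; otherwise exits the script with status 1
  if test ! -x "$1"; then
    # printf with a fixed format: the path is data and must never be
    # interpreted as echo/printf options, and diagnostics belong on stderr.
    printf '%s not found or is not executable\n' "$1" >&2
    exit 1
  fi
}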

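log() {
  # Record a progress message via the syslog helper configured in LOGGER.
  # Does nothing when that binary is absent, so logging can never prevent
  # the firewall from loading.
  # Globals:   LOGGER (read) - path to the logger binary
  # Arguments: $1 - message text
  # Returns:   exit status of the logger binary when it ran, else 0
  if test -x "$LOGGER"; then
    # Run the binary that was just tested rather than a bare "logger"
    # looked up through PATH; the -x test is otherwise meaningless.
    "$LOGGER" -p info "$1"
  fi
}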

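# Absolute paths to the tools this script depends on, so that nothing
# below depends on the PATH in effect at boot time.
# IP is verified but not referenced by any rule in this file.
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

# Stop before any policy or rule is touched if a mandatory tool is missing.
check "$IPTABLES"
check "$IP"

# Working directory kept from the generated script; every path used below
# is absolute, so nothing relies on it.
cd /etc || exit 1

log "Activating firewall script generated Wed Sep 18 12:23:59 2002 CEST by kern"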



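# Remember the current forwarding state and switch routing off while the
# rule set is rebuilt, so nothing is forwarded through a partially loaded
# firewall. The saved value is written back at the very end of the script.
FWD=$(cat /proc/sys/net/ipv4/ip_forward)
echo "0" > /proc/sys/net/ipv4/ip_forward

# TCP tuning (seconds): shorter FIN_WAIT timeout, keepalive probe interval.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# Default-deny on every built-in chain before the old rules are flushed,
# so the flush below never opens a window with an ACCEPT policy.
"$IPTABLES" -P OUTPUT  DROP
"$IPTABLES" -P INPUT   DROP
"$IPTABLES" -P FORWARD DROP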



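# Flush and delete every chain of every loaded table so the rules below
# start from an empty state. "-F" without a chain argument flushes all
# chains of the table, which avoids parsing the text output of "-L";
# "-X" without an argument then removes the (now empty) user-defined chains.
# The DROP policies are already in place, so no traffic is accepted while
# the tables are empty.
while IFS= read -r table; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done < /proc/net/ip_tables_names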


#
#  Rule 0(NAT)
#
# Source-NAT the internal network to the firewall's fixed public address
# for everything leaving through eth0.
"$IPTABLES" -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source 200.200.200.200
#
#

# Packets belonging to (or related to) an already tracked connection are
# accepted on every built-in chain up front; the rules that follow only
# have to decide about NEW connections.
for ch in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -A "$ch" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

#
# Rule 0(eth0)
#
# Drop ICMP that connection tracking classifies as INVALID, for traffic
# entering and leaving through eth0 (including both forwarded directions).
#
for ch in INPUT FORWARD; do
  "$IPTABLES" -A "$ch" -i eth0 -m state -p icmp --state INVALID -j DROP
done
for ch in OUTPUT FORWARD; do
  "$IPTABLES" -A "$ch" -o eth0 -m state -p icmp --state INVALID -j DROP
done
#
# Rule 1(eth0)
#
# A TCP packet that opens a NEW connection must be a proper SYN (iptables
# "--syn": SYN set, ACK/RST/FIN clear); anything else arriving on eth0 and
# claiming to be NEW is dropped.
#
"$IPTABLES" -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
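#
# Rule 2(eth0)
#
# Anti-spoofing: packets arriving on the external interface must never
# claim the firewall's own public address, the internal network or
# loopback as their source. Applied to FORWARD as well as INPUT: the global
# rules further down accept NEW connections from 192.168.0.0/24 on FORWARD
# without an interface restriction, so a spoofed internal source on eth0
# would otherwise be forwarded into the internal network.
#
for src in 200.200.200.200 192.168.0.0/24 127.0.0.0/8; do
  "$IPTABLES" -A INPUT   -i eth0 -s "$src" -j DROP
  "$IPTABLES" -A FORWARD -i eth0 -s "$src" -j DROP
done
#
# Rule 3(eth0)
#
# Blocked sites (modified to include firewall.blocked)
#
# The include is sourced with this script's privileges and can run any
# command; keep it root-owned and not writable by other users.
#
if [ -f /etc/rc.d/firewall.blocked ]; then
  . /etc/rc.d/firewall.blocked
fi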
#
# Rule 4(eth0)
#
# Drop fragments and TCP flag combinations that no legitimate handshake
# produces: "Xmas" (ACK,RST,SYN,FIN set out of ALL), SYN+FIN and SYN+RST.
#
"$IPTABLES" -A INPUT -i eth0 -p ip -f -j DROP
"$IPTABLES" -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
for flags in SYN,FIN SYN,RST; do
  "$IPTABLES" -A INPUT -i eth0 -p tcp --tcp-flags "$flags" "$flags" -j DROP
done
#
# Rule 5(eth0)
#
# Services reachable from the outside: a restricted set of ICMP types
# (time-exceeded 11/0 and 11/1, echo-reply 0/0, echo-request 8/0, any
# destination-unreachable 3), TCP 53/80/22/25 and UDP 53.
# NOTE(review): accepting echo-reply (0/0) as a NEW connection admits
# unsolicited replies; replies to the host's own pings already match the
# ESTABLISHED,RELATED rule — confirm this is intended.
#
for icmp in 11/1 11/0 0/0 8/0 3; do
  "$IPTABLES" -A INPUT -i eth0 -p icmp --icmp-type "$icmp" -m state --state NEW -j ACCEPT
done
"$IPTABLES" -A INPUT -i eth0 -p tcp -m multiport --destination-port 53,80,22,25 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -p udp --destination-port 53 -m state --state NEW -j ACCEPT
#
# Rule 0(lo)
#
# Loopback: accept traffic from/to the host's own addresses on lo in both
# directions.
#
for addr in 200.200.200.200 127.0.0.1; do
  "$IPTABLES" -A INPUT -i lo -s "$addr" -j ACCEPT
done
for addr in 200.200.200.200 127.0.0.1; do
  "$IPTABLES" -A OUTPUT -o lo -d "$addr" -j ACCEPT
done
#
# Rule 0(global)
#
# NEW connections are accepted from the firewall's own address and from the
# internal network (INPUT), from the internal network being routed through
# the box (FORWARD), and unconditionally for locally generated traffic
# (OUTPUT). The INPUT rules carry no interface match; packets from eth0
# with these sources are already dropped by the earlier anti-spoofing rule.
#
"$IPTABLES" -A INPUT   -s 200.200.200.200 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT   -s 192.168.0.0/24  -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT  -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.0.0/24  -m state --state NEW -j ACCEPT
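#
# Rule 1(global)
#
# Answer ident/auth (TCP 113) with a TCP RST instead of silently dropping,
# so mail servers probing auth get an immediate response rather than
# waiting for a timeout (the generator's note: speeds up sendmail).
#
"$IPTABLES" -A OUTPUT -p tcp -d 200.200.200.200 --destination-port 113 -j REJECT --reject-with tcp-reset
"$IPTABLES" -A INPUT  -p tcp --destination-port 113 -j REJECT --reject-with tcp-reset
#
# Rule 2(global)
#
# Explicit catch-all DROP at the end of each built-in chain; it duplicates
# the DROP policies set at the top of the script.
#
for ch in OUTPUT INPUT FORWARD; do
  "$IPTABLES" -A "$ch" -j DROP
done
#
#
# Restore the forwarding state saved before the rules were rebuilt (FWD is
# set near the top of this script). If that read failed FWD is empty; then
# write 0, i.e. leave forwarding off, instead of an invalid empty value.
printf '%s\n' "${FWD:-0}" > /proc/sys/net/ipv4/ip_forward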