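#!/bin/sh
#
# ipchains packet filter for a Linux host with a PPP uplink (ppp0) that
# masquerades a private LAN (eth0, 172.16.0.0/16).
#
# This script is based in part on a script generated by Robert L. Ziegler's
# IPFW firewall design tool at:
#
#     http://rlz.ne.mediaone.net/linux/firewall/
#
# and also on the stuff in the ipchains-HOWTO.
#
# Usage: run as root once the interfaces exist; takes no arguments. Every
# existing rule is flushed first, so re-running the script replaces the
# whole policy.
#
# Fail closed: the input/forward policies are set to DENY before anything
# is flushed or accepted, and the script stops at the first command that
# fails, so an aborted run leaves the host shut rather than half open.

set -e

printf 'Initializing firewall...'

# ipchains lives in /sbin; /bin and /usr/bin are kept so printf/echo resolve
# on shells that do not build them in.
PATH=/sbin:/usr/sbin:/bin:/usr/bin

# ----------------------------------------------------------------------
# Definitions, kept in one place for easy maintenance. Marked readonly so a
# later typo cannot silently widen a rule.

readonly ANY_HOST="0.0.0.0/0"
readonly ANY_PORT="0"              # currently unused; kept for local additions

readonly LOOPBACK_INTERFACE="lo"
readonly PPP_INTERFACE="ppp0"
readonly LAN_INTERFACE="eth0"

readonly LOCAL_NET="172.16.0.0/16"
readonly NAMESERVER_1="204.134.75.2"
readonly NAMESERVER_2="204.134.75.6"

readonly LOOPBACK="127.0.0.0/8"
readonly PRIVATE_CLASS_A="10.0.0.0/8"
readonly PRIVATE_CLASS_B="172.16.0.0/12"
readonly PRIVATE_CLASS_C="192.168.0.0/16"
readonly MULTICAST="240.0.0.0/3"   # /3 covers 224.0.0.0 up: class D and E
readonly BROADCAST_0="0.0.0.0"
readonly BROADCAST_1="255.255.255.255"
readonly BROADCAST_LOCAL="172.16.255.255"

readonly PRIV_PORTS="0:1023"
readonly UNPRIV_PORTS="1024:65535"

readonly HTTPS_PORT="443"
readonly SSH_PORTS="1000:1023"     # subset -- can go as far down as 513
readonly SOCKS_PORT="1080"
readonly NFS_PORT="2049"
readonly XWINDOWS_PORTS="5999:6010"

# ----------------------------------------------------------------------------
# Set up basics

# Default input and forward policies go to DENY *before* the flush, so there
# is no window in which an empty chain with an ACCEPT policy lets everything
# through while the rules are being rebuilt.
ipchains -P input DENY
ipchains -P forward DENY

# Flush all existing rules.
ipchains -F

# Nuke preexisting PPP I/O chains. They normally do not exist yet, so a
# failure here is expected and must not trip set -e.
ipchains -X ppp-in > /dev/null 2>&1 || true
ipchains -X ppp-out > /dev/null 2>&1 || true

# Set up the PPP I/O chains. The jump into ppp-in is appended before any
# other input rule, so ppp-in is always evaluated first.
ipchains -N ppp-in
ipchains -A input -i "$PPP_INTERFACE" -j ppp-in
ipchains -N ppp-out
ipchains -A output -i "$PPP_INTERFACE" -j ppp-out

# ----------------------------------------------------------------------------
# Deny access to jerks

# Place entries below like the following, to block problem sites.
# ipchains -A ppp-in -s 1.2.3.4 -j DENY

# ----------------------------------------------------------------------------
# Give trusted hosts extra access. I don't have to mention that this is a
# potential security hole, do I? Good, I'm glad we understand each other.

# Place entries below like the following, to allow access
# from trusted sites.
# ipchains -A input -s 5.6.7.8 -d $ANY_HOST 1234:5678 -j ACCEPT

# ----------------------------------------------------------------------------
# Lock out packets with malformed, spoofed or dangerous addresses.

# Log spoofing attempts (our own LAN range arriving on the uplink) and drop
# the packets.
ipchains -A ppp-in -s "$LOCAL_NET" -l -j DENY

# Refuse packets claiming to be to or from a private network. Inbound ones
# are silently dropped; outbound ones are REJECTed so the local sender gets
# an error instead of a hang.
for net in "$PRIVATE_CLASS_A" "$PRIVATE_CLASS_B" "$PRIVATE_CLASS_C" "$LOOPBACK"; do
  ipchains -A ppp-in -s "$net" -j DENY
  ipchains -A ppp-in -d "$net" -j DENY
  ipchains -A ppp-out -s "$net" -j REJECT
  ipchains -A ppp-out -d "$net" -j REJECT
done

# Refuse packets to or from a broadcast address
ipchains -A ppp-in -s "$BROADCAST_1" -j DENY
ipchains -A ppp-in -s "$BROADCAST_0" -j DENY
ipchains -A ppp-in -d "$BROADCAST_1" -j DENY
ipchains -A ppp-in -d "$BROADCAST_0" -j DENY
ipchains -A ppp-in -d "$BROADCAST_LOCAL" -j DENY

# Refuse multicast packets -- log packets that match.
ipchains -A ppp-in -s "$MULTICAST" -l -j DENY

# ----------------------------------------------------------------------------
# ICMP -- allow safe ICMP packets in.

for icmp_type in echo-reply destination-unreachable source-quench \
    time-exceeded parameter-problem; do
  ipchains -A ppp-in -p ICMP -s "$ANY_HOST" "$icmp_type" -j ACCEPT
done

# ----------------------------------------------------------------------------
# Close off services that listen on unprivileged ports.
#
# The "replies only" rules further down accept *every* UDP datagram and every
# non-SYN TCP segment to 1024:65535, and the FTP-data rule accepts SYNs from
# source port 20 to that whole range. Neither distinguishes a reply from a
# fresh connection to X11, NFS or SOCKS, so those ports are denied (and
# logged) on the uplink before any of the broad accepts can match.
for port in "$XWINDOWS_PORTS" "$NFS_PORT" "$SOCKS_PORT"; do
  ipchains -A ppp-in -p TCP -d "$ANY_HOST" "$port" -l -j DENY
  ipchains -A ppp-in -p UDP -d "$ANY_HOST" "$port" -l -j DENY
done

# ----------------------------------------------------------------------------
# Allow unlimited traffic on the loopback interface.

ipchains -A input -i "$LOOPBACK_INTERFACE" -j ACCEPT

# ----------------------------------------------------------------------------
# Allow input traffic on the unprivileged ports, if it's just replies to
# connections we've previously established. "! -y" means "not a SYN", so
# this holds for TCP; UDP carries no such flag, which is why the
# port-specific denies above are needed.

ipchains -A input -p TCP ! -y -d "$ANY_HOST" "$UNPRIV_PORTS" -j ACCEPT
ipchains -A input -p UDP -d "$ANY_HOST" "$UNPRIV_PORTS" -j ACCEPT

# ----------------------------------------------------------------------------
# Explicitly reject packets to the ident/auth server. If we just deny
# incoming auth requests, some IRC servers and such will hang forever trying
# in vain to authenticate us.

ipchains -A ppp-in -p TCP -d "$ANY_HOST" auth -j REJECT

# ----------------------------------------------------------------------------
# Allow replies from both of our DNS servers, no matter which local port
# they come in on.

ipchains -A ppp-in -p UDP -s "$NAMESERVER_1" domain -j ACCEPT
ipchains -A ppp-in -p UDP -s "$NAMESERVER_2" domain -j ACCEPT

# ----------------------------------------------------------------------------
# Accept inbound TCP connections to "safe" privileged ports.

# HTTP and HTTPS
ipchains -A ppp-in -p TCP -d "$ANY_HOST" http -j ACCEPT
ipchains -A ppp-in -p TCP -d "$ANY_HOST" "$HTTPS_PORT" -j ACCEPT

# Allow FTP servers to connect to us for FTP data transfer. This is only
# required for normal FTP, not for "passive" FTP. Note that this rule has no
# "! -y", so it does accept new connections whose source port is 20; the
# X11/NFS/SOCKS denies above are what keep it from reaching those services.
ipchains -A ppp-in -p TCP -s "$ANY_HOST" ftp-data \
  -d "$ANY_HOST" "$UNPRIV_PORTS" -j ACCEPT

# ----------------------------------------------------------------------------
# Allow unlimited traffic from our LAN peers.

ipchains -A input -i "$LAN_INTERFACE" -s "$LOCAL_NET" -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

# Make sure IP forwarding is turned on
echo 1 > /proc/sys/net/ipv4/ip_forward

# For all traffic to be forwarded, masquerade it
ipchains -A forward -s "$LOCAL_NET" -j MASQ

# Set timeouts: TCP inactivity, time to keep conn around after a
# FIN, and UDP inactivity. (Time in seconds.)
ipchains -M -S 1800 30 300

# ----------------------------------------------------------------------------
# Mess with the TOS bits for efficiency.

# Set HTTP, telnet and FTP-control to minimum delay
for svc in http telnet ftp; do
  ipchains -A output -p tcp -d "$ANY_HOST" "$svc" -t 0x01 0x10
done

# Set FTP-data and NNTP for maximum throughput
for svc in ftp-data nntp; do
  ipchains -A output -p tcp -d "$ANY_HOST" "$svc" -t 0x01 0x08
done

# ----------------------------------------------------------------------------
# Log all "privileged" TCP/UDP packets that we didn't ACCEPT above. Ditto
# for all the ICMP packets we didn't ACCEPT.

ipchains -A ppp-in -p TCP -y -d "$ANY_HOST" "$PRIV_PORTS" -l -j DENY
ipchains -A ppp-in -p UDP -d "$ANY_HOST" "$PRIV_PORTS" -l -j DENY
ipchains -A ppp-in -p ICMP -d "$ANY_HOST" -l -j DENY

# ----------------------------------------------------------------------------
# Tell user we're done. Don't get rid of the exclamation point -- it's
# actually a debugging aid that alerts us if the shell is expanding
# exclamation points. If it does, the "! -y" rules above will break.

echo done!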