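#!/bin/sh
#
# Three-interface packet-filter setup: ppp0 towards the ISP, eth0/eth1
# towards two internal networks.  Default policies are set to DROP
# before anything else, so every later failure leaves the box closed
# rather than open.  Must run as root; writes /proc/sys/net/ipv4 and
# calls iptables/modprobe.

# Use the C locale so ifconfig/sed output is not localised when we parse
# addresses out of it ("en" is not a guaranteed locale name, "C" is).
export LC_ALL="C"

# External interface
EXTIF=ppp0

# Internal interfaces
INTIF1=eth0
INTIF2=eth1

# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Tool locations
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
SED='/bin/sed'

# Last but not least, the users
JAMES=192.168.10.87
TERESA=192.168.10.88

#######################################
# Pull one field of an interface's "inet addr:" line out of ifconfig
# (old net-tools layout: "inet addr:A  Bcast:B  Mask:M").  Only the IPv4
# line is consulted, so an "inet6 addr:" line can no longer leak into
# the result.
# Arguments: $1 - interface name
#            $2 - field label: addr, Bcast or Mask
# Outputs:   the value on stdout; nothing if the interface is down or the
#            label is absent (a ppp link has no Bcast:)
#######################################
iface_field() {
  "$IFC" "$1" 2>/dev/null \
    | "$SED" -n "/inet addr:/{s/.*$2:\([^ ]*\).*/\1/p;q;}"
}

#######################################
# Abort if an address we are about to build rules from is empty.  The
# policies are already DROP at that point, so exiting fails closed
# instead of installing half a rule set with malformed -s/-d arguments.
# Arguments: $1 - variable name (for the message), $2 - its value
#######################################
require_addr() {
  if [ -z "$2" ]; then
    printf 'FW: %s is empty (interface down?) - leaving policies at DROP and aborting\n' "$1" >&2
    exit 1
  fi
}

# Deny then accept: this keeps holes from opening up
# while we close ports and such
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Flush every table and erase personal chains
TABLES=$(cat /proc/net/ip_tables_names 2>/dev/null)
for t in $TABLES; do
  "$IPT" -t "$t" -F
done
for t in $TABLES; do
  "$IPT" -t "$t" -X
done

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done

# FORWARD policy is already DROP, so enabling forwarding here is safe
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting up external interface environment variables
EXTIP=$(iface_field "$EXTIF" addr)
# ifconfig prints no Bcast: for a point-to-point link, so it is pinned
# here; this (hopefully) serves the same purpose
EXTBC="255.255.255.255"
EXTMSK=$(iface_field "$EXTIF" Mask)
require_addr EXTIP "$EXTIP"
require_addr EXTMSK "$EXTMSK"
EXTNET="$EXTIP/$EXTMSK"
printf 'EXTIP=%s EXTBC=%s EXTMSK=%s EXTNET=%s\n' "$EXTIP" "$EXTBC" "$EXTMSK" "$EXTNET"

# Setting up environment variables for internal interface one
INTIP1=$(iface_field "$INTIF1" addr)
INTBC1=$(iface_field "$INTIF1" Bcast)
INTMSK1=$(iface_field "$INTIF1" Mask)
require_addr INTIP1 "$INTIP1"
require_addr INTMSK1 "$INTMSK1"
INTNET1="$INTIP1/$INTMSK1"
printf 'INTIP1=%s INTBC1=%s INTMSK1=%s INTNET1=%s\n' "$INTIP1" "$INTBC1" "$INTMSK1" "$INTNET1"

# Setting up environment variables for internal interface two
INTIP2=$(iface_field "$INTIF2" addr)
INTBC2=$(iface_field "$INTIF2" Bcast)
INTMSK2=$(iface_field "$INTIF2" Mask)
require_addr INTIP2 "$INTIP2"
require_addr INTMSK2 "$INTMSK2"
INTNET2="$INTIP2/$INTMSK2"
printf 'INTIP2=%s INTBC2=%s INTMSK2=%s INTNET2=%s\n' "$INTIP2" "$INTBC2" "$INTMSK2" "$INTNET2"

# We are now going to create a few custom chains that will result in
# logging of dropped packets.  This will enable us to avoid having to
# enter a log command prior to every drop we wish to log.  The
# first logs drops, the other logs rejects.
# The LOG rules are rate-limited: the catch-all DROPl at the end of
# INPUT/FORWARD would otherwise let a flood fill the syslog.
# Do not complain if chain already exists (so restart is clean)
"$IPT" -N DROPl 2> /dev/null
"$IPT" -A DROPl -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'DROPl:'
"$IPT" -A DROPl -j DROP

"$IPT" -N REJECTl 2> /dev/null
"$IPT" -A REJECTl -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'REJECTl:'
"$IPT" -A REJECTl -j REJECT

# Now we are going to accept all traffic from our loopback device
# if the IP matches any of our interfaces.
"$IPT" -A INPUT -i "$LPDIF" -s "$LPDIP"  -j ACCEPT
"$IPT" -A INPUT -i "$LPDIF" -s "$EXTIP"  -j ACCEPT
"$IPT" -A INPUT -i "$LPDIF" -s "$INTIP1" -j ACCEPT
"$IPT" -A INPUT -i "$LPDIF" -s "$INTIP2" -j ACCEPT

# Blocking Broadcasts (left disabled by the author)
#$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
#$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j DROPl
#$IPT -A INPUT -i $INTIF2 -d $INTBC2 -j DROPl
#$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
#$IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j DROPl
#$IPT -A OUTPUT -o $INTIF2 -d $INTBC2 -j DROPl
#$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
#$IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j DROPl
#$IPT -A FORWARD -o $INTIF2 -d $INTBC2 -j DROPl

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input coming in on our external interface is not addressed to our
# ISP-assigned IP address, drop it like a hot potato"
# Negation is written "! -d" (prepositioned); the old "-d !" form is
# rejected by current iptables.
"$IPT" -A INPUT -i "$EXTIF" ! -d "$EXTIP" -j DROPl

# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line
# explicitly for that IP as well

# Interface one/internal net one
"$IPT" -A INPUT   -i "$INTIF1" ! -s "$INTNET1" -j DROPl
"$IPT" -A OUTPUT  -o "$INTIF1" ! -d "$INTNET1" -j DROPl
"$IPT" -A FORWARD -i "$INTIF1" ! -s "$INTNET1" -j DROPl
"$IPT" -A FORWARD -o "$INTIF1" ! -d "$INTNET1" -j DROPl

# Interface two/internal net two
"$IPT" -A INPUT   -i "$INTIF2" ! -s "$INTNET2" -j DROPl
"$IPT" -A OUTPUT  -o "$INTIF2" ! -d "$INTNET2" -j DROPl
"$IPT" -A FORWARD -i "$INTIF2" ! -s "$INTNET2" -j DROPl
"$IPT" -A FORWARD -o "$INTIF2" ! -d "$INTNET2" -j DROPl

# An additional Egress check
"$IPT" -A OUTPUT -o "$EXTIF" ! -s "$EXTNET" -j DROPl

# Block outbound ICMP (except for PING)
"$IPT" -A OUTPUT  -o "$EXTIF" -p icmp ! --icmp-type 8 -j DROPl
"$IPT" -A FORWARD -o "$EXTIF" -p icmp ! --icmp-type 8 -j DROPl

# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
#########################################
# REMOVED PORTS 6346, 137:139 and 445!!!#
#########################################
COMBLOCK="0:1 13 98 111 161:162 1214 1999 2049 3049 4329 3128 6346 8000 8008 8080 12345 65535"

# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
# UDPBLOCK was documented but never assigned, so the UDP loop below
# installed no rules at all; it now follows the list above.
UDPBLOCK="$COMBLOCK 161:162 520 9000 517:518"

printf 'FW: Blocking attacks to TCP port '
for i in $TCPBLOCK; do
  printf '%s ' "$i"
  "$IPT" -A INPUT   -p tcp --dport "$i" -j DROPl
  "$IPT" -A OUTPUT  -p tcp --dport "$i" -j DROPl
  "$IPT" -A FORWARD -p tcp --dport "$i" -j DROPl
done
printf '\n'

printf 'FW: Blocking attacks to UDP port '
for i in $UDPBLOCK; do
  printf '%s ' "$i"
  "$IPT" -A INPUT   -p udp --dport "$i" -j DROPl
  "$IPT" -A OUTPUT  -p udp --dport "$i" -j DROPl
  "$IPT" -A FORWARD -p udp --dport "$i" -j DROPl
done
printf '\n'

# Opening up ftp connection tracking (best effort: a missing module is
# reported but does not stop the rule set from loading)
MODULES="ip_nat_ftp ip_conntrack_ftp"
for m in $MODULES; do
  printf 'Inserting module %s\n' "$m"
  modprobe "$m" || printf 'FW: warning: could not load module %s\n' "$m" >&2
done

# Defining some common chat clients.  Remove these from your accepted
# list for better security.
# ICQ and AOL are 5190
# MSN is 1863
# Y! is 5050
# Jabber is 5222
# Y! and Jabber ports not added by author and therefore left out of the script
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'

# We have to sync!!
CS_TCP="27020:27039"
CS_UDP="27000:27015"
WOW_TCP="3724"
PORTAGE='rsync'
BNC="31337"
OpenPGP_HTTP_Keyserver="11371"
MPD="6600"
#TORRENT="6346"
SMB="445"
SMB2="137:139"
DCC="40000"
CVS="2401"
TORRENT="6881:6999 49152:49160"
TORRENT_DES="10000"
ARMYOPS_UDP="1716:1718 8777"
ARMYOPS_TCP="27900 14200 20045"
# Referenced in the service lists but never given a value by the author;
# kept empty so they expand to nothing, as before.
GAMESPY_TCP=""
GAMESPY_UDP=""

# All service names are resolved from /etc/services by iptables
TCPSERV="$CVS $DCC domain ssh http $SMB $SMB2 https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $OpenPGP_HTTP_Keyserver www $CS_TCP $WOW_TCP ntp $BNC $MPD $TORRENT $ARMYOPS_TCP $GAMESPY_TCP"
UDPSERV="$CVS domain time $SMB $SMB2 $CS_UDP ntp $BNC $MPD $TORRENT $DCC $TORRENT_DES $ARMYOPS_UDP $GAMESPY_UDP"

printf 'FW: Allowing inside systems to use service:'
for i in $TCPSERV; do
  printf '%s ' "$i"
  "$IPT" -A OUTPUT  -o "$EXTIF"  -p tcp -s "$EXTIP"   --dport "$i" --syn -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -i "$INTIF1" -p tcp -s "$INTNET1" --dport "$i" --syn -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -i "$INTIF2" -p tcp -s "$INTNET2" --dport "$i" --syn -m state --state NEW -j ACCEPT
done
printf '\n'

printf 'FW: Allowing inside systems to use service:'
for i in $UDPSERV; do
  printf '%s ' "$i"
  "$IPT" -A OUTPUT  -o "$EXTIF"  -p udp -s "$EXTIP"   --dport "$i" -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -i "$INTIF1" -p udp -s "$INTNET1" --dport "$i" -m state --state NEW -j ACCEPT
  "$IPT" -A FORWARD -i "$INTIF2" -p udp -s "$INTNET2" --dport "$i" -m state --state NEW -j ACCEPT
done
printf '\n'

# Allow to ping out
"$IPT" -A OUTPUT  -o "$EXTIF"  -p icmp -s "$EXTIP"   --icmp-type 8 -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$INTIF1" -p icmp -s "$INTNET1" --icmp-type 8 -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -i "$INTIF2" -p icmp -s "$INTNET2" --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems
"$IPT" -A OUTPUT -o "$INTIF1" -p icmp -s "$INTNET1" --icmp-type 8 -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$INTIF2" -p icmp -s "$INTNET2" --icmp-type 8 -m state --state NEW -j ACCEPT

# SSH to the firewall itself from internal net two
"$IPT" -A INPUT -i "$INTIF2" -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

# NAT: masquerade both internal nets behind the external address
"$IPT" -t nat -A PREROUTING -j ACCEPT
"$IPT" -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET1" -j MASQUERADE
"$IPT" -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET2" -j MASQUERADE
"$IPT" -t nat -A POSTROUTING -j ACCEPT
"$IPT" -t nat -A OUTPUT -j ACCEPT

"$IPT" -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT

# Anything belonging to a connection we already accepted
"$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#CUSTOM
"$IPT" -A FORWARD -p tcp --dport 6600 -j ACCEPT
#$IPT -t nat -A PREROUTING
#$IPT -A INPUT -i $INTIF2 -p tcp --dport 80 -j ACCEPT
# NOTE(review): the two rules below carry no -i restriction, so tcp/udp
# 20:22 (ftp-data, ftp, ssh) are accepted on every interface including
# $EXTIF; the commented-out "$INTIF2" variants nearby suggest the intent
# was internal-only - confirm before relying on this.
"$IPT" -A INPUT -p tcp --dport 20:22 -j ACCEPT
"$IPT" -A INPUT -p udp --dport 20:22 -j ACCEPT
#$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
#$IPT -A INPUT -p udp --dport 443 -j ACCEPT
#$IPT -A INPUT -p udp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $INTIF2 -p udp --dport 20:22 -j ACCEPT
#$IPT -t nat -A PREROUTING -p udp --dport 31337 -j DNAT --to 192.168.10.1:31337
#$IPT -t nat -A PREROUTING -p tcp --dport 31337 -j DNAT --to 192.168.10.1:31337
# BNC port deliberately exposed on the external interface
"$IPT" -A INPUT -p tcp -i "$EXTIF" --dport 31337 -j ACCEPT
"$IPT" -A INPUT -p udp -i "$EXTIF" --dport 31337 -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p tcp --dport "$SMB2" -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p udp --dport "$SMB2" -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p tcp --dport "$SMB"  -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p udp --dport "$SMB"  -j ACCEPT
#$IPT -A INPUT -i $INTIF2 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
#$IPT -A INPUT -i $INTIF2 -p udp --dport 22 --syn -m state --state NEW -j ACCEPT
##$IPT -A INPUT -i $EXTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
#$IPT -A INPUT -i $EXTIF -p udp --dport 22 --syn -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p tcp --dport 80 -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p udp --dport 80 -j ACCEPT
# Web server reachable from the outside
"$IPT" -A INPUT -i "$EXTIF" -p tcp --dport 80 -j ACCEPT
"$IPT" -A INPUT -i "$EXTIF" -p udp --dport 80 -j ACCEPT
# Same as the $SMB/$SMB2 rules above, kept as the author had them
"$IPT" -A INPUT -i "$INTIF2" -p tcp --dport 445 -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p udp --dport 445 -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p tcp --dport 137:139 -j ACCEPT
"$IPT" -A INPUT -i "$INTIF2" -p udp --dport 137:139 -j ACCEPT
##$IPT -A INPUT -i

## Block and log what we may have forgotten
"$IPT" -A INPUT   -j DROPl
"$IPT" -A OUTPUT  -j REJECTl
"$IPT" -A FORWARD -j DROPl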