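#!/bin/bash
#
# rc.firewall-2.4 -- iptables rules for a router with three uplinks (TBT, DOM,
# TTK) and one LAN segment.  Default policy is DROP on INPUT and FORWARD: the
# LAN side is fully trusted, the uplinks only get ICMP echo request/reply,
# replies to existing connections and HTTP (tcp/80).  Marks 1-3 in the mangle
# table tag LAN connections by the uplink address they were opened to, for
# policy routing (the matching ip rule / ip route setup is not in this script).
#
# Must run as root.  Re-running it is safe: every table it populates is
# flushed before rules are appended.
#
# Module names (ip_conntrack, ip_queue, ...) are the 2.4-era ones; on a newer
# kernel modprobe reports them as missing -- verify for the target host.
# NOTE(review): ipt_MASQUERADE is loaded but no nat POSTROUTING rule appears in
# this part of the script -- confirm the NAT rule is set elsewhere.

set -u

FWVER=0.75

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

##################
### NET SERVER ###
##################
ExTBT="ppp1"   # TBT uplink
ExDOM="ppp0"   # DOM uplink
ExTTK="eth1"   # TTK uplink
INTIF="eth2"   # LAN
LOTIF="lo"
##################

# Public addresses of the uplinks, used by the routing marks below.  They are
# redacted here ("xx.xx"); iptables rejects the MARK rules until real
# addresses are filled in.
TBT_ADDR="89.251.xx.xx"
DOM_ADDR="91.144.xx.xx"
TTK_ADDR="217.23.xx.xx"
# LAN = 192.168.16.10

# Uplinks in the order the per-interface rules are appended.
EXTIFS=("$ExTBT" "$ExDOM" "$ExTTK")

#######################################
# Print the startup banner and the interface assignment.
# Globals: FWVER, ExTBT, ExDOM, ExTTK, INTIF (read)
#######################################
banner() {
  echo "------------------------------------------------"
  echo "----------- IPTables Start Rules ---------------"
  echo "------------------------------------------------"
  # FWVER is assigned above; the original read it before it was set (printing
  # an empty version) and echoed the \n escapes literally.
  echo -e "\nrc.firewall-2.4 v$FWVER start.\n"
  echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
  echo " External Interface 1: $ExTBT"
  echo " External Interface 2: $ExDOM"
  echo " External Interface 3: $ExTTK"
  echo " Internal Interface: $INTIF"
}

#######################################
# Load one kernel module, printing a progress label first.
# Arguments: $1 - label to print, $2 - module name
#######################################
load_mod() {
  echo -en "$1, "
  "$MODPROBE" "$2"
}

#######################################
# Load the netfilter modules the rules below depend on.  A failing modprobe
# prints its own error and does not stop the script, so the DROP policies
# are still installed on a kernel that has the functionality built in.
#######################################
load_modules() {
  echo -en " loading modules: "
  echo " - Verifying that all kernel modules are ok"
  "$DEPMOD" -a
  echo "----------------------------------------------------------------------"
  load_mod ip_tables ip_tables
  load_mod ip_conntrack ip_conntrack
  load_mod ip_conntrack_ftp ip_conntrack_ftp
  load_mod ip_conntrack_irc ip_conntrack_irc
  load_mod iptable_nat iptable_nat
  load_mod ip_nat_ftp ip_nat_ftp
  load_mod MASQUERADE ipt_MASQUERADE
  echo "ip_queue."
  "$MODPROBE" ip_queue
  echo "----------------------------------------------------------------------"
  echo -e " Done loading modules.\n"
}

#######################################
# Flush every table this script populates and install the default policies.
# Runs before forwarding is enabled, so nothing is forwarded while the
# tables are still being filled.
#######################################
reset_tables() {
  echo " Clearing any existing rules and setting default policy.."
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -F INPUT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -F OUTPUT
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -F FORWARD
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t nat -X
  # The MARK rules are appended to mangle below; without this flush every run
  # of the script stacked another copy of them.
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -t mangle -X
}

#######################################
# Create the (currently empty) scanner-blocking chain and hook it into INPUT.
#######################################
anti_scan_chain() {
  echo "create anti-scanet chain"
  # -N fails when the chain survived a previous run; it is flushed right after,
  # so the error is deliberately ignored.
  "$IPTABLES" -N drop_scaners 2>/dev/null || true
  "$IPTABLES" -F drop_scaners
  "$IPTABLES" -A drop_scaners -j RETURN
  "$IPTABLES" -I INPUT -j drop_scaners
}

#######################################
# Drop TCP packets that cannot be the start of a legitimate connection and
# anything conntrack could not classify, in both INPUT and FORWARD.
#######################################
bad_packet_rules() {
  local chain
  echo "drop bad packets"
  for chain in INPUT FORWARD; do
    # NEW connection whose first packet has SYN+ACK set: reset it
    "$IPTABLES" -A "$chain" -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    # NEW connection whose first packet is not a SYN
    "$IPTABLES" -A "$chain" -p TCP ! --syn -m state --state NEW -j DROP
    "$IPTABLES" -A "$chain" -m state --state INVALID -j DROP
  done
}

#######################################
# FORWARD: the LAN may open anything towards each uplink; an uplink reaches
# the LAN only with packets of established/related connections.
#######################################
forward_rules() {
  local ext
  echo " FWD: Allow all connections OUT and only existing and related ones IN"
  for ext in "${EXTIFS[@]}"; do
    "$IPTABLES" -A FORWARD -i "$ext" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$INTIF" -o "$ext" -j ACCEPT
  done
}

#######################################
# INPUT: everything from the LAN and loopback is accepted; each uplink gets
# ICMP echo reply/request and replies to connections the router opened.
#######################################
input_rules() {
  local ext
  #users start ETH0
  "$IPTABLES" -A INPUT -i "$INTIF" -p icmp -j ACCEPT
  "$IPTABLES" -A INPUT -i "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Whole LAN trusted.  Any further INTIF rule in INPUT is unreachable after
  # this one, so the duplicate ICMP/ESTABLISHED rules that followed it have
  # been dropped.
  "$IPTABLES" -A INPUT -i "$INTIF" -p all -j ACCEPT
  "$IPTABLES" -A INPUT -i "$LOTIF" -p all -j ACCEPT
  echo "------------- SETUP LOADED OK -----------------"
  for ext in "${EXTIFS[@]}"; do
    "$IPTABLES" -A INPUT -i "$ext" -p ICMP --icmp-type 0 -j ACCEPT   # echo-reply
    "$IPTABLES" -A INPUT -i "$ext" -p ICMP --icmp-type 8 -j ACCEPT   # echo-request
    "$IPTABLES" -A INPUT -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  echo "------------- LAN SETUP LOADED OK -----------------"
}

#################
### IPROUTE 2 ###
#################
#######################################
# Mark LAN-originated connections by the uplink address they were opened to;
# the mark is meant to be consumed by ip rule (not configured here).
#######################################
mark_rules() {
  "$IPTABLES" -t mangle -A PREROUTING -i "$INTIF" -m conntrack --ctorigdst "$TTK_ADDR" -j MARK --set-mark 1
  "$IPTABLES" -t mangle -A PREROUTING -i "$INTIF" -m conntrack --ctorigdst "$TBT_ADDR" -j MARK --set-mark 2
  "$IPTABLES" -t mangle -A PREROUTING -i "$INTIF" -m conntrack --ctorigdst "$DOM_ADDR" -j MARK --set-mark 3
}

#############
### 16.10 ###
#############
#######################################
# Services reachable from the uplinks: HTTP only.
#######################################
service_rules() {
  local ext
  # INPUT - Web (80)
  for ext in "${EXTIFS[@]}"; do
    "$IPTABLES" -A INPUT -i "$ext" -p tcp --dport 80 -j ACCEPT
  done
}

#######################################
# Turn on routing between interfaces.  Done last, after policies and rules
# are in place; the original enabled it before clearing the tables, leaving
# a window in which packets were forwarded under whatever rules existed.
#######################################
enable_forwarding() {
  echo " Enabling forwarding.."
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo " Enabling DynamicAddr.."
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
}

main() {
  if [[ ! -x "$IPTABLES" ]]; then
    printf 'rc.firewall: %s not found or not executable\n' "$IPTABLES" >&2
    exit 1
  fi
  banner
  load_modules
  reset_tables
  anti_scan_chain
  bad_packet_rules
  forward_rules
  input_rules
  mark_rules
  service_rules
  enable_forwarding
}

main "$@"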