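#!/bin/sh
#
# Simple rc.firewall: enables IPv4 forwarding and MASQUERADE (SNAT) between one
# WAN interface and one LAN interface.
#
# Globals written: FWVER, IPTABLES, EXTIF, INTIF
# Requires:        root (writes /proc/sys and iptables rules), /sbin/iptables,
#                  and a 'getcfg' helper used to detect the WAN interface.
#
FWVER=0.63
# printf instead of 'echo -e': under a POSIX /bin/sh (e.g. dash) 'echo -e' prints
# the literal "-e" instead of interpreting escapes.
printf 'Loading simple rc.firewall version %s..\n\n' "$FWVER"

IPTABLES=/sbin/iptables

#To determine WAN interface
#
#  The exit status of 'getcfg wanif' selects the interface: 1 or 2 means ppp0,
#  anything else (including 0, and 127 if getcfg is missing) means eth0.
#  NOTE(review): the meaning of getcfg's status codes is not visible here —
#  confirm against the getcfg implementation before relying on it.
getcfg wanif
case "$?" in
  1 | 2)
    EXTIF="ppp0"
    ;;
  *)
    EXTIF="eth0"
    ;;
esac

INTIF="eth1"

printf '   External Interface:  %s\n' "$EXTIF"
printf '   Internal Interface:  %s\n' "$INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
#CRITICAL:  Enable IP forwarding since it is disabled by default.
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
printf '   enabling forwarding..\n'
# Without forwarding none of the FORWARD/MASQUERADE rules below have any
# effect, so report failure loudly instead of continuing silently.
echo "1" > /proc/sys/net/ipv4/ip_forward \
  || printf '   WARNING: could not enable /proc/sys/net/ipv4/ip_forward\n' >&2


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable the following option.  This enables dynamic-address hacking
#   which makes life with Diald and similar programs much easier.
#
#echo "   enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The rules below MASQ internal traffic out to the Internet and do
#            not allow non-initiated traffic into your internal network.  They
#            match on interface names only; no internal network address or
#            subnet mask is applied anywhere in this script.
#
#         ** Please change the interface names to match your setup.
#


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP
#
#  NOTE(review): with INPUT defaulting to ACCEPT, only the handful of ports
#  listed below are blocked on the WAN side and every other service on this
#  host is reachable from $EXTIF.  A default-DROP INPUT policy with explicit
#  ACCEPT rules is the safer pattern; kept as ACCEPT here to preserve the
#  existing behaviour.
#
#  Only the three built-in filter chains and the nat table are flushed;
#  user-defined chains and the mangle table (if any) are left untouched.
#
#echo "   clearing any existing rules and setting default policy.."
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -t nat -F

#echo "   Enabling URL logging"
#$IPTABLES -A FORWARD -p tcp --dport 80 -j LOG
#echo -e "Done.\n"


#echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# WAN -> LAN: only replies to connections the LAN initiated (and related ones).
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> WAN and LAN -> LAN: everything.
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$INTIF" -j ACCEPT
# Drop a few well-known LAN-only service ports arriving on the WAN side
# (portmapper, MS RPC, NetBIOS/SMB, LPD, AFP).  Everything else is still
# accepted by the INPUT policy above.
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 111 -j DROP
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 135 -j DROP
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 139 -j DROP
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 515 -j DROP
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 548 -j DROP
"$IPTABLES" -A INPUT -i "$EXTIF" -p udp --dport 137 -j DROP
"$IPTABLES" -A INPUT -i "$EXTIF" -p udp --dport 138 -j DROP

printf '   Enabling SNAT (MASQUERADE) functionality on %s\n' "$EXTIF"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
# NOTE(review): traffic leaving towards the LAN interface is also
# masqueraded; this hides the true source of routed traffic from LAN hosts.
# Presumably intentional for this deployment — confirm before removing.
"$IPTABLES" -t nat -A POSTROUTING -o "$INTIF" -j MASQUERADE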
