rc.firewall

LAN_IFACE=eth1
LAN_IP=192.168.1.22
LAN_IP_RANGE=192.168.1.0/24
LAN_BCAST_ADRESS=192.168.1.255/24

LAN2_IP=192.168.2.22
LAN2_IP_RANGE=192.168.2.0/24
LAN2_BCAST_ADRESS=192.168.2.255/24

INET_IFACE=eth0
STATIC_IP=192.168.100.1
LO_IFACE=lo
LOCALHOST_IP=127.0.0.1

PPP0_IFACE=ppp0
PPP0_IP=$(ifconfig $PPP0_IFACE | grep inet | cut -f2 -d ':' | cut -f1 -d ' ')
echo $PPP0_IP

IPTABLES="/usr/sbin/iptables"
IPSET="/usr/sbin/ipset"

/sbin/modprobe ip_tables
/sbin/modprobe ip_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/proxy_arp

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPSET -X
$IPSET -N whitelist bitmap:ip,mac range $LAN_IP_RANGE
$IPSET -N whitelistd bitmap:ip,mac range $LAN_IP_RANGE
$IPSET -N ipwhite iphash

for i in $(cat /home/scripts/iplist/ipmac.lst | cut -d '#' -f 1)
do
    if [ ! a"$i" == a ]; then
        $IPSET add whitelist $i    #
    fi
done

for i in $(cat /home/scripts/iplist/ipmac_dubles.lst | cut -d '#' -f 1)
do
    if [ ! a"$i" == a ]; then
        $IPSET add whitelistd $i    #
    fi
done

for i in $(cat /home/scripts/iplist/ip.lst | cut -d '#' -f 1)
do
    if [ ! a"$i" == a ]; then
        $IPSET add ipwhite $i     #
    fi
done

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -N bad_tcp_packets

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N fw_allow

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "Bad TCP packet: "
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

$IPTABLES -A fw_allow -j ACCEPT


$IPTABLES -t nat -A POSTROUTING -o $PPP0_IFACE -s $LAN_IP_RANGE -j SNAT --to-source $PPP0_IP

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p udp -i $LAN_IFACE --dport 67 -j DROP
$IPTABLES -A FORWARD -p udp -i $LAN_IFACE --dport 68 -j DROP
$IPTABLES -A FORWARD -p ALL -i $LAN_IFACE -m set --match-set whitelist src,src -j fw_allow
$IPTABLES -A FORWARD -p ALL -i $LAN_IFACE -m set --match-set whitelistd src,src -j fw_allow
$IPTABLES -A FORWARD -p ALL -i $LAN_IFACE -m set --match-set ipwhite src -j fw_allow

$IPTABLES -A FORWARD -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT FORWARD packet died: "

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -d $STATIC_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d 255.255.255.255 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN2_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN2_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $STATIC_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN2_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $STATIC_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $PPP0_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT INPUT packet died: "

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $PPP0_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT OUTPUT packet died: "