#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v2.1.14-1
#
# Generated Thu Apr 24 13:37:59 2008 CEST by hernad
#
# files: * router-wan-rg-2.fw
#
# What this script does, in order:
#   1. locates the tools it needs (ip, iptables, lsmod, modprobe, logger)
#   2. loads every *conntrack* / *nat* kernel module found under the
#      running kernel's net/ directory
#   3. flushes the "br-lan:FWB*" alias addresses and reads the current
#      IPv4 address of ppp0 / ppp1 into $i_ppp0 / $i_ppp1
#   4. sets the INPUT/OUTPUT/FORWARD policies to DROP (IPv4, and IPv6 when
#      ip6tables works), then flushes and deletes every IPv4 chain
#   5. installs the NAT rules, then the filter rules, ending with a
#      log-and-DROP catch-all (Rule 6)
#
# NOTE(review): the "echo 1 > /proc/sys/net/ipv4/ip_forward" line at the
# end of this script is commented out, so the FORWARD rules below only take
# effect if IP forwarding is enabled elsewhere on the host — confirm.
#

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/usr/sbin/iptables"
IPTABLES_RESTORE="/usr/sbin/iptables-restore"
IP="/usr/sbin/ip"
LOGGER="/usr/bin/logger"

#
# Prolog script
#

#
# End of prolog script
#

# Print a message on stdout and, when $LOGGER is executable, also send it to
# syslog at priority "info".
# Arguments: $1 - message text
log() {
  echo "$1"
  test -x "$LOGGER" && $LOGGER -p info "$1"
}

# Abort the whole script if an AddressTable file is not readable.
# Arguments: $1 - AddressTable object name (for the error message)
#            $2 - path of the file the object refers to
# Exits with status 1 when $2 cannot be read.
check_file() {
  test -r "$2" || {
    echo "Can not find file $2 referenced by AddressTable object $1"
    exit 1
  }
}

# Counter used to build the "<dev>:FWB<n>" labels of the alias addresses
# added by add_addr; shared across calls, so it is a global on purpose.
va_num=1

# Add a virtual (alias) IPv4 address to an interface unless it is already
# present.
# Arguments: $1 - address
#            $2 - netmask (only used for BROADCAST interfaces)
#            $3 - device name
# Globals:   va_num (read and incremented), IFS (saved/restored around "set")
# The interface type is taken from the 4th field of "ip -4 link ls <dev>"
# (5th field when the 4th is NO-CARRIER); POINTOPOINT devices get the bare
# address, BROADCAST devices get address/netmask with "brd +".
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  L=`$IP -4 link ls $dev | head -n1`
  if test -n "$L"; then
    OIFS=$IFS
    # split the link line on space, "/", ":", "," and "<" so the flag list
    # becomes separate positional parameters
    IFS=" /:,<"
    set $L
    type=$4
    IFS=$OIFS
    if test "$type" = "NO-CARRIER"; then
      type=$5
    fi
    # lines containing ":" (inet6 entries, labelled aliases) are skipped
    L=`$IP -4 addr ls $dev to $addr | grep inet | grep -v :`
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  # only add the address when it was not already found on the device
  if test -z "$aadd"; then
    if test "$type" = "POINTOPOINT"; then
      $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
    if test "$type" = "BROADCAST"; then
      $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
  fi
}

# Turn an interface name into something usable as a shell variable name by
# replacing the first "." with "_" (e.g. VLAN sub-interfaces).
# Arguments: $1 - interface name
# Outputs:   the converted name on stdout
getInterfaceVarName() {
  echo $1 | sed 's/\./_/'
}

# Store the first IPv4 address of a device into a named shell variable.
# Arguments: $1 - device name
#            $2 - name of the variable to set (via eval)
# The variable is set to the empty string when the device has no plain
# (unlabelled, non-":" ) inet line.
getaddr() {
  dev=$1
  name=$2
  L=`$IP -4 addr show dev $dev | grep inet | grep -v :`
  test -z "$L" && {
    eval "$name=''"
    return
  }
  OIFS=$IFS
  IFS=" /"
  set $L
  # second field of "inet <addr>/<prefix> ..." is the address
  eval "$name=$2"
  IFS=$OIFS
}

# List the interface names whose "ip link show" entry contains ": <NAME>".
# Arguments: $1 - name prefix/pattern to look for
# Outputs:   one interface name per line on stdout
getinterfaces() {
  NAME=$1
  $IP link show | grep ": $NAME" | while read L; do
    OIFS=$IFS
    IFS=" :"
    set $L
    IFS=$OIFS
    echo $2
  done
}

# increment ip address
# Arguments: $1..$4 - names of the shell variables holding the four octets
#            (most significant first); the last octet is incremented and the
#            carry propagates leftwards by recursion.
# Not called anywhere in this script.
incaddr() {
  n1=$4
  n2=$3
  n3=$2
  n4=$1
  vn1=`eval "echo \\$$n1"`
  R=`expr $vn1 \< 255`
  if test $R = "1"; then
    eval "$n1=`expr $vn1 + 1`"
  else
    eval "$n1=0"
    incaddr XX $n4 $n3 $n2
  fi
}

# Make sure iproute2 is usable before doing anything else.
if $IP link ls >/dev/null 2>&1; then
  echo
else
  echo "iproute not found"
  exit 1
fi

# Collect the base names of every conntrack / nat module shipped with the
# running kernel and load the ones that are not already present.
MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
MODULES=`find $MODULES_DIR -name '*conntrack*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/'`
MODULES="$MODULES `find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/'`"
for module in $MODULES; do
  # NOTE(review): unanchored substring match against lsmod output; a module
  # whose name is a substring of an already loaded one is treated as loaded.
  if $LSMOD | grep ${module} >/dev/null; then continue; fi
  $MODPROBE ${module} || exit 1
done

# Using 0 address table files

# Configure interfaces
# Drop the neighbour cache and any "br-lan:FWB*" alias addresses left over
# from a previous run (errors ignored on purpose).
$IP -4 neigh flush dev br-lan >/dev/null 2>&1
$IP -4 addr flush dev br-lan secondary label "br-lan:FWB*" >/dev/null 2>&1

# Current IPv4 addresses of the two PPP uplinks; empty if the link is down.
# Rules below that reference them are skipped when the variable is empty.
getaddr ppp1 i_ppp1
getaddr ppp0 i_ppp0

# Add virtual addresses for NAT rules

log 'Activating firewall script generated Thu Apr 24 13:37:59 2008 by hernad'

# Default-deny in all three filter chains before any rule is installed.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Same default-deny for IPv6, plus loopback, but only when ip6tables works.
# NOTE(review): existing IPv6 rules are not flushed here; only the policies
# and the loopback accepts are set.
ip6tables -L -n > /dev/null 2>&1 && {
  ip6tables -P OUTPUT DROP
  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
}

# Flush every chain in every loaded IPv4 table, then delete the user
# chains, so the rules below start from a clean state.
cat /proc/net/ip_tables_names | while read table; do
  $IPTABLES -t $table -L -n | while read c chain rest; do
    if test "X$c" = "XChain" ; then
      $IPTABLES -t $table -F $chain
    fi
  done
  $IPTABLES -t $table -X
done

# Stateful baseline: anything belonging to an established/related flow is
# accepted in all three chains; the rules below only decide NEW flows.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Clamp TCP MSS to path MTU on forwarded SYNs (presumably for the ppp
# uplinks — confirm).
$IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
# Port-forward tcp 25/80/443 arriving at ppp0's own address to the internal
# host 192.168.55.12. Skipped when ppp0 had no address when the script ran.
#
test -n "$i_ppp0" && $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d $i_ppp0 --dports 25,80,443 -j DNAT --to-destination 192.168.55.12

#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
# Masquerade LAN traffic leaving ppp0 for the two listed destination /24s.
#
$IPTABLES -t nat -N Cid480E19E47826.0
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.55.0/24 -j Cid480E19E47826.0
$IPTABLES -t nat -A Cid480E19E47826.0 -d 195.222.62.0/24 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19E47826.0 -d 195.222.57.0/24 -j MASQUERADE

#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
# Masquerade LAN traffic leaving ppp1 for the listed destination ranges
# (the long list of prefixes is how the generator expressed the
# destination set; the exact set is whatever these prefixes cover).
#
$IPTABLES -t nat -N Cid480E19F97826.0
$IPTABLES -t nat -A POSTROUTING -o ppp1 -s 192.168.55.0/24 -j Cid480E19F97826.0
$IPTABLES -t nat -A Cid480E19F97826.0 -d 208.0.0.0/4 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 200.0.0.0/5 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 196.0.0.0/6 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 195.224.0.0/11 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 195.222.0.0/15 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 224.0.0.0/4 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 240.0.0.0/5 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 248.0.0.0/6 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 252.0.0.0/7 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 254.0.0.0/8 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.0.0.0/9 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.128.0.0/10 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.192.0.0/11 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.224.0.0/12 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.240.0.0/13 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.248.0.0/14 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.252.0.0/15 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.254.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 255.255.0.0 -j MASQUERADE
$IPTABLES -t nat -A Cid480E19F97826.0 -d 80.65.85.0/24 -j MASQUERADE

#
# Rule 3 (NAT)
#
echo "Rule 3 (NAT)"
#
# Catch-all: everything else from the LAN leaving ppp0 is masqueraded.
#
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.55.0/24 -j MASQUERADE

#
# Rule 0 (lo)
#
echo "Rule 0 (lo)"
#
# Loopback is fully open in both directions.
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT

#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
# Accept (and log) NEW ICMP echo-reply/echo-request and tcp 22,25,443,80 in
# INPUT, OUTPUT and FORWARD, from any source on any interface. In INPUT this
# means ssh/smtp/http/https on the firewall itself are reachable from the
# uplinks as well as from the LAN.
#
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 22,25,443,80 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 22,25,443,80 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 22,25,443,80 -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT

#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# Accept (and log) every NEW connection to the firewall whose source is in
# the LAN range. NOTE(review): the match is on source address only, with no
# "-i br-lan"; a packet carrying a 192.168.55.x source that arrives on ppp0
# or ppp1 also matches. Ingress filtering on the uplinks (or rp_filter) is
# what would prevent that — confirm it exists elsewhere. Same remark
# applies to Rule 5 below.
#
$IPTABLES -N RULE_2
$IPTABLES -A INPUT -s 192.168.55.0/24 -m state --state NEW -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A RULE_2 -j ACCEPT

#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
# Firewall uses one of the machines
# on internal network for DNS
#
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.55.0/24 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp -d 192.168.55.0/24 --dport 53 -m state --state NEW -j ACCEPT

#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
# Inbound tcp 53,873 and udp 53,123,1194 to the firewall are accepted only
# from 192.168.55.254 and from the firewall's own ppp0/ppp1 addresses (the
# latter two rules are skipped when the link had no address). Outbound to
# the same ports is accepted to anywhere.
#
$IPTABLES -N Cid480E19897826.0
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 53,873 -m state --state NEW -j Cid480E19897826.0
$IPTABLES -A INPUT -p udp -m udp -m multiport --dports 53,123,1194 -m state --state NEW -j Cid480E19897826.0
$IPTABLES -A Cid480E19897826.0 -s 192.168.55.254 -j ACCEPT
test -n "$i_ppp1" && $IPTABLES -A Cid480E19897826.0 -s $i_ppp1 -j ACCEPT
test -n "$i_ppp0" && $IPTABLES -A Cid480E19897826.0 -s $i_ppp0 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 53,873 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 53,123,1194 -m state --state NEW -j ACCEPT

#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
# Accept (and log) every NEW flow with a LAN source address in INPUT,
# OUTPUT and FORWARD — again matched on source address only, see the note
# on Rule 2.
#
$IPTABLES -N RULE_5
$IPTABLES -A INPUT -s 192.168.55.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A OUTPUT -s 192.168.55.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A FORWARD -s 192.168.55.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A RULE_5 -j ACCEPT

#
# Rule 6 (global)
#
echo "Rule 6 (global)"
#
# Final catch-all: log with prefix "POLICY-DENY " and DROP everything that
# reached the end of INPUT, OUTPUT or FORWARD. Together with the DROP
# policies set above, nothing not explicitly accepted gets through.
#
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -j RULE_6
$IPTABLES -A INPUT -j RULE_6
$IPTABLES -A FORWARD -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "POLICY-DENY "
$IPTABLES -A RULE_6 -j DROP

#
# Left commented out by the generator: this script does not enable IPv4
# forwarding itself.
# echo 1 > /proc/sys/net/ipv4/ip_forward
#

#
# Epilog script
#

# End of epilog script
#