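#!/bin/sh
# kreator, 2001
#
# Host firewall for a box whose external link is ppp0.
# Rebuilds the iptables "filter" and "mangle" tables from scratch:
#   - INPUT and FORWARD are both sent through a user chain "block", which
#     keeps established/related traffic, a few explicitly listed TCP ports
#     on ppp0, and new connections arriving on any interface other than
#     ppp0; everything else is logged (rate-limited) and dropped.
#   - OUTPUT gets TOS marks chosen by source port (mangle table).
# The "nat" table is not touched.  Must run as root.  An iptables error
# is reported by iptables itself but does not stop the script, and the
# final exit status is always 0 (see the end of the file).

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# printf rather than "echo -ne": under /bin/sh (dash, ash, ...) echo does
# not take -n/-e and would print "-ne" literally.  The message contains no
# escapes, so only the "no trailing newline" part was ever needed.
printf '%s' "Setting firewall rules... "

# flush all rules and delete all user-defined chains in filter and mangle.
# -F has to come first: -X refuses to delete a chain that is still referenced.
iptables -F -t filter
iptables -X -t filter
iptables -F -t mangle
iptables -X -t mangle

# allow ipv6 (IP protocol "ipv6", i.e. IPv6-over-IPv4 tunnel traffic) in on ppp0
iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
#iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT

# define rule chain
iptables -N block

# accept all established connections initiated by our side
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept all connections on ident port
iptables -A block -m state --state NEW,ESTABLISHED,RELATED \
  --protocol tcp --dport ident -i ppp0 -j ACCEPT
iptables -A block -m state --state NEW,ESTABLISHED,RELATED \
  --protocol tcp --sport ident -i ppp0 -j ACCEPT

# anoncvs
iptables -A block -m state --state NEW,ESTABLISHED,RELATED \
  --protocol tcp --dport 2401 -i ppp0 -j ACCEPT
#iptables -A block -m state --state NEW,ESTABLISHED,RELATED \
#  --protocol tcp --sport 2401 -i ppp0 -j ACCEPT

# accept all connections on 9999 port (netcopy)
iptables -A block -m state --state NEW,ESTABLISHED,RELATED \
  --protocol tcp --dport 9999 -i ppp0 -j ACCEPT
#iptables -A block -m state --state NEW,ESTABLISHED,RELATED \
#  --protocol tcp --sport 9999 -i ppp0 -j ACCEPT

# fancy icmp reject
#iptables -A block --protocol icmp -i ppp0 -m limit --limit 1/s \
#  -j REJECT --reject-with icmp-host-prohibited

# accept all new connections if not originating from ppp0 interface
# NOTE(review): "-i ! ppp0" is the old intrapositioned negation; newer
# iptables releases still accept it but warn that "! -i ppp0" is the
# preferred form.  Left as is for compatibility with the iptables this
# script was written for.
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT

# default policy is log and drop
# (no --limit given, so the limit match's built-in default rate applies)
iptables -A block -m limit -j LOG
iptables -A block -j DROP

# all in input chain we forward to our rules
iptables -A INPUT -j block

# do some logging
# NOTE(review): this logs (rate-limited) every forwarded packet before any
# decision is taken, not just the ones that end up dropped.
iptables -A FORWARD -m limit -j LOG

# SYNflood protection
# NOTE(review): this is an ACCEPT, not a drop.  It admits up to 1 new TCP
# connection per second on FORWARD from *any* interface, ppp0 included,
# before the packet reaches the "block" chain below; the echo-request rule
# works the same way.  Only traffic above the rate falls through to
# "block", which is where the real filtering happens.  Bind these rules to
# an interface (or drop them) if forwarded traffic from ppp0 must always
# go through "block".
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# ping of death protection
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \
  --limit 1/s -j ACCEPT

# port scanner protection
# NOTE(review): this rule has no -j target, so it only counts matching
# packets and provides no protection as written.  Decide on the intended
# target before relying on it (the neighbouring rules use ACCEPT with
# --limit 1/s).  "--limit 1" also omits the unit; iptables appears to take
# a bare number as per-second - confirm.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \
  --limit 1

# and forward chain default is block
iptables -A FORWARD -j block

# setup TOS values (mangle table, keyed on the source port of outgoing TCP)
iptables -A OUTPUT -t mangle -p tcp --sport telnet \
  -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --sport ssh \
  -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --sport ftp \
  -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --sport ftp-data \
  -j TOS --set-tos Maximize-Throughput
iptables -A OUTPUT -t mangle -p tcp --sport www \
  -j TOS --set-tos Maximize-Throughput
iptables -A OUTPUT -t mangle -p tcp --sport 161 \
  -j TOS --set-tos Maximize-Reliability
iptables -A OUTPUT -t mangle -p tcp --sport domain \
  -j TOS --set-tos Maximize-Reliability
iptables -A OUTPUT -t mangle -p tcp --sport smtp \
  -j TOS --set-tos Minimize-Cost

# NOTE(review): "done." is printed and 0 returned even if one of the
# iptables calls above failed; callers cannot tell a partial ruleset from
# a complete one from the exit status alone.
printf '%s\n' "done."
exit 0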