#!/bin/bash
#
# Copyright (C) 2002 Conectiva S.A.
# License: GPL
#
# Author: Andreas Hasenack <andreas@conectiva.com.br>
#
# Based on "firewall-standalone" by Roaring Penguin Software Inc.
# for the rp-pppoe package
#
# This simple "firewall" is for stand-alone machines, that is,
# no (masqueraded or not) network behind them
#

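# Interface to the internet.  Every other interface (lo included) is
# treated as fully trusted by the INPUT rules below, so a machine that
# also has a LAN NIC leaves that NIC open.
EXTIF=${EXTIF:-ppp+}

IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Rate cap for the LOG rules: a flood of dropped packets must not be able
# to fill the logs or starve syslog.  Packets over the cap are still
# dropped, just not logged.
LOG_LIMIT=${LOG_LIMIT:-5/min}
LOG_BURST=${LOG_BURST:-10}

# Abort on the first failed iptables call instead of silently ending up
# with a half-built ruleset.  Policies are set to DROP before anything
# else, so an abort is fail-closed: the box may be cut off, never exposed.
set -euo pipefail

warn() { printf 'firewall: %s\n' "$*" >&2; }

#######################################
# Load connection tracking plus the FTP/IRC helpers (so RELATED matches
# their data connections).  A missing module is reported, not fatal:
# "-m state" pulls in the core tracker on its own on current kernels,
# and a missing helper costs functionality, not safety.
#######################################
load_modules() {
  local mod
  for mod in ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
    /sbin/modprobe "$mod" || warn "could not load module $mod"
  done
}

#######################################
# Default-deny all three built-in chains *before* flushing, so there is
# no window in which the previous (possibly ACCEPT) policy applies with
# no rules in place.
#######################################
reset_filter_table() {
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -F
  "$IPTABLES" -X
}

#######################################
# Create a chain that logs (rate-limited) and then drops.
# Arguments: $1 - chain name, $2 - log prefix
#######################################
make_drop_chain() {
  local chain=$1 prefix=$2
  "$IPTABLES" -N "$chain"
  "$IPTABLES" -A "$chain" -m limit --limit "$LOG_LIMIT" \
    --limit-burst "$LOG_BURST" -j LOG --log-prefix "$prefix"
  "$IPTABLES" -A "$chain" -j DROP
}

#######################################
# Packets arriving on EXTIF with a private or loopback source address are
# spoofed: nothing carrying those addresses is routable over the internet.
# Requires the spoof_drop_log chain to exist.
#######################################
build_spoof_check() {
  local net
  "$IPTABLES" -N spoof_check
  for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8; do
    "$IPTABLES" -A spoof_check -s "$net" -j spoof_drop_log
  done
}

#######################################
# Wire the built-in chains: trust non-EXTIF traffic, spoof-check and then
# only admit replies on EXTIF, allow all sane outbound traffic.
#######################################
apply_rules() {
  # "! -i" is the negation form current iptables document; the glued
  # "-i !ppp+" spelling relied on older argument parsing.
  "$IPTABLES" -A INPUT ! -i "$EXTIF" -j ACCEPT
  "$IPTABLES" -A INPUT -i "$EXTIF" -j spoof_check
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -i "$EXTIF" -j drop_log
  # Outbound: everything conntrack can classify; only INVALID reaches
  # drop_log.
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  "$IPTABLES" -A OUTPUT -j drop_log
}

main() {
  load_modules
  reset_filter_table
  make_drop_chain drop_log "drop_log "
  make_drop_chain spoof_drop_log "spoof_drop_log "
  build_spoof_check
  apply_rules
}

main "$@"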
