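#!/bin/sh
#
# Simple stateful host firewall (IPv4 only).
#
# Usage: firewall {start|stop|restart}      (must run as root)
#
# Policy: drop every unsolicited inbound packet, allow all outbound traffic.
# Inbound is accepted only on the loopback device, for replies to
# connections this host initiated (conntrack ESTABLISHED/RELATED), for
# ICMP echo requests, and for new TCP connections to the ports listed in
# ALLOWED_TCP_PORTS arriving on the interfaces listed in INTERFACES.
# Everything else is logged (rate limited) and rejected.
#
# NOTE(review): only iptables (IPv4) is configured. If IPv6 is enabled on
# this host, ip6tables is left untouched and IPv6 traffic is unfiltered.
#
# Fixes relative to the previous version of this script:
#   - the service-port loop iterated over $INTERFACES but hard-coded
#     "-i eth0", so wlan0 never had 22/80/25 opened;
#   - "start_firewall()" / "stop_firewall()" in the case arms were
#     function-definition syntax, not calls, so the script did not run;
#   - "-d 255.255.255.255/0.0.0.255" used an inverted mask (it matched any
#     address ending in .255) - replaced by the addrtype BROADCAST match;
#   - unlimited "-j LOG" could fill the disk under a packet flood;
#   - the FORWARD chain policy was never set.

set -eu   # abort (fail closed) if any rule fails to install

# Interfaces on which the inbound service ports are opened (space separated).
INTERFACES="eth0 wlan0"

# TCP ports reachable from the outside on $INTERFACES:
#   22 ssh, 80 web, 25 smtp (mail)
ALLOWED_TCP_PORTS="22 80 25"

# Empty the filter, nat and mangle tables and set the chain policies.
# Arguments: $1 - policy for INPUT and FORWARD (DROP or ACCEPT);
#            OUTPUT is always ACCEPT.
reset_tables() {
  # Policy first, so there is never a moment where the chains are empty
  # *and* the policy is ACCEPT.
  iptables --policy INPUT "$1"
  iptables --policy FORWARD "$1"
  iptables --policy OUTPUT ACCEPT
  for tbl in filter nat mangle; do
    iptables -t "$tbl" --flush
    iptables -t "$tbl" --delete-chain
  done
}

# Install the ruleset described in the header comment.
start_firewall() {
  set -x   # trace each rule as it is installed

  # Connection tracking, plus the FTP helper so PASSIVE-mode FTP data
  # connections can be classified as RELATED. Newer kernels name the
  # modules nf_conntrack*, older ones ip_conntrack*; try both.
  modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
  modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
  # NOTE(review): since Linux 4.7 automatic conntrack helper assignment is
  # off by default (the sysctl was removed in 6.0), so loading the module
  # alone is not enough there; the helper has to be attached explicitly,
  # e.g.  iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
  # Add that rule if passive FTP from this host stops working.

  reset_tables DROP

  # Loopback is fully trusted.
  iptables -A INPUT -i lo -j ACCEPT

  # Replies to connections we initiated (TCP, and UDP such as DNS answers,
  # which conntrack also tracks) and RELATED traffic (ICMP errors, FTP data
  # connections when the helper is attached).
  # shellcheck disable=SC2086 -- word splitting of $INTERFACES is intended
  for ifc in $INTERFACES; do
    iptables -A INPUT -i "$ifc" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # Publicly reachable services, on every listed interface.
  # shellcheck disable=SC2086
  for ifc in $INTERFACES; do
    for port in $ALLOWED_TCP_PORTS; do
      iptables -A INPUT -i "$ifc" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
    done
  done

  # Let people ping us. Only echo-request needs to be accepted as NEW;
  # ICMP error messages are already accepted as RELATED above.
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  # Silently discard broadcast and multicast noise before the LOG rule,
  # otherwise Windows name-service chatter etc. swamps the log files.
  iptables -A INPUT -m addrtype --dst-type BROADCAST -j DROP
  iptables -A INPUT -d 224.0.0.0/4 -j DROP

  # Log what is left (rate limited so a flood cannot fill the disk), then
  # REJECT rather than DROP so a client hitting a closed port gets
  # "connection refused" immediately instead of waiting for a timeout.
  iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "fw-reject: "
  iptables -A INPUT -j REJECT

  set +x
}

# Remove every rule and open all chains (firewall off).
stop_firewall() {
  reset_tables ACCEPT
}

case "${1-}" in
  start)
    printf 'Starting firewall:'
    start_firewall
    printf ' done.\n'
    ;;
  stop)
    printf 'Stopping firewall:'
    stop_firewall
    printf ' done.\n'
    ;;
  restart)
    "$0" stop && "$0" start
    ;;
  *)
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac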