#!/bin/sh
# Firewall
# These are simple firewall rules that set up masquerading (NAT) for an internal network

# The settings
GREEN_NET=10.0.0.0/8   # internal ("green") network whose traffic is NATed out
DYNAMIC=yes            # yes -> MASQUERADE (WAN address may change); anything else -> SNAT
OPEN_PORTS=--all       # "--all" accepts EVERY inbound packet to this host (no INPUT
                       # filtering); otherwise a comma-separated TCP/UDP port list
                       # (names or numbers, at most 15 per multiport rule)
#OPEN_PORTS="ssh,domain,http,netbios-ns,netbios-dgm,netbios-ssn"

# That's all
# No need to change anything after this
# Absolute paths so the script does not depend on the caller's PATH.
IPT=/usr/sbin/iptables
MODPROBE=/sbin/modprobe

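## load modules
# Filtering, NAT and connection tracking, plus the FTP and IRC helpers the
# NAT relies on.  These are the old ip_* module names; newer kernels ship
# the same functionality as nf_conntrack*/nf_nat* and modprobe may report
# these names as unknown -- check lsmod if rules later fail to load.
# Failures are not checked, matching the original line-by-line calls.
firewall_load_modules()
{
  for mod in ip_tables iptable_filter iptable_nat ip_nat_ftp ip_nat_irc \
             ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
    $MODPROBE "$mod"
  done
}
firewall_load_modules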

firewall_disable_forwarding()
{
  # Switch IPv4 routing off in the kernel: packets are no longer passed
  # between interfaces until a 1 is written back.
  printf '0\n' > /proc/sys/net/ipv4/ip_forward
}

firewall_enable_forwarding()
{
  # Switch IPv4 routing on; the FORWARD chain policy and rules decide
  # which routed packets actually pass.
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}

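firewall_clear()
{
  ## Clear all rules
  # Flush the filter, nat and mangle tables, then delete user-defined
  # chains in each of them (the original only ran -X on filter, so chains
  # created in nat/mangle would have survived).  Chain policies are NOT
  # touched by -F/-X; whatever policy was last set stays in effect.
  $IPT -F
  $IPT -F -t nat
  $IPT -F -t mangle
  $IPT -X
  $IPT -X -t nat
  $IPT -X -t mangle
}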

firewall_default()
{
  # Policies applied when no rule matches: inbound and transit traffic
  # is dropped, the host's own outbound traffic is allowed.
  for chain in INPUT FORWARD; do
    $IPT -P "$chain" DROP
  done
  $IPT -P OUTPUT ACCEPT
}

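firewall_redirect()
{
  # Static 1:1 NAT for a single internal host.  The defaults are the
  # addresses that were hard-coded originally; set REDIRECT_WAN_IF,
  # REDIRECT_INTERNAL_IP and REDIRECT_PUBLIC_IP in the environment to
  # override them.  The SNAT rule is appended before the masquerading
  # rule, so this host leaves with its own public address.
  # NOTE(review): the DNAT and the FORWARD accept carry no port or
  # protocol restriction, so every service on the internal host is
  # reachable from the WAN side -- narrow them (-p/--dport) if only a few
  # services are meant to be public.
  # "-d ! net" is the old intrapositioned negation; newer iptables warn
  # that "! -d net" is the preferred spelling.
  $IPT -t nat -A POSTROUTING -o "${REDIRECT_WAN_IF:-eth0}" \
       -s "${REDIRECT_INTERNAL_IP:-10.0.0.101}" -d ! "${GREEN_NET:-10.0.0.0/8}" \
       -j SNAT --to-source "${REDIRECT_PUBLIC_IP:-134.115.124.63}"
  $IPT -t nat -A PREROUTING -i "${REDIRECT_WAN_IF:-eth0}" \
       -d "${REDIRECT_PUBLIC_IP:-134.115.124.63}" \
       -j DNAT --to-destination "${REDIRECT_INTERNAL_IP:-10.0.0.101}"
  $IPT -A FORWARD -i "${REDIRECT_WAN_IF:-eth0}" \
       -d "${REDIRECT_INTERNAL_IP:-10.0.0.101}" -j ACCEPT
}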

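firewall_masquerade()
{

  #--------------------------------
  # Masquerading: rewrite the source of traffic that leaves the green
  # network for any destination outside it.
  if [ "$DYNAMIC" = "yes" ]; then
    # MASQUERADE uses the outgoing interface's current address, so it
    # keeps working when the WAN address changes.
    $IPT -t nat -A POSTROUTING -s "$GREEN_NET" -d ! "$GREEN_NET" -j MASQUERADE
  else
    # SNAT requires an explicit address; the original rule had no
    # --to-source, which iptables rejects, so the static path never
    # worked.  Require STATIC_IP and stop with a message if it is unset.
    $IPT -t nat -A POSTROUTING -s "$GREEN_NET" -d ! "$GREEN_NET" \
         -j SNAT --to-source "${STATIC_IP:?set STATIC_IP to the fixed WAN address when DYNAMIC is not yes}"
  fi

  # Transit: anything originating in the green network may leave, only
  # replies to those flows may come back in.
  # NOTE(review): the first rule does not check the ingress interface,
  # so a WAN-side packet with a forged green source address also matches;
  # adding -i <LAN interface> would close that.
  $IPT -A FORWARD -s "$GREEN_NET" -j ACCEPT
  $IPT -A FORWARD -d "$GREEN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
}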



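firewall_open()
{
  # INPUT rules.  OPEN_PORTS="--all" disables inbound filtering for this
  # host entirely; otherwise only loopback, replies to the host's own
  # connections and the listed TCP/UDP ports are accepted.
  # "==" is a bash extension: under /bin/sh (dash) the test fails with
  # "unexpected operator", the else branch runs with "--dports --all",
  # iptables rejects it, and INPUT is left at policy DROP with no accept
  # rule at all.  POSIX "=" is used instead.
  if [ "$OPEN_PORTS" = "--all" ]; then
    $IPT -A INPUT -j ACCEPT
  else
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # multiport takes at most 15 ports per rule; names resolve via /etc/services.
    $IPT -A INPUT -p tcp -m multiport --dports "$OPEN_PORTS" -j ACCEPT
    $IPT -A INPUT -p udp -m multiport --dports "$OPEN_PORTS" -j ACCEPT
    # NOTE(review): no ICMP is accepted in this branch (no inbound ping,
    # no path-MTU feedback for new flows); add a rate-limited icmp rule
    # if that is needed.
  fi
}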


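firewall_start() {
  echo "Starting firewall ..."
  # Stop routing while the tables are rebuilt so nothing transits a
  # half-built ruleset.
  firewall_disable_forwarding
  # Set the DROP policies BEFORE flushing: on a box whose policies are
  # still the kernel default ACCEPT, flushing first opens a short window
  # in which every inbound packet is accepted.
  firewall_default
  firewall_clear

  # Order matters: the 1:1 NAT rules are appended ahead of the general
  # masquerade rule so the redirected host keeps its own public address.
  firewall_redirect
  firewall_masquerade
  firewall_open

  firewall_enable_forwarding
}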

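firewall_stop()
{
  echo "Stopping firewall ..."
  # Flushing alone leaves the DROP policies set by firewall_default in
  # place with no accept rules, i.e. the host becomes unreachable after a
  # "stop".  Here "stop" means no filtering at all: routing off, tables
  # flushed, chain policies back to the kernel default ACCEPT.
  firewall_disable_forwarding
  firewall_clear
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
}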

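# Print the accepted commands on stderr and exit with status 2.
usage()
{
  printf 'Usage: %s {start|stop|restart}\n' "${0##*/}" >&2
  exit 2
}

# Dispatch on the first argument.  No argument keeps the historical
# behaviour of starting; anything else that is not a known command is
# refused instead of silently (re)starting the firewall as before.
main()
{
  case "$1" in
    ''|'start')
      firewall_start
      ;;
    'stop')
      firewall_stop
      ;;
    'restart')
      # firewall_start already disables routing, flushes and rebuilds the
      # tables, so it is a complete restart by itself; a stop/sleep/start
      # sequence only adds a gap in which the tables sit flushed.
      firewall_start
      ;;
    *)
      usage
      ;;
  esac
}

main "$@"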

