# Chains this rule file populates; presumably read by whatever sources
# this file (the framework itself is not shown here).
CHAINS='FORWARD INPUT OUTPUT'

# TCP
ipv4_in_allow_tcp()
{
	# Accept new inbound TCP sessions on INPUT.  Rules are appended in
	# list order, so this list is first-match just like the chain.
	# 111 (portmapper) and 515 (lpd) are accepted on every interface
	# except lec0 -- presumably the external one; not stated in this file.
	# "-i ! lec0" is the old intrapositioned negation; newer iptables warn
	# and spell it "! -i lec0" -- check the installed version.
	# Disabled ports kept for reference (were commented out):
	#   23 37 53 79 80 109 110 119 123 137:139 143 177 220
	for tcp_port in 20:21 22 25 111 113 515 873 2121
	do
		case $tcp_port in
			111|515) in_if='-i ! lec0' ;;
			*)       in_if= ;;
		esac
		$iptables -A INPUT $in_if -p tcp -m state --state NEW --dport $tcp_port -j SAFEACCEPT
	done
}

# UDP
ipv4_in_allow_udp()
{
	# Accept new inbound UDP on INPUT.  Only the portmapper (111) is open,
	# and only on interfaces other than lec0.  Note the plain ACCEPT here
	# versus SAFEACCEPT for the TCP list.
	# Disabled ports kept for reference (were commented out):
	#   37 53 67 68 69 123 137:139 161:162 177 513 514 517:518
	udp_port=111
	$iptables -A INPUT -i ! lec0 -p udp -m state --state NEW --dport $udp_port -j ACCEPT
}

ipv4_in_drop_udp()
{
	# Explicit DROP for new UDP to 67:68 (dhcp), 137:139 (netbios) and
	# 513 (who).  Presumably so this broadcast-heavy traffic never reaches
	# the chain's catch-all (SAFEDROP in ipv4_filter_INPUT_rules) -- the
	# intent is not stated in the file.
	for udp_port in 67:68 137:139 513
	do
		$iptables -A INPUT -p udp -m state --state NEW --dport $udp_port -j DROP
	done
}

# Allow RPC for internal net only (BTW awk rocks)
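ipv4_in_allow_rpc()
{
	# Open every service the local portmapper currently advertises, on all
	# interfaces except lec0.  Best effort: when rpcinfo cannot reach the
	# portmapper nothing is added and the function still succeeds.
	#
	# rpcinfo -p prints "program vers proto port service".  Sort by port
	# (field 4) and collapse rows that repeat the same proto/port/service
	# (uniq -f 2), giving one rule per listening socket instead of one per
	# RPC version.  The obsolete 'sort -n +3' spelling is rejected by
	# current GNU sort, hence the -k form.
	#
	# Uses $iptables like the rest of this file (was a literal "iptables"),
	# falling back to the name in PATH when it is unset.  TCP goes to
	# SAFEACCEPT and UDP to plain ACCEPT, matching ipv4_in_allow_tcp/udp.
	if rpcinfo -p localhost >/dev/null 2>&1 ; then
		rpcinfo -p localhost | sort -k 4n | uniq -f 2 | \
		awk -v ipt="${iptables:-iptables}" '
			# The portmapper itself (111) is handled by ipv4_in_allow_tcp/udp.
			# Only rows whose port field is purely numeric become commands,
			# because that field is spliced into a shell command line.
			!/portmap/ && $4 ~ /^[0-9]+$/ && $3 == "tcp" {
				system(ipt " -A INPUT -i ! lec0 -p tcp -m state --state NEW --dport " $4 " -j SAFEACCEPT")
			}
			!/portmap/ && $4 ~ /^[0-9]+$/ && $3 == "udp" {
				system(ipt " -A INPUT -i ! lec0 -p udp -m state --state NEW --dport " $4 " -j ACCEPT")
			}'
	fi
}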

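ipv4_filter_FORWARD_rules()
{
	# Intentionally adds no FORWARD rules; the chain's policy (set by the
	# caller, not visible here) decides.  The ':' is required: an empty
	# '{ }' body is a syntax error in POSIX sh and bash, which would make
	# the whole file fail to source.
	:
}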

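ipv4_filter_INPUT_rules()
{
	# The intended INPUT rule set is kept below but fully commented out, so
	# this function currently installs nothing and INPUT is governed by its
	# policy alone.  The ':' is required: a body with only comments is a
	# syntax error in POSIX sh and bash, which would make the whole file
	# fail to source.
	#
	# Before re-enabling: ICMP, SCAN, SAFEACCEPT and SAFEDROP are custom
	# chains defined elsewhere, and "-m psd" needs the psd match from
	# xtables-addons (not stock iptables) -- verify both are present.
	:
#	# INPUT
#	# Check if someone is not scanning us first:
#	$iptables -A INPUT -p icmp -j ICMP
#	$iptables -A INPUT -m psd -j SCAN
#
#	ipv4_in_allow_tcp
#	ipv4_in_allow_udp
#	ipv4_in_drop_udp
#	ipv4_in_allow_rpc
#
#	$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#	# Block everything else
#	$iptables -A INPUT -m state --state NEW -j SAFEDROP
}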

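ipv4_filter_OUTPUT_rules()
{
	# Intentionally adds no OUTPUT rules; the chain's policy (set by the
	# caller, not visible here) decides.  The ':' is required: an empty
	# '{ }' body is a syntax error in POSIX sh and bash, which would make
	# the whole file fail to source.
	:
}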

# This must be last line !
# vi:syntax=sh:tw=78:ts=8:sw=4
