# Chains this rule file knows about; presumably the caller uses the list
# to invoke the matching ipv4_filter_<CHAIN>_rules() hooks defined below.
CHAINS='FORWARD INPUT OUTPUT'

# Interface that faces the untrusted network.  The "internal only" rules
# in this file are expressed by negating this interface, so every OTHER
# interface is implicitly trusted: if eth0 is not the real external
# interface, those "internal only" accepts become reachable from outside.
OUTSIDE_IF='eth0'

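# TCP
#
# Accept NEW inbound TCP connections to the services enabled below.
# Globals read: iptables (command to run), OUTSIDE_IF (external interface).
# Every active rule except the 515 one matches on ALL interfaces, so an
# uncommented port here is reachable from $OUTSIDE_IF as well.
ipv4_in_allow_tcp()
{
	# FTP control/data (20:21), SSH (22), SMTP (25)
	$iptables -A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT
	$iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
	$iptables -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 37 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 79 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 109 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 110 -j ACCEPT
	# ident (113)
	$iptables -A INPUT -p tcp -m state --state NEW --dport 113 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 119 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 123 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 137:139 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 143 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 177 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 220 -j ACCEPT
	# LPD (515): internal interfaces only.  Extrapositioned negation
	# ("! -i") replaces the intrapositioned "-i !" form, which iptables
	# has deprecated and current releases accept only with a warning.
	$iptables -A INPUT ! -i "$OUTSIDE_IF" -p tcp -m state --state NEW --dport 515 -j ACCEPT
	# rsync (873) and 2121, accepted on every interface.
	# NOTE(review): FTP (20:21), rsyncd (873) and 2121 are reachable from
	# $OUTSIDE_IF as written; confirm they are meant to be exposed, and
	# add "! -i $OUTSIDE_IF" as for 515 if they are LAN-only services.
	$iptables -A INPUT -p tcp -m state --state NEW --dport 873 -j ACCEPT
	$iptables -A INPUT -p tcp -m state --state NEW --dport 2121 -j ACCEPT
}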

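# UDP
#
# Accept NEW inbound UDP to the services enabled below.  Every entry is
# currently commented out, so this installs no rules.  The ":" no-op is
# required: sh/bash reject a function whose body holds only comments.
# Globals read: iptables (command to run).
ipv4_in_allow_udp()
{
	:
#	$iptables -A INPUT -p udp -m state --state NEW --dport 37 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 67 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 68 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 69 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 123 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 161:162 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 177 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 513 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 514 -j ACCEPT
	# Rules are appended in call order, so an entry enabled here for
	# 67:68, 137:139 or 513 wins over the DROP in ipv4_in_drop_udp when
	# this function is called first.  Any port enabled here matches on
	# every interface, including $OUTSIDE_IF.
}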

# Drop NEW inbound UDP to DHCP (67:68), NetBIOS (137:139) and rwho (513)
# without further processing.  Presumably this keeps LAN broadcast
# chatter away from the logging catch-all rule that the INPUT template
# ends with -- confirm against the LDROP chain.
# Globals read: iptables (command to run).
ipv4_in_drop_udp()
{
	local noisy

	for noisy in 67:68 137:139 513 ; do
		$iptables -A INPUT -p udp -m state --state NEW --dport "$noisy" -j DROP
	done
}

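# Allow RPC for internal net only
#
# Ask the local portmapper which RPC services are registered and accept
# NEW connections to each of their ports, but only on interfaces other
# than $OUTSIDE_IF.  Installs nothing when rpcinfo is missing or lists
# nothing (its stderr is deliberately discarded).
# Globals read: iptables (command to run), OUTSIDE_IF.
ipv4_in_allow_rpc()
{
	local prog ver proto port name

	# "rpcinfo -p" prints "program vers proto port service".  Sort by
	# port (field 4 to end of line) so that several versions of the same
	# program on one proto/port become adjacent and collapse under
	# "uniq -f 2".  "-k 4" is the modern spelling of the obsolete "+3"
	# key syntax, which current GNU sort no longer accepts (it is taken
	# for a file name, the pipeline fails and no RPC rule is installed).
	rpcinfo -p localhost 2>/dev/null | sort -n -k 4 | uniq -f 2 | \
	while read -r prog ver proto port name ; do
		[ -z "$name" ] && continue
		# Skip the header line and anything that is not a plain port
		# number instead of handing a bad --dport to iptables.
		case $port in
			''|*[!0-9]*) continue ;;
		esac
		case $proto in
			tcp|udp)
				# Same rule for both transports; "! -i" is the
				# non-deprecated form of interface negation.
				$iptables -A INPUT ! -i "$OUTSIDE_IF" -p "$proto" -m state --state NEW --dport "$port" -j ACCEPT
				;;
		esac
	done
}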

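# Hook for the FORWARD chain.  No rules are installed, so forwarded
# traffic is governed solely by the chain's default policy, which is set
# outside this file.  The ":" no-op is required: sh/bash reject a
# function with an empty body.
ipv4_filter_FORWARD_rules()
{
	:
}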

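# Hook for the INPUT chain.  Everything below is a commented-out
# template, so as shipped this installs NO INPUT rules: whether the host
# accepts or drops unsolicited inbound traffic is decided entirely by the
# chain's default policy, set outside this file.  The ":" no-op is
# required: sh/bash reject a function whose body holds only comments.
ipv4_filter_INPUT_rules()
{
	:
#	# INPUT
#	# Selective LOG/DROP/ACCEPT for ICMP
#	$iptables -A INPUT -p icmp -j ICMP
#	# Check if someone is not scanning us first:
#	$iptables -A INPUT -m psd -j SCAN
#
#	ipv4_in_allow_tcp
#	ipv4_in_allow_udp
#	ipv4_in_drop_udp
#	ipv4_in_allow_rpc
#
#	$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#	# Block everything else
#	$iptables -A INPUT -m state --state NEW -j LDROP
	# Before enabling the template: ICMP, SCAN and LDROP are user-defined
	# chains that must already exist (presumably created elsewhere) or
	# the -A calls fail; "-m psd" needs the psd match extension; and the
	# last rule only catches NEW, so packets conntrack marks INVALID fall
	# through to the chain policy -- add "-m state --state INVALID -j DROP"
	# (or run the chain with policy DROP) if they must be discarded too.
}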

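# Hook for the OUTPUT chain.  No rules are installed, so locally
# generated traffic is governed solely by the chain's default policy,
# which is set outside this file.  The ":" no-op is required: sh/bash
# reject a function with an empty body.
ipv4_filter_OUTPUT_rules()
{
	:
}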

# The vi modeline below must stay the last line of this file!
# vi:syntax=sh:tw=78:ts=8:sw=4
