#!/bin/bash


if [ "$DOIT" != "1" ]; then
  echo "dry run : $0"
  exit
fi

  echo "executing : $0"

DIR=/ips
  
if [ "$IPTABLES" = "" ]; then
  IPTABLES=/ips/iptables
fi


ICMPIN="0 3 8 11"
ICMPOUT="8 3 11"

I=$OURIP

#  accepted icmp :  icmp_type IT -> box
for J in $ICMPIN ; do
$IPTABLES -A INPUT  -p icmp -i $ANYDEV -d $I  --icmp-type $J -j ACCEPT
done

# windo ... 
$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 135 -j DROP
$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 137 -j DROP
$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 138 -j DROP
$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 139 -j DROP
$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 445 -j DROP



# dnat example : $IPTABLES -A PREROUTING -t nat -p tcp -d $OURIP --destination-port 21 -j DNAT --to-destination 192.168.0.102:21

#  .box .cli .ser 

# box's dns  
#$IPTABLES -A INPUT -p udp --source-port 53 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --source-port 53 -j ACCEPT

# box's cups 
#$IPTABLES -A INPUT -p tcp -s 127.0.0.1  --destination-port 631 -j ACCEPT

# box's ftp
#$IPTABLES -A INPUT -p tcp --source-port 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --source-port 21 -j ACCEPT

# access from the world to the box 
#$IPTABLES -A INPUT -i $ANYDEV -s 200.0.0.199 -j ACCEPT

# ftp active mode from the box to the world
#$IPTABLES -A INPUT -i $ANYDEV -s 213.25.173.135 -j ACCEPT

# box's vnc
#$IPTABLES -A INPUT -i $ANYDEV -d $OURIP -p tcp --source-port 5900:5934 -j ACCEPT



###    box as client    ip:sport IT -> box

# only temporary
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --source-port 0:65535 -j ACCEPT
# ports 0:1024 - the line below protects the router

# default : should be in /ips/box/cli
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --source-port 0:1024 -j ACCEPT

# !!!!! don't uncomment the line below
#  !!!  until additional protection on -dports 0:65535 is available
#   !   else the router is under the fire
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --source-port 0:65535 -j ACCEPT

# extra ssh client
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --source-port 10022 -j ACCEPT
#   mysql  client
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --source-port 3306 -j ACCEPT
# tfsd  client 
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --source-port 6717 -j ACCEPT
# trexd  client since 17.0.3.2007 dynamic
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --source-port 6617 -j ACCEPT



###  box as server   IT -> box ip:dport

# as ssh server
# for all $IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 22 -j ACCEPT
# only for ip 212.244.167.130 
#$IPTABLES -A INPUT -i $ANYDEV -s 212.244.167.130 -d $I -p tcp --destination-port 22 -j ACCEPT
# as www server
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 80 -j ACCEPT
# as auth server
#$IPTABLES -A INPUT -i $ANYDEV -d $I -p tcp --destination-port 113 -j ACCEPT


