#!/bin/bash
#
# Installs the iptables rules for one firewall host: per-interface rate
# limits (SYN, echo-request, UDP), a per-service allow-list for forwarded
# TCP/UDP/ICMP, anti-smurf and anti-spoofing drops, and optional global
# connection/rate limits.  All settings come from the environment; the
# script only acts when DOIT=1 (otherwise it prints "dry run" and exits).
#
# Environment read here (meanings inferred from usage; nothing in this
# file documents them):
#   IPTABLES                 command used for every rule
#   ANYDEV, OURDEV, LANDEV   interface names (ANYDEV and OURDEV are
#                            treated as whitespace-separated lists below)
#   OURNET                   our network(s) in CIDR form, whitespace-separated
#   OURIP, OURIP2            only their word count matters, see "defence"
#   WAN_SYN_FLO, WAN_PIN_DEA, WAN_LIM_UDP   per-second limits on ANYDEV
#   LAN_SYN_FLO, LAN_PIN_DEA, LAN_LIM_UDP   per-second limits on OURDEV/LANDEV
#   TOTAL_LIMITS, CONNLIMIT_IN/OUT, LIMIT_IN/OUT, LIMIU_IN/OUT   global limits
#
# Rate-limiting technique used throughout: in the mangle table, packets
# under the limit get TOS 4 (0x04, maximize-reliability); the filter table
# then drops every matching packet that is NOT carrying TOS 4.  The mangle
# INPUT/FORWARD chains are traversed before the filter ones, so the mark is
# visible to the drop rule.
# NOTE(review): a packet that already arrives with TOS 4 satisfies
# "! --tos 4" regardless of the limit, so the limiter only constrains
# traffic whose TOS is not already 4.  Clearing TOS on ingress (mangle
# PREROUTING) or using -j MARK / -m mark instead would close that gap.
# NOTE(review): no --limit-burst is given, so the limit module's default
# burst of 5 applies on top of the configured per-second rate.
# NOTE(review): expansions are deliberately left unquoted so that the list
# variables word-split; a single value containing spaces would break.


# Working copies of the lists.  OURNET and OURDEV are copied because the
# loops further down reuse those names as loop variables.
ANYDEVS="$ANYDEV"
OURNETS=$OURNET
OURDEVS=$OURDEV


#echo $OURNETS $OURDEVS ; exit

# Safety switch: nothing is changed unless DOIT=1.
if [ "$DOIT" != "1" ]; then
  echo "dry run : $0"
  exit
fi

  echo "executing : $0"


# allowed incoming / outgoing  TCP services 
# (comma-separated, -m multiport syntax; service names are resolved by iptables)
TCPIN="smtp,www,ssh"
#TCPOUT="smtp,www,ssh,ftp,ftp-data,irc"
TCPOUT="smtp,www,ssh"

# allowed incoming / outgoing  UDP services 
# NOTE(review): UDPIN is never referenced in this script; both UDP rules
# in the OURDEVS loop use UDPOUT (same value today) — confirm the intent.
UDPIN="domain"
UDPOUT="domain"

# NOTE(review): AUTHIN/AUTHOUT are not referenced anywhere in this script;
# presumably consumed by a companion script — verify before removing.
AUTHIN="auth"
AUTHOUT="auth"

# allowed incoming / outgoing ICMP messages (numeric types)
# look at /usr/include/netinet/ip_icmp.h for names associated with numbers
# 0 = echo-reply, 3 = destination-unreachable, 8 = echo-request, 11 = time-exceeded
ICMPIN="0 3 11"
#ICMPIN="0 8 3 11"
ICMPOUT="8 3 11"


# against smurf : block ICMP messages coming in our inner net broadcast address
# below $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURBCAST -j DROP



# Per-interface limits on the outside interfaces.  Each limit is installed
# only when its variable is non-empty.
for DEV in $ANYDEVS; do

# against syn-flood : at most $WAN_SYN_FLO SYN packets per second on $DEV
 #B=$[ WAN_SYN_FLO + 5 ]
 if [ "$WAN_SYN_FLO" != "" ]; then
   $IPTABLES -I INPUT -p tcp --syn -i $DEV -m tos ! --tos 4 -j DROP
   $IPTABLES -I INPUT -t mangle -p tcp --syn -i $DEV -m limit --limit $WAN_SYN_FLO/s -j TOS --set-tos 4
 fi

# against ping of death : at most $WAN_PIN_DEA echo-requests per second on $DEV
 #B=$[ WAN_PIN_DEA + 5 ]
 if [ "$WAN_PIN_DEA" != "" ]; then
   $IPTABLES -I INPUT -p icmp --icmp-type echo-request -i $DEV -m tos ! --tos 4 -j DROP
   $IPTABLES -I INPUT -t mangle -p icmp --icmp-type echo-request -i $DEV -m limit --limit $WAN_PIN_DEA/s -j TOS --set-tos 4
 fi

# at most $WAN_LIM_UDP UDP packets per second on $DEV
 if [ "$WAN_LIM_UDP" != "" ]; then
   $IPTABLES -I INPUT -p udp -i $DEV -m tos ! --tos 4 -j DROP
   $IPTABLES -I INPUT -t mangle -p udp -i $DEV -m limit --limit $WAN_LIM_UDP/s -j TOS --set-tos 4
 fi

done

# Same three limits for the inner interfaces (OURDEV and LANDEV).
# against syn-flood
if [ "$LAN_SYN_FLO" != "" ]; then
  #B=$[ LAN_SYN_FLO + 5 ]
  for DEV in $OURDEV $LANDEV; do 
     $IPTABLES -I INPUT -p tcp --syn -i $DEV -m tos ! --tos 4 -j DROP
     $IPTABLES -I INPUT -t mangle -p tcp --syn -i $DEV -m limit --limit $LAN_SYN_FLO/s -j TOS --set-tos 4
  done
fi

# against ping of death
if [ "$LAN_PIN_DEA" != "" ]; then
  #B=$[ LAN_PIN_DEA + 5 ]
  for DEV in $OURDEV $LANDEV; do 
     $IPTABLES -I INPUT -p icmp --icmp-type echo-request -i $DEV -m tos ! --tos 4 -j DROP
     $IPTABLES -I INPUT -t mangle -p icmp --icmp-type echo-request -i $DEV -m limit --limit $LAN_PIN_DEA/s -j TOS --set-tos 4
  done
fi

if [ "$LAN_LIM_UDP" != "" ]; then
  for DEV in $OURDEV $LANDEV; do 
     $IPTABLES -I INPUT -p udp -i $DEV -m tos ! --tos 4 -j DROP
     $IPTABLES -I INPUT -t mangle -p udp -i $DEV -m limit --limit $LAN_LIM_UDP/s -j TOS --set-tos 4
  done 
fi


# accept fragmented packets 
# -f matches the second and further fragments, which carry no TCP/UDP
# header, so none of the port-based rules below could match them anyway.
# NOTE(review): this accepts every such fragment in FORWARD unconditionally,
# ahead of all rules below.  With connection tracking loaded, packets are
# normally reassembled before the filter table sees them, so this rule may
# no longer be needed — confirm on the target kernel.
$IPTABLES -A FORWARD -f -j ACCEPT
#$IPTABLES -A INPUT -f -j ACCEPT

# TCP : forwarded traffic to our nets on the TCPIN ports, and replies from
# our nets with those source ports.  "! --tcp-flags SYN,ACK ACK" looks at
# the SYN and ACK bits only and matches everything except a plain ACK.
# NOTE(review): these rules key on ports, not on connection state; no
# -m state rule appears in this script — presumably installed elsewhere,
# verify.
for OURNET in $OURNETS; do
    $IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --destination-port $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
    $IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --source-port $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
done

# Traffic entering from our inner interfaces: UDP to/from the UDPOUT
# ports, new TCP connections (--syn) to the TCPOUT ports, and the ICMPOUT
# types.
for OURDEV in $OURDEVS; do
    $IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV --destination-port $UDPOUT -j ACCEPT
    $IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV --source-port $UDPOUT -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -i $OURDEV -m multiport --destination-port $TCPOUT --syn -j ACCEPT

    for I in $ICMPOUT ; do
	$IPTABLES -A FORWARD  -p icmp -i $OURDEV --icmp-type $I -j ACCEPT
    done
done


### defence 

# NOTE(review): the outer loop variable I is never used in the body and is
# overwritten by the inner "for I in $ICMPIN" loop, so this whole block
# runs once per word in "$OURIP $OURIP2": the -I rules below are inserted
# that many times over, and not at all when both variables are empty.
# Presumably the body was meant to use the IP; confirm the intent before
# simplifying this to a single pass.
for I in $OURIP $OURIP2; do 

 for OURNET in $OURNETS; do

# against smurf : block ICMP messages coming in our inner net broadcast address
# BCAST = first three dotted octets of the network address + ".255",
# i.e. every OURNET is assumed to be a /24.
# NOTE(review): -i uses $ANYDEV as given, not one interface at a time as
# the loop at the top does; if ANYDEV ever lists more than one interface
# this becomes an invalid -i argument.
    BCAST="`echo $OURNET | cut -f1-1 -d "/" | cut -f1-3 -d "."`.255"
    $IPTABLES -I FORWARD -p icmp -i $ANYDEV -d $BCAST -j DROP
    $IPTABLES -I INPUT -p icmp -i $ANYDEV -d $BCAST -j DROP

# against spoofing : drop all packets incoming from outside with our source address
    $IPTABLES -I FORWARD -s $OURNET -i $ANYDEV -j DROP
    $IPTABLES -I INPUT -s $OURNET -i $ANYDEV -j DROP


# allowed ICMP types from outside to our nets; appended (-A), so these are
# evaluated after the inserted (-I) drops above.
    for I in $ICMPIN ; do
	$IPTABLES -A FORWARD  -p icmp -i $ANYDEV -d $OURNET  --icmp-type $I -j ACCEPT
    done

 done

done


# Optional global limits on forwarded traffic, per outside interface.
if [ "$TOTAL_LIMITS" = "1" ]; then
# these rules are redundant, packets go through the default route interface
 for DEV in $ANYDEVS; do

    # connlimit : reject new TCP connections once the count of existing
    # connections (per source address by default) exceeds $CON,
    # outbound (-o) and inbound (-i) separately.
    CON=${CONNLIMIT_OUT}
    if [ "$CON" != "" ]; then
	$IPTABLES -I FORWARD -p tcp --syn -o $DEV -m connlimit --connlimit-above $CON -j REJECT
    fi

    CON=${CONNLIMIT_IN}
    if [ "$CON" != "" ]; then
	 $IPTABLES -I FORWARD -p tcp --syn -i $DEV -m connlimit --connlimit-above $CON -j REJECT
    fi



    # LIMIT_* : TCP SYN rate limit on FORWARD, same TOS technique as above.
    LIM=${LIMIT_OUT}
    if [ "$LIM" != "" ]; then
        $IPTABLES -I FORWARD -p tcp --syn -o $DEV -m tos ! --tos 4 -j DROP
        $IPTABLES -I FORWARD -t mangle -p tcp --syn -o $DEV -m limit --limit $LIM/s -j TOS --set-tos 4
    fi

    LIM=${LIMIT_IN}
    if [ "$LIM" != "" ]; then
        $IPTABLES -I FORWARD -p tcp --syn -i $DEV -m tos ! --tos 4 -j DROP
        $IPTABLES -I FORWARD -t mangle -p tcp --syn -i $DEV -m limit --limit $LIM/s -j TOS --set-tos 4
    fi

    # LIMIU_* : UDP counterpart of LIMIT_* (variable names taken from the
    # environment as-is; "LIMIU" presumably means "limit UDP").
    LIM=${LIMIU_OUT}
    if [ "$LIM" != "" ]; then
        $IPTABLES -I FORWARD -p udp -o $DEV -m tos ! --tos 4 -j DROP
        $IPTABLES -I FORWARD -t mangle -p udp -o $DEV -m limit --limit $LIM/s -j TOS --set-tos 4
    fi

    LIM=${LIMIU_IN}
    if [ "$LIM" != "" ]; then
	$IPTABLES -I FORWARD -p udp -i $DEV -m tos ! --tos 4 -j DROP
        $IPTABLES -I FORWARD -t mangle -p udp -i $DEV -m limit --limit $LIM/s -j TOS --set-tos 4
    fi

 done
 
fi

