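#!/bin/bash
#
# Autor       : Karsten Kruse
# Website     : http://www.tecneeq.de/
# Lizens      : GPL v2 or higher
# Name        : /etc/init.d/minifire
# Symlink     : /sbin/rcminifire
# Beschreibung: Startscript fuer eine Minifirewall mit Masquerading-Support
#               basierend auf Ip-Tables
#
### BEGIN INIT INFO
# Provides:       Minifirewall
# Required-Start: syslog network
# Required-Stop:
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Description:    Start Ip-Tables to allow Masquerading and provide a Firewall.
### END INIT INFO
#
# Usage: /etc/init.d/minifire {start|stop|status|restart}
#
# All settings come from /etc/minifire.conf, which is *sourced* (executed as
# shell code with root privileges), so it must be owned by root and must not
# be writable by anyone else.  Required settings: VERSIONCONF, IPTABLES and
# (for "start") DIAL_OUT.  Switches are "ja"/"nein"; an unset switch counts
# as "nein".  Port lists (ALLOW_TCP, ALLOW_UDP, REJECT_TCP, REJECT_UDP) are
# whitespace separated; port forwards are PORTFORWARD_[N]="PROTO PORT ZIEL-IP"
# for N = 1..MAX_FORWARDINGS.
#
# The script never sets chain policies.  The kernel default is ACCEPT, so
# after "stop" (or before "start") the host is unfiltered, and while the
# rules are loaded FORWARD is accepted wholesale; the "block" chain protects
# INPUT only.

base=${0##*/}
link=${base#*[SK][0-9][0-9]}   # LSB skeleton: rc link name; currently unused

# LSB Return-values
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running

readonly CONF=/etc/minifire.conf

# Read the conf
if [ -f "$CONF" ]; then
  . "$CONF"
else
  echo "ERROR: /etc/minifire.conf nicht gefunden." >&2
  echo "ERROR: Ich beende." >&2
  exit 1
fi

VERSION="0.6a"
# Both sides are quoted so that an unset VERSIONCONF is a mismatch instead of
# a "[" syntax error that evaluates to false and lets the script continue
# with an incompatible config.
if [ "$VERSION" != "$VERSIONCONF" ]; then
  echo "ERROR: Die Version $VERSIONCONF der /etc/minifire.conf" >&2
  echo "       passt nicht zu Version $VERSION der minifire." >&2
  echo "ERROR: Ich beende." >&2
  exit 1
fi

# Every action needs the iptables binary; with IPTABLES unset the original
# would have tried to run "-F" as a command.  6 = not configured (LSB).
if [ -z "$IPTABLES" ]; then
  echo "ERROR: IPTABLES ist in $CONF nicht gesetzt." >&2
  exit 6
fi

# $IPTABLES and $MODPROBE are expanded unquoted on purpose: the config may
# carry options together with the binary (e.g. "iptables -w").
MODPROBE=${MODPROBE:-modprobe}

# Funktionen

# is_ja VALUE — true when a ja/nein config switch is set to "ja".
is_ja() {
  [ "$1" = ja ]
}

# write_proc VALUE FILE... — write VALUE into each FILE that exists.  An
# unmatched /proc glob (a kernel without that knob) is skipped instead of
# producing an error for the literal pattern; this is best-effort by design.
write_proc() {
  local value=$1 f
  shift
  for f in "$@"; do
    [ -e "$f" ] || continue
    echo "$value" > "$f"
  done
}

# flush_chains — remove all rules and user chains this script may have added.
# Both tables are flushed: flushing only filter (the original behaviour) left
# DNAT/MASQUERADE rules in nat behind after "stop" and duplicated them on
# every "start"/"restart".
flush_chains() {
  local table
  for table in filter nat; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
  done
}

# allowconnect PROTO PORT — accept connections to PORT/PROTO on *any*
# interface; the rule is not restricted to the LAN side.
allowconnect() {
  local proto=$1 port=$2
  printf '\tErlaube Port %s/%s\n' "$port" "$proto"
  $IPTABLES -A INPUT -p "$proto" --dport "$port" -j ACCEPT
}

# portforward PROTO PORT DEST — DNAT PORT/PROTO arriving on $DIAL_OUT to DEST.
# Entries without a destination are ignored.
portforward() {
  local proto=$1 port=$2 dest=$3
  [ -n "$dest" ] || return 0
  printf '\tForwarde Port %s/%s nach %s\n' "$port" "$proto" "$dest"
  $IPTABLES -t nat -A PREROUTING -p "$proto" -i "$DIAL_OUT" --dport "$port" \
    -j DNAT --to "$dest"
  # NOTE(review): forwarded packets traverse FORWARD, not INPUT, so this call
  # additionally opens the same port on the firewall host itself.  Kept
  # because the original did it; remove it if that is not wanted.
  allowconnect "$proto" "$port"
}

# load_modules — load the iptables core module and, if configured, the
# connection-tracking/NAT helper modules listed in MASQ_MODULES.
load_modules() {
  local modul
  printf '\tLade Iptablesmodul\n'
  $MODPROBE ip_tables
  if is_ja "$LOAD_MASQMOD"; then
    printf '\tLade Masqueradingmodule\n'
    for modul in $MASQ_MODULES; do   # whitespace-separated list by design
      $MODPROBE "$modul"
    done
  fi
}

# harden_kernel — set the /proc/sys/net/ipv4 knobs selected in the config.
harden_kernel() {
  if is_ja "$ANTI_SPOOFING"; then         # reverse-path filtering
    printf '\tStarte Anti IP Spoofing\n'
    write_proc 1 /proc/sys/net/ipv4/conf/*/rp_filter
  fi
  if is_ja "$ANTI_SPOOFING_LOG"; then     # log packets with impossible sources
    printf '\tStarte Anti IP Spoofing Logging\n'
    write_proc 1 /proc/sys/net/ipv4/conf/*/log_martians
  fi
  if is_ja "$SYNCOOKIE"; then             # SYN-flood protection via SYN cookies
    printf '\tStarte SYN Cookie Schutz\n'
    write_proc 1 /proc/sys/net/ipv4/tcp_syncookies
  fi
  if is_ja "$DISABLE_ICMP_REDIR"; then    # neither accept nor send ICMP redirects
    write_proc 0 /proc/sys/net/ipv4/conf/*/accept_redirects
    write_proc 0 /proc/sys/net/ipv4/conf/*/send_redirects
  fi
  if is_ja "$DISABLE_SOURCE_ROUTED"; then # drop source-routed packets
    write_proc 0 /proc/sys/net/ipv4/conf/*/accept_source_route
  fi
  if is_ja "$ENABLE_BROADCAST_ECHO_PROTECT"; then
    write_proc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  fi
  if is_ja "$ENABLE_BAD_ERROR_MESG_PROTECT"; then
    write_proc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  fi
  if is_ja "$ALLOW_FORWARD"; then         # Starte Forwarding
    printf '\tStarte Forwarding\n'
    write_proc 1 /proc/sys/net/ipv4/ip_forward
  fi
  if is_ja "$ALLOW_DYNIP"; then           # Erlaube Dynip-Patch
    printf '\tErlaube Dyn-IP Patch\n'
    write_proc 2 /proc/sys/net/ipv4/ip_dynaddr
  fi
}

# install_rules — build the rule set.  Order matters: the explicit per-port
# ACCEPT/REJECT rules go first, the catch-all "block" chain is appended to
# INPUT last.
install_rules() {
  local port i proto dest rest

  ## "block": let established/related traffic and anything that did not come in
  ## on $DIAL_OUT through; log (optionally) and drop the rest.
  $IPTABLES -N block
  $IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
  # "-i ! IFACE" is the pre-1.4 negation syntax, kept for old iptables
  # releases; newer ones warn and prefer "! -i IFACE".
  $IPTABLES -A block -m state --state NEW -i ! "$DIAL_OUT" -j ACCEPT
  if is_ja "$LOGGING"; then
    # Unrated: a flood of dropped packets fills syslog one line per packet;
    # add "-m limit" here if that is a concern.
    $IPTABLES -A block -j LOG
  fi
  $IPTABLES -A block -j DROP

  ## Erlaube Services
  for port in $ALLOW_TCP; do allowconnect tcp "$port"; done
  for port in $ALLOW_UDP; do allowconnect udp "$port"; done

  ## Diese Services werden ausdruecklich abgelehnt und nicht verworfen
  for port in $REJECT_TCP; do
    $IPTABLES -A INPUT -p tcp --dport "$port" -j REJECT
  done
  for port in $REJECT_UDP; do
    $IPTABLES -A INPUT -p udp --dport "$port" -j REJECT
  done

  ## Diese Ports werden auf einen Rechner im internen Lan weitergeleitet.
  ## Syntax : PORTFORWARD_[N]="PROTO PORT ZIEL-IP", N = 1..MAX_FORWARDINGS.
  ## A bounded counted loop replaces the original "until count = MAX" loop,
  ## which never terminated when MAX_FORWARDINGS was unset or not a number.
  case ${MAX_FORWARDINGS:-0} in
    *[!0-9]*)
      echo "ERROR: MAX_FORWARDINGS muss eine Zahl sein." >&2
      exit 6
      ;;
  esac
  for ((i = 1; i <= ${MAX_FORWARDINGS:-0}; i++)); do
    read -r proto port dest rest <<<"${PORTFORWARD_[i]}"
    portforward "$proto" "$port" "$dest"
  done

  ## Verbiete / erlaube Ping (nur auf $DIAL_OUT)
  if [ "$ALLOW_PING" = nein ]; then
    printf '\tVerbiete Ping\n'
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -i "$DIAL_OUT" -j DROP
  else
    printf '\tErlaube Ping\n'
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -i "$DIAL_OUT" -j ACCEPT
  fi

  ## Everything on INPUT not matched above goes through "block".
  $IPTABLES -A INPUT -j block

  ## T-DSL fixen (MSS clamping for PPPoE links)
  if is_ja "$FIX_BROKEN_TDSL"; then
    printf '\tFix T-DSL\n'
    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  fi
  # NOTE(review): FORWARD is accepted unconditionally (no state match, no
  # interface restriction), as in the original.
  $IPTABLES -A FORWARD -j ACCEPT

  ## Starte Masquerading
  if is_ja "$ALLOW_MASQ"; then
    printf '\tMasquerading\n'
    $IPTABLES -t nat -A POSTROUTING -o "$DIAL_OUT" -j MASQUERADE
  fi
}

# do_start — flush, load modules, harden the kernel, install the rules.
do_start() {
  echo "Starte Minifirewall $VERSION"
  # DIAL_OUT names the untrusted interface; without it the "block" and NAT
  # rules would be built against an empty interface name.
  if [ -z "$DIAL_OUT" ]; then
    echo "ERROR: DIAL_OUT ist in $CONF nicht gesetzt." >&2
    exit 6
  fi
  flush_chains       # Loesche alte Chains
  load_modules
  harden_kernel
  install_rules
}

# do_stop — remove the rules.  /proc settings (ip_forward etc.) stay as set,
# and with ACCEPT default policies the host is unfiltered afterwards.
do_stop() {
  echo "Stoppe Minifirewall"
  flush_chains
}

# do_status — list the filter table, through $PAGER when one is set.
do_status() {
  if [ -n "$PAGER" ]; then
    # $PAGER is left unquoted so it may carry options ("less -R").
    $IPTABLES -L -nv --line-numbers | $PAGER
  else
    $IPTABLES -L -nv --line-numbers
  fi
}

case "${1:-}" in
  start)   do_start ;;
  stop)    do_stop ;;
  restart) "$0" stop; "$0" start ;;
  status)  do_status ;;
  *)
    echo "Benutzung: $0 {start|stop|status|restart}" >&2
    exit 1
    ;;
esac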