#!/bin/sh
#
# rc.fw-host: firewall script for a single workstation.
#
# Copyright (C) Alessandro Dotti Contra <adotti@users.sourceforge.net>
#
#==============================================================================
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# For any questions related to this software, please write to:
#
# Alessandro Dotti Contra
# v. Verne, 6
# 40128 Bologna ITALY
#
# or email to: adotti@users.sourceforge.net
#==============================================================================
#
# rc.fw-host,v
# Revision 1.1  2005/03/16 20:33:05  adotti
# First public release.
#
#
#==============================================================================

#
# FIREWALL CONFIGURATION
#

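# Interfaces and tools used by the rule set.  Only traffic on these two
# interfaces is ever accepted; everything else falls through to the DROP
# policy set in fw_start.
NET_IFACE="eth0"
LO_IFACE="lo"
IPTABLES="/sbin/iptables"

# Rate limit for the LOG rule in fw_start.  Without a limit, a remote host can
# fill the system log just by sending unsolicited packets at this workstation.
LOG_LIMIT="5/min"
LOG_BURST="10"

#######################################
# Print usage on stderr and exit with status 1.
# Globals:   none
# Arguments: none
# Outputs:   usage line on stderr
# Returns:   does not return (exit 1)
#######################################
usage() {
  echo "Usage: ${0##*/} (start|stop)" >&2
  exit 1
}

#######################################
# Abort unless the iptables binary exists and is executable.  Without this
# check every rule line below fails individually and the host is left in an
# undefined state with no clear message.
# Globals:   IPTABLES (read)
# Returns:   0 if usable, exits with 1 otherwise
#######################################
check_iptables() {
  if [ ! -x "$IPTABLES" ]; then
    echo "$IPTABLES: not found or not executable" >&2
    exit 1
  fi
}

#######################################
# Install the workstation rule set in the filter table: accept loopback and
# replies to connections this host opened, log and drop all other inbound
# traffic, allow all outbound traffic.
# Globals:   NET_IFACE, LO_IFACE, IPTABLES, LOG_LIMIT, LOG_BURST (read)
# Outputs:   status line on stdout
#######################################
fw_start() {
  echo "Enforcing firewall rules"

  # Policies first: if anything below fails the host ends up closed, not open.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP

  # Start from an empty filter table so that running "start" twice (or a start
  # after a crash) does not append a duplicate rule set; LOG is non-terminating,
  # so duplicates would log every rejected packet once per copy.
  "$IPTABLES" -F
  "$IPTABLES" -X

  #
  # INPUT
  #

  # Loopback traffic
  "$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT

  # Stateful: replies to connections this host opened, plus related traffic
  "$IPTABLES" -A INPUT -i "$NET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Log what is about to be rejected.  The limit match keeps a flood of
  # unsolicited packets from exhausting log space; the packet itself still
  # falls through to the INPUT DROP policy whether or not it was logged.
  "$IPTABLES" -A INPUT -i "$NET_IFACE" \
    -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
    -j LOG --log-level warning --log-prefix "IN NET REJ: "

  #
  # OUTPUT
  #

  "$IPTABLES" -A OUTPUT -j ACCEPT
}

#######################################
# Remove every rule and restore ACCEPT policies in the filter, nat and mangle
# tables.  After this the host performs no packet filtering at all.
# Globals:   IPTABLES (read)
# Outputs:   status line on stdout
#######################################
fw_stop() {
  echo "Removing firewall rules"

  # Reset the default policies in the filter table
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT

  # Reset the default policies in the nat table
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT

  # Reset the default policies in the mangle table
  for chain in PREROUTING POSTROUTING INPUT FORWARD OUTPUT; do
    "$IPTABLES" -t mangle -P "$chain" ACCEPT
  done

  # Flush all rules, then delete all user defined chains, in every table.
  # Flush comes first because a chain that is still referenced by a rule
  # cannot be deleted.
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
  done
}

case "$1" in
  start)
    check_iptables
    fw_start
    ;;
  stop)
    check_iptables
    fw_stop
    ;;
  *)
    usage
    ;;
esac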

