#!/bin/sh - keep it for file(1) to get bourne shell script result

# Chains this file supplies rule functions for: one ipv4_filter_<CHAIN>_rules
# function per name listed here.
CHAINS='FORWARD INPUT OUTPUT'

# Interface facing the untrusted network. Rules that negate -i on this
# interface match only traffic arriving from the internal side.
OUTSIDE_IF='eth0'

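#######################################
# Rules for the FORWARD chain (routed traffic). The helpers below are
# templates and stay commented out until they are wanted on this host.
# Globals:   none (the helpers, once enabled, read iptables and FIREWALL_DIR)
# Returns:   0 always; an explicit status so a caller checking this function
#            does not see the status of whatever command ran before it.
#######################################
ipv4_filter_FORWARD_rules()
{
	# Block trojan ports:
#	ipv4_trojan_killer FORWARD
	# Block adverts if need be
#	ipv4_ads_killer FORWARD
	return 0
}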

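#######################################
# Rules for the INPUT chain (traffic addressed to this host). Every rule
# below is a commented-out template: enable only the services this host
# really offers, keep the ESTABLISHED,RELATED accept near the top and the
# LDROP catch-all at the very end, since iptables matches in order.
# Globals:   iptables (command), OUTSIDE_IF, MY_IP_ADDRESSES,
#            MY_FRIENDS_IP_ADDRESSES - read by the template rules once enabled
# Returns:   0 always; an explicit status so a caller checking this function
#            does not see the status of whatever command ran before it.
#######################################
ipv4_filter_INPUT_rules()
{
	# INPUT
	# Selective LOG/DROP/ACCEPT for ICMP
#	$iptables -A INPUT -p icmp -j ICMP
	# Check if someone is not scanning us first:
#	$iptables -A INPUT -m psd -j SCAN

#	$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#	$iptables -A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 37 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 37 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 67 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 68 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 69 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 79 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 109 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 110 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 113 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 119 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 123 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 123 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 137:139 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 143 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 161:162 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 177 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 177 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 220 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 513:514 -j ACCEPT
	# Internal interfaces only. Current iptables prefers the negation before
	# the option ("! -i $OUTSIDE_IF"); "-i !" is the deprecated placement.
#	$iptables -A INPUT -i ! $OUTSIDE_IF -p tcp -m state --state NEW --dport 515 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 517:518 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 873 -j ACCEPT
#	$iptables -A INPUT -p tcp -m state --state NEW --dport 2121 -j ACCEPT

	# Silently drop broadcast-heavy protocols instead of logging them below.
#	$iptables -A INPUT -p udp -m state --state NEW --dport 67:68 -j DROP
#	$iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j DROP
#	$iptables -A INPUT -p udp -m state --state NEW --dport 513 -j DROP

#	ipv4_in_allow_rpc

	# Block adverts if need be
#	ipv4_ads_killer INPUT
	# Block trojan ports:
#	ipv4_trojan_killer INPUT

	# DROP SSH brute force scans: addresses listed in MY_IP_ADDRESSES and
	# MY_FRIENDS_IP_ADDRESSES bypass the rate limit; everybody else gets at
	# most 6 new connections per 60 seconds before being logged and dropped.
#	$iptables -N SSH_BRUTE_FORCE
#	$iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_BRUTE_FORCE
#	$iptables -A SSH_BRUTE_FORCE -s $MY_IP_ADDRESSES -j RETURN
#	$iptables -A SSH_BRUTE_FORCE -s $MY_FRIENDS_IP_ADDRESSES -j RETURN
#	$iptables -A SSH_BRUTE_FORCE -m recent --set --name SSH
#	$iptables -A SSH_BRUTE_FORCE -m recent ! --rcheck --seconds 60 --hitcount 6 --name SSH -j RETURN
#	$iptables -A SSH_BRUTE_FORCE -m recent --update --name SSH
#	$iptables -A SSH_BRUTE_FORCE -j LOG --log-prefix "SSH Brute Force Attempt: "
#	$iptables -A SSH_BRUTE_FORCE -p tcp -j DROP

	# Block and log everything else
#	$iptables -A INPUT -m state --state NEW -j LDROP
	return 0
}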

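#######################################
# Rules for the OUTPUT chain (locally generated traffic). Intentionally
# empty: outbound traffic is left to the chain policy.
# Returns:   0 always; an explicit status so a caller checking this function
#            does not see the status of whatever command ran before it.
#######################################
ipv4_filter_OUTPUT_rules()
{
	return 0
}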

# Allow RPC for internal net only
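#######################################
# Accept NEW tcp/udp connections to every port currently registered with the
# local portmapper, but only on interfaces other than OUTSIDE_IF. Ports are
# read at firewall load time, so re-run the firewall after registering new
# RPC services.
# Globals:   iptables (command, deliberately unquoted so it may carry
#            options), OUTSIDE_IF (read)
# Returns:   0; a missing rpcinfo means there is nothing to open, not an error
#######################################
ipv4_in_allow_rpc()
{
	local prog ver proto port name

	[ -x /usr/sbin/rpcinfo ] || return 0

	# rpcinfo -p columns: program vers proto port service. Sort by port and
	# let uniq -f 2 drop entries that differ only in program/version, so each
	# (proto, port, service) triple yields a single rule.
	/usr/sbin/rpcinfo -p localhost 2>/dev/null | sort -n -k4 | uniq -f 2 | \
	while read -r prog ver proto port name ; do
		[ -z "$name" ] && continue
		# Only tcp and udp are valid for -p; this also discards rpcinfo's
		# header line, whose proto column is the word "proto".
		case "$proto" in
		tcp|udp)
			$iptables -A INPUT ! -i "$OUTSIDE_IF" -p "$proto" -m state --state NEW --dport "$port" -j ACCEPT
			;;
		esac
	done
	return 0
}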

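#######################################
# Reject TCP traffic to and from every host listed in $FIREWALL_DIR/ads.hosts
# (one address or hostname per line; blank lines and lines starting with '#'
# are skipped). Rules are appended to the chain given as $1.
# Globals:   iptables (command, deliberately unquoted so it may carry
#            options), FIREWALL_DIR (read)
# Arguments: $1 - chain to append to (e.g. INPUT, FORWARD)
# Returns:   0; a missing or empty list is not an error
#######################################
ipv4_ads_killer()
{
	local chain=$1
	local list="$FIREWALL_DIR/ads.hosts"
	local host

	[ -s "$list" ] || return 0

	# read -r keeps backslashes; the "|| [ -n ... ]" clause still processes a
	# final line that has no trailing newline. Surrounding whitespace is
	# trimmed by read, so a host never reaches iptables with stray spaces.
	while read -r host || [ -n "$host" ]; do
		case "$host" in
		''|'#'*) continue ;;
		esac
		# Hostnames are resolved when the rule is loaded, which makes the
		# firewall depend on DNS at boot; prefer addresses in the list.
		$iptables -A "$chain" -p tcp -d "$host" -j REJECT --reject-with icmp-host-prohibited
		$iptables -A "$chain" -p tcp -s "$host" -j REJECT --reject-with icmp-host-prohibited
	done < "$list"
	return 0
}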

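#######################################
# Reject NEW TCP connections to every port spec listed in
# $FIREWALL_DIR/trojan.ports (one multiport spec per line, e.g. a single
# port or a comma-separated list; blank lines and lines starting with '#'
# are skipped). Rules are appended to the chain given as $1.
# Globals:   iptables (command, deliberately unquoted so it may carry
#            options), FIREWALL_DIR (read)
# Arguments: $1 - chain to append to (e.g. INPUT, FORWARD)
# Returns:   0; a missing or empty list is not an error
#######################################
ipv4_trojan_killer()
{
	local chain=$1
	local list="$FIREWALL_DIR/trojan.ports"
	local ports

	[ -s "$list" ] || return 0

	# read -r keeps backslashes; the "|| [ -n ... ]" clause still processes a
	# final line that has no trailing newline.
	while read -r ports || [ -n "$ports" ]; do
		case "$ports" in
		''|'#'*) continue ;;
		esac
		$iptables -A "$chain" -p tcp -m state --state NEW -m multiport --port "$ports" -j REJECT --reject-with icmp-port-unreachable
	done < "$list"
	return 0
}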
