# Netfilter chains this rule file knows about; presumably the driver
# script walks this list and calls ipv4_filter_<CHAIN>_rules for each.
CHAINS='FORWARD INPUT OUTPUT'

# Interface facing the untrusted network.  Rules written with
# "-i ! $OUTSIDE_IF" therefore match traffic arriving from the inside only.
OUTSIDE_IF='eth0'

# TCP
ipv4_in_allow_tcp()
{
	typeset port

	# New TCP connections accepted from any interface.  Rule order is the
	# same as before: 20:21 (ftp), 22 (ssh), 25 (smtp), 113 (ident).
	for port in 20:21 22 25 113 ; do
		$iptables -A INPUT -p tcp -m state --state NEW --dport "$port" -j ACCEPT
	done

	# 515 (lpd) is reachable from the internal side only.
	# NOTE(review): "-i ! IF" is the intrapositioned negation form; newer
	# iptables warns about it and prefers "! -i IF".
	$iptables -A INPUT -i ! $OUTSIDE_IF -p tcp -m state --state NEW --dport 515 -j ACCEPT

	# 873 (rsync) and 2121, again from any interface.
	for port in 873 2121 ; do
		$iptables -A INPUT -p tcp -m state --state NEW --dport "$port" -j ACCEPT
	done

	# Deliberately not opened (add the port to a list above to enable):
	# 23 37 53 79 80 109 110 119 123 137:139 143 177 220
}

# UDP
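ipv4_in_allow_udp()
{
	# No UDP service is opened to new connections at the moment; the lines
	# below are kept as a template.  "return 0" is explicit so a caller
	# (e.g. under "set -e") never inherits whatever status preceded the call.
#	$iptables -A INPUT -p udp -m state --state NEW --dport 37 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 67 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 68 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 69 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 123 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 161:162 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 177 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 513 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 514 -j ACCEPT
#	$iptables -A INPUT -p udp -m state --state NEW --dport 517:518 -j ACCEPT
	return 0
}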

ipv4_in_drop_udp()
{
	typeset port

	# Silently discard new UDP traffic to 67:68 (dhcp), 137:139 (netbios)
	# and 513 (who); order of the rules is unchanged.
	for port in 67:68 137:139 513 ; do
		$iptables -A INPUT -p udp -m state --state NEW --dport "$port" -j DROP
	done
}

# Allow RPC for internal net only
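ipv4_in_allow_rpc()
{
	typeset prog ver proto port name

	# Ask the local portmapper what is registered and open each tcp/udp
	# port for new connections from the internal side only.  sort/uniq
	# collapse the per-version duplicates so one proto/port pair gives one
	# rule; when rpcinfo is missing or portmap is down nothing is added.
	# NOTE(review): "-i ! IF" is the intrapositioned negation form; newer
	# iptables warns about it and prefers "! -i IF".
	rpcinfo -p localhost 2>/dev/null | sort -n -k4 | uniq -f 2 | \
	while read -r prog ver proto port name ; do
		# Entries without a service name are skipped; the header line
		# falls through the case below (its proto field is the word "proto").
		[ -z "$name" ] && continue
		case "$proto" in
		tcp|udp)
			$iptables -A INPUT -i ! "$OUTSIDE_IF" -p "$proto" -m state --state NEW --dport "$port" -j ACCEPT
			;;
		esac
	done
}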

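ipv4_ads_killer()
{
	typeset chain line

	# $1 - chain to append to (INPUT or FORWARD in this file).
	chain=$1
	# The host list is optional: its absence used to return the status of
	# the failed test (1), which aborts a caller running under "set -e".
	[ -s "$FIREWALL_DIR/ads.hosts" ] || return 0
	# One host or network per line; reject traffic to and from each with an
	# ICMP error.  Blank and "#" lines are skipped - an empty -d/-s argument
	# would make iptables fail - and "|| [ -n ... ]" keeps a last line that
	# has no trailing newline.
	while read -r line || [ -n "$line" ] ; do
		case "$line" in
		''|'#'*) continue ;;
		esac
		$iptables -A "$chain" -p tcp -d "$line" -j REJECT --reject-with icmp-host-prohibited
		$iptables -A "$chain" -p tcp -s "$line" -j REJECT --reject-with icmp-host-prohibited
	done < "$FIREWALL_DIR/ads.hosts"
}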

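ipv4_trojan_killer()
{
	typeset chain line

	# $1 - chain to append to (INPUT or FORWARD in this file).
	chain=$1
	# The port list is optional: its absence used to return the status of
	# the failed test (1), which aborts a caller running under "set -e".
	[ -s "$FIREWALL_DIR/trojan.ports" ] || return 0
	# Each line is a port list in multiport syntax (e.g. "31337,31338");
	# new TCP connections on those ports are rejected with port-unreachable.
	# Blank and "#" lines are skipped - an empty --port argument would make
	# iptables fail - and "|| [ -n ... ]" keeps a last line without newline.
	while read -r line || [ -n "$line" ] ; do
		case "$line" in
		''|'#'*) continue ;;
		esac
		$iptables -A "$chain" -p tcp -m state --state NEW -m multiport --port "$line" -j REJECT --reject-with icmp-port-unreachable
	done < "$FIREWALL_DIR/trojan.ports"
}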

ipv4_ssh_brute_force_killer()
{
	typeset chain=SSH_BRUTE_FORCE

	# Divert every new SSH connection through a dedicated chain.
	$iptables -N $chain
	$iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j $chain

	# Exemptions (disabled): sources that must never be rate-limited.
#	$iptables -A $chain -s $MY_IP_ADDRESSES -j RETURN
#	$iptables -A $chain -s $MY_FRIENDS_IP_ADDRESSES -j RETURN

	# Record the source and let it through unless it already reached 6
	# attempts within the last 60 seconds ...
	$iptables -A $chain -m recent --set --name SSH
	$iptables -A $chain -m recent ! --rcheck --seconds 60 --hitcount 6 --name SSH -j RETURN
	# ... otherwise refresh its timestamp, log it and tarpit the connection.
	# NOTE(review): the LOG rule is not rate-limited (no "-m limit"), so a
	# sustained burst can flood the log.  TARPIT is not a stock netfilter
	# target (xtables-addons) - verify it is loadable on the host.
	$iptables -A $chain -m recent --update --name SSH
	$iptables -A $chain -j LOG --log-prefix "SSH Brute Force Attempt: "
	$iptables -A $chain -p tcp -j TARPIT
}

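ipv4_filter_FORWARD_rules()
{
	# FORWARD chain: nothing is applied yet; the template below names the
	# helpers intended for it.  "return 0" is explicit so a caller (e.g.
	# under "set -e") never inherits whatever status preceded the call.
#	# Block trojan ports:
#	ipv4_trojan_killer FORWARD
#	# Block adverts if need be
#	ipv4_ads_killer FORWARD
	return 0
}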

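ipv4_filter_INPUT_rules()
{
	# INPUT chain: nothing is applied yet; the template below lists the
	# intended helpers in order.  "return 0" is explicit so a caller (e.g.
	# under "set -e") never inherits whatever status preceded the call.
#	# INPUT
#	# Selective LOG/DROP/ACCEPT for ICMP
#	$iptables -A INPUT -p icmp -j ICMP
#	# Check if someone is not scanning us first:
#	$iptables -A INPUT -m psd -j SCAN
#
#	ipv4_in_allow_tcp
#	ipv4_in_allow_udp
#	ipv4_in_drop_udp
#	ipv4_in_allow_rpc
#
#	$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#	# Block adverts if need be
#	ipv4_ads_killer INPUT
#	# Block trojan ports:
#	ipv4_trojan_killer INPUT
#	# TARPIT SSH brute force scans
#	ipv4_ssh_brute_force_killer
#	# Block everything else
#	$iptables -A INPUT -m state --state NEW -j LDROP
	return 0
}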

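ipv4_filter_OUTPUT_rules()
{
	# OUTPUT chain: no rules are applied.  "return 0" is explicit so a
	# caller (e.g. under "set -e") never inherits a stale non-zero status.
	return 0
}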

# This must be the last line!
# vi:syntax=sh:tw=78:ts=8:sw=4
