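#!/bin/bash
# /etc/rc.d/rc.firewall
# start/stop/restart iptables firewall rules
# base script generated by Easy Firewall Generator
# copyright 2002 Timothy Scott Morizot
# http://easyfwgen.morizot.net/gen/
# slackware specific version available at
# http://www.slackware.com/~alien/efg/
# modified liberally thereafter
#
# Usage: rc.firewall start|lan|gateway|stop [pppx|ethx|brx|wlanx]
#
# The interpreter is bash on purpose: this script (and rc.inet1.conf,
# which defines IPADDR[] as an array) relies on bash-only features
# (source, ${VAR:offset:len}, array subscripts, echo -e).  Under a
# POSIX /bin/sh such as dash these silently misbehave.

# modified for colorized screen messages and local needs
source /etc/functions-colors

# Kernel parameters are configured by sysctl from within
# /etc/rc.d/rc.S and /etc/sysctl.conf

# default internet connection defined in rc.inet1.conf
# primarily need this sourced for the GATEWAY variable (and IPADDR[]),
# but other needs might emerge if this script is revised
source /etc/rc.d/rc.inet1.conf

# $LOGGER is expected to come from /etc/functions-colors (it is not
# defined in this file).  Fall back to syslog so the "route add"
# pipelines below never pipe into an empty command.
: "${LOGGER:=logger -t rc.firewall}"

# Localhost interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# The default connection point to the internet:
# INET_IFACE can be redefined by passing $2 parameter
# check for a virtual bridge rather than standard interface
# (anchored match: a plain "grep br0" would also hit names like "vbr0")
if ifconfig | grep -q '^br0'; then
  INET_IFACE="br0"
else
  INET_IFACE="eth0"
fi
# INET_IFACE="eth1"
# INET_IFACE="ppp0"
# INET_IFACE="wlan0"

# LAN interface information
LAN_NET="192.168.1.0/24"
LAN_BCAST="192.168.1.255"

# is this box a NAT/router/gateway box for a LAN?
# NAT_SERVER="yes"

# does this box provide FTP services to outside the LAN?
# FTP_SERVER="yes"

# does this box provide DHCP services?
# DHCP_SERVER="yes"

# does this box provide SSH services to outside the LAN?
# ALLOW_OUTSIDE_SSH="yes"
# SSH_PORT="22"

# does this box use a transparent proxy?
# be sure to verify the correct proxy owner name is used
# in the iptables firewall rules
TRANS_PROXY="yes"
PROXY_PORT="3128"

# do you want the firewall to allow outside pings?
# ALLOW_OUTSIDE_PINGS="yes"

# do you want the firewall to log outside pings?
# LOG_OUTSIDE_PINGS="yes"

# modprobe and iptables location
MODPROBE="/sbin/modprobe"
IPT="/usr/sbin/iptables"

# Print the first IPv4 address of interface $1 (empty if it has none).
# Accepts both the classic "inet addr:A.B.C.D" and the newer
# "inet A.B.C.D" ifconfig output formats; the trailing space in the
# pattern keeps "inet6" lines out.
iface_ip() {
  ifconfig "$1" \
    | awk '/^[[:space:]]+inet / { sub(/^addr:/, "", $2); print $2; exit }'
}

# Function to establish a LAN gateway route.
# Does nothing if a default route already exists or if GATEWAY is not
# set in rc.inet1.conf.  On a ppp link only the LAN network is routed
# via GATEWAY and the default route is left alone.
gateway_up() {
  if /sbin/route -n | grep -q '^0\.0\.0\.0'; then
    return 0
  fi
  [ -n "$GATEWAY" ] || return 0

  case "$INET_IFACE" in
    ppp*)
      # LAN_NET carries the prefix length, so no separate netmask is needed
      /sbin/route add -net "$LAN_NET" gw "$GATEWAY" metric 1 2>&1 | $LOGGER
      echo -e "Added ${BOLDGREEN}$GATEWAY${COLOR_RESET} as the LAN gateway route."
      ;;
    *)
      /sbin/route add default gw "$GATEWAY" metric 1 2>&1 | $LOGGER
      echo -e "Added ${BOLDGREEN}$GATEWAY${COLOR_RESET} as the default gateway route."
      ;;
  esac
}

# Function to delete an existing default gateway (silent if there is none).
gateway_down() {
  if /sbin/route -n | grep -q '^0\.0\.0\.0'; then
    /sbin/route del default 2>/dev/null
    echo -e "${BOLDWHITE}Deleted default gateways.${COLOR_RESET}"
  fi
}

# Flush every rule and user chain in the filter, nat and mangle tables
# and reset all default policies to ACCEPT.
#
# SECURITY: after this returns the host is completely unfiltered.  Every
# caller other than "stop" must load a ruleset immediately afterwards;
# there is an unavoidable open window between this flush and the end of
# the $FWSCRIPT run.
firewall_flush() {
  echo "Flushing firewall tables."

  # Reset Default Policies
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -t nat -P PREROUTING ACCEPT
  $IPT -t nat -P POSTROUTING ACCEPT
  $IPT -t nat -P OUTPUT ACCEPT
  $IPT -t mangle -P PREROUTING ACCEPT
  $IPT -t mangle -P OUTPUT ACCEPT

  # Flush all rules
  $IPT -F
  $IPT -t nat -F
  $IPT -t mangle -F

  # Erase all non-default chains
  $IPT -X
  $IPT -t nat -X
  $IPT -t mangle -X

  echo "Firewall flushed."
}

# Common reset before any mode: turn IPv4 forwarding off and flush the
# tables.  Exits the script if the iptables binary is unusable, since
# every later step would silently fail otherwise.
Initialize() {
  if [ ! -x "$IPT" ]; then
    echo -e "${BOLDRED}Error:${COLOR_RESET} ${BOLDGREEN}$IPT${COLOR_RESET} is not executable; cannot configure the firewall."
    exit 1
  fi

  # Disable IPv4 packet forwarding support.
  sh /etc/rc.d/rc.ip_forward stop
  IP_FORWARD=0

  firewall_flush
}

# Tell the viewers what's going to happen.
echo -e "${BOLDWHITE}Configuring firewall:${COLOR_RESET}"

# allow INET_IFACE to be modified by an external dialup_start script
if [ -n "$DIALUP" ]; then
  INET_IFACE="$DIALUP"
fi

if [ -z "$INET_IFACE" ]; then
  echo -e "No internet interface is defined in ${BOLDGREEN}/etc/rc.d/rc.inet1.conf${COLOR_RESET}. Exiting."
  exit 1
fi

# presumption here is that eth0 serves the LAN and eth1 connects to the web
# a statically defined address usually means a LAN rather than internet connection
# of course, both addresses might be dynamically assigned
#
# rc.inet1.conf defines IPADDR as a bash array (IPADDR[0] for eth0,
# IPADDR[1] for eth1).  The element must be referenced as ${IPADDR[0]}:
# the former "$IPADDR[0]" expanded to $IPADDR followed by a literal "[0]",
# so the test was never false and the eth1 branch could never run.
if [ -n "${IPADDR[0]}" ]; then
  # are we connected through a virtual bridge?
  if [ "$INET_IFACE" = "br0" ]; then
    LAN_IFACE="br0"
  else
    LAN_IFACE="eth0"
  fi
  LAN_IP="${IPADDR[0]}"
elif [ -n "${IPADDR[1]}" ]; then
  LAN_IFACE="eth1"
  LAN_IP="${IPADDR[1]}"
fi

# determine internet IP address (INET_IFACE is known to be non-empty here)
INET_IP="$(iface_ip "$INET_IFACE")"

# positional parameters win over anything inherited from the environment
PARAM1="${1:-$PARAM1}"
PARAM2="${2:-$PARAM2}"

# is this box a NAT/router/gateway box for a LAN?
# (any mode except "stop" then means "gateway")
if [ "$NAT_SERVER" = "yes" ] && [ "$PARAM1" != "stop" ]; then
  PARAM1="gateway"
fi

case "$PARAM1" in
  stop)
    Initialize
    echo -e "${BOLDRED}Now running with no firewall!${COLOR_RESET}"
    exit 0
    ;;

  gateway)
    Initialize

    if [ -n "$PARAM2" ]; then
      # NOTE(review): $2 is documented as the *internet* interface, yet it
      # also overwrites LAN_IFACE, so "gateway eth1" leaves LAN_IFACE and
      # INET_IFACE pointing at the same device.  Behaviour kept as found;
      # verify what rc.firewall-gateway does with LAN_IFACE before relying
      # on $2 for anything other than a bridge.
      LAN_IFACE="$PARAM2"
      case "$PARAM2" in
        ppp*|eth*|br*|wlan*)
          INET_IFACE="$PARAM2"
          # determine internet IP address
          INET_IP="$(iface_ip "$INET_IFACE")"
          ;;
      esac
    fi

    FWSCRIPT="/etc/rc.d/rc.firewall-gateway"

    # Tell the viewers what's going to happen.
    echo -e "${BOLDWHITE}Configuring firewall to provide ${BOLDGREEN}gateway${BOLDWHITE} services.${COLOR_RESET}"

    # gateway is assigned dynamically by the ISP
    # gateway_down
    # gateway_up

    echo -e "LAN interface: ${BOLDGREEN}$LAN_IFACE${COLOR_RESET}"
    echo -e "LAN IP address: ${BOLDGREEN}$LAN_IP${COLOR_RESET}"
    echo -e "Internet interface: ${BOLDGREEN}$INET_IFACE${COLOR_RESET}"
    echo -e "Internet IP address: ${BOLDGREEN}$INET_IP${COLOR_RESET}"

    # Enable IPv4 packet forwarding support.
    if [ -x /etc/rc.d/rc.ip_forward ]; then
      /etc/rc.d/rc.ip_forward start
    else
      echo -e "${BOLDWHITE}Manually force-starting IP forwarding. Please ${BOLDGREEN}chmod +x /etc/rc.d/rc.ip_forward${BOLDWHITE}.${COLOR_RESET}"
      sh /etc/rc.d/rc.ip_forward start
    fi
    # forwarding is on in both branches above; the exported flag must say so
    # (it used to stay 0 on the force-start path)
    IP_FORWARD=1
    ;;

  start|lan)
    Initialize

    if [ -n "$LAN_IP" ]; then
      # assume at least a lan workstation but denied access to the internet
      INET_IFACE="$LAN_IFACE"
      # keep INET_IP consistent with the interface just selected
      INET_IP="$(iface_ip "$INET_IFACE")"
      FWSCRIPT="/etc/rc.d/rc.firewall-lan"

      # Tell the viewers what's going to happen.
      echo -e "${BOLDWHITE}Configuring firewall for a ${BOLDGREEN}LAN${BOLDWHITE} workstation.${COLOR_RESET}"

      # for 'start' parameter assume gateway/router is already established in rc.d/rc.inet1
      # if gateway is not statically assigned in rc.inet1.conf, then this LAN box will have
      # no access to the internet
      gateway_down
      if [ -n "$GATEWAY" ]; then
        gateway_up
        echo -e "LAN Gateway IP: ${BOLDGREEN}$GATEWAY${COLOR_RESET}"
      fi

      echo -e "LAN interface: ${BOLDGREEN}$LAN_IFACE${COLOR_RESET}"
      echo -e "LAN IP address: ${BOLDGREEN}$LAN_IP${COLOR_RESET}"
      echo -e "Internet interface: ${BOLDGREEN}$INET_IFACE${COLOR_RESET}"
      echo -e "Internet IP address: ${BOLDGREEN}$INET_IP${COLOR_RESET}"

      # Enable IPv4 packet forwarding support.
      # NOTE(review): a workstation that is "denied access to the internet"
      # normally has no reason to forward packets; this is kept as found,
      # but consider dropping it unless rc.firewall-lan depends on it.
      if [ -x /etc/rc.d/rc.ip_forward ]; then
        /etc/rc.d/rc.ip_forward start
        IP_FORWARD=1
      fi
    else
      # no LAN address is configured
      # only thing remaining is to assume a stand-alone box on dial-up
      FWSCRIPT="/etc/rc.d/rc.firewall-standalone"

      # Tell the viewers what's going to happen.
      echo -e "${BOLDWHITE}Configuring firewall for a ${BOLDGREEN}stand-alone${BOLDWHITE} workstation.${COLOR_RESET}"
      echo -e "Internet interface: ${BOLDGREEN}$INET_IFACE${COLOR_RESET}"
    fi
    ;;

  *)
    echo -e "${BOLDRED}Usage:${COLOR_RESET} $0 start|lan|gateway|stop [pppx|ethx|brx|wlanx]"
    exit 1
    ;;
esac

# everything the mode-specific rule script needs is handed over via the environment
export MODPROBE IPT LO_IFACE LO_IP INET_IFACE INET_IP LAN_IFACE LAN_IP LAN_NET LAN_BCAST
export IP_FORWARD
export NAT_SERVER
export FTP_SERVER
export DHCP_SERVER
export ALLOW_OUTSIDE_SSH SSH_PORT
export TRANS_PROXY PROXY_PORT
export ALLOW_OUTSIDE_PINGS LOG_OUTSIDE_PINGS
export LOG_ALL_OTHER_TRAFFIC

# GATEWAY might be defined in rc.inet1.conf
# this variable determines which box to use as the LAN gateway to the internet
if [ -n "$GATEWAY" ]; then
  export GATEWAY
fi

if [ -x "$FWSCRIPT" ]; then
  echo -e "Using ${BOLDGREEN}$FWSCRIPT${COLOR_RESET} script."
  if ! "$FWSCRIPT"; then
    # the tables were flushed by Initialize; a failed rule script can leave
    # a partial (i.e. permissive) ruleset behind, so make that visible
    echo -e "${BOLDRED}Warning:${COLOR_RESET} ${BOLDGREEN}$FWSCRIPT${COLOR_RESET} exited with an error; the ruleset may be incomplete."
  fi

  # start the ulog logging daemon
  # all firewall scripts must be revised to support passing
  # logging info to ulogd
  if [ -x /etc/rc.d/rc.ulogd ]; then
    /etc/rc.d/rc.ulogd start
  fi
else
  # Initialize already flushed every rule and reset all policies to
  # ACCEPT, so at this point the box is unfiltered.  Say so and fail
  # instead of returning success as if a firewall had been loaded.
  echo -e "${BOLDRED}Error:${COLOR_RESET} Cannot run ${BOLDGREEN}$FWSCRIPT${COLOR_RESET} script."
  echo -e "${BOLDRED}Now running with no firewall!${COLOR_RESET}"
  exit 1
fi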