#! /bin/sh
#
# Author: Bernd Burre
#
# init.d/maske
#
#   and its symbolic link
#
# /sbin/rcmaske
#
# System startup script for Masquerading
#
### BEGIN INIT INFO
# Provides: maske
# Required-Start: $network
# Required-Stop:  
# Default-Start:  2 3 4 5
# Default-Stop:   
# Description:    Start simple Firewall- Skript
### END INIT INFO


IPTABLES=/usr/sbin/iptables
MODPROBE=/sbin/modprobe

test -x $IPTABLES || exit 5
test -x $MODPROBE || exit 5

. /etc/rc.status

rc_reset

# Anpassung an das Interface (hier DSL oder Modem)
fw_dev="ppp0"

case "$1" in
    start)
	echo -n "Starting Maske Firewall Skript"
	$MODPROBE iptable_nat 
	$MODPROBE ip_nat_ftp
	$MODPROBE ip_conntrack
	$MODPROBE ip_conntrack_ftp
	$IPTABLES -F

	$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

        $IPTABLES -A INPUT -i $fw_dev -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT
        $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 22 -m limit --limit 1/sec -m state --state NEW -j ACCEPT
        $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 21 -m limit --limit 1/sec -m state --state NEW -j ACCEPT
	$IPTABLES -A INPUT -i $fw_dev -p tcp --dport 25 -j ACCEPT
        $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 80 -j ACCEPT
	$IPTABLES -A INPUT -i $fw_dev -p icmp --icmp-type destination-unreachable -j ACCEPT
	$IPTABLES -A OUTPUT -o $fw_dev -p tcp --dport 137:139 -j DROP
	$IPTABLES -A OUTPUT -o $fw_dev -p udp --dport 137:139 -j DROP
	$IPTABLES -A FORWARD -o $fw_dev -p tcp --dport 137:139 -j DROP
	$IPTABLES -A FORWARD -o $fw_dev -p udp --dport 137:139 -j DROP
	$IPTABLES -N block
	$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A block -m state --state NEW -i ! $fw_dev -j ACCEPT
	$IPTABLES -A block -j DROP
	$IPTABLES -A INPUT -j block
	$IPTABLES -A FORWARD -j block
	#
	$IPTABLES -t nat -A POSTROUTING -o $fw_dev -j MASQUERADE
	# Remember status and be verbose
	rc_status -v
	;;
    stop)
	echo -n "Shutting down Maske Skript"
	$IPTABLES -F
	$IPTABLES -t nat -F
        $IPTABLES -X
		
	# Remember status and be verbose
	rc_status -v
	;;
    try-restart)
	## Stop the service and if this succeeds (i.e. the 
	## service was running before), start it again.
	## Note: try-restart is not (yet) part of LSB (as of 0.7.5)
	$0 status >/dev/null &&  $0 restart

	# Remember status and be quiet
	rc_status
	;;
    restart)
	## Stop the service and regardless of whether it was
	## running or not, start it again.
	$0 stop
	$0 start

	# Remember status and be quiet
	rc_status
	;;
    force-reload)
	## Signal the daemon to reload its config. Most daemons
	## do this on signal 1 (SIGHUP).
	## If it does not support it, restart.

	echo -n "Reload service MASKE"
	## if it supports it:
	# killproc -HUP $FOO_BIN
	# touch /var/run/FOO.pid
	# rc_status -v

	## Otherwise:
	$0 stop  &&  $0 start
	rc_status
	;;
    reload)
	## Like force-reload, but if daemon does not support
	## signalling, do nothing (!)

	# If it supports signalling:
	# echo -n "Reload service FOO"
	# killproc -HUP $FOO_BIN
	#touch /var/run/FOO.pid
	# rc_status -v
	
	## Otherwise if it does not support reload:
	rc_failed 3
	rc_status -v
	;;
    status)
	echo  "Maske Rules: "
	$IPTABLES -v -L
	$IPTABLES -v -t nat -L
	echo  -n "Status of MASKE Skript"

	rc_status -v
	;;
    probe)
	## Optional: Probe for the necessity of a reload,
	## give out the argument which is required for a reload.

	# test /etc/FOO/FOO.conf -nt /var/run/FOO.pid && echo reload
	;;
    *)
	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
	exit 1
	;;
esac
rc_exit