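#!/bin/sh
#
# NAT router / firewall setup.
#
# Loads the netfilter modules, hardens a few IPv4 sysctls, flushes the
# tables, installs a default-DROP policy, forwards selected WAN ports to
# hosts on the LAN and masquerades LAN traffic out of the WAN interface.
# Loopback and the LAN interface are always accepted; the WAN interface only
# gets SSH, HTTP, ICMP and replies to established connections.
#
# Must run as root on the router.
#
# Fail closed: the policies are set to DROP *before* the old rules are
# flushed, and `set -e` aborts the script on the first rule that cannot be
# installed. A broken rule therefore leaves the box more restrictive than
# intended, never more permissive (in the worst case only console access
# remains until the script is fixed).
set -eu

SSHport=30
LanPrefix=192.168.17

LANif=eth0
WANif=eth1

# Module loading is best-effort: iptables auto-loads match/target modules on
# demand and the names differ between kernel generations (ipt_* vs xt_*), so a
# name that no longer exists must not abort the whole script. A rule that truly
# needs a missing module still fails loudly further down.
for mod in ip_tables iptable_filter ipt_state iptable_nat ip_nat_ftp \
    ipt_MASQUERADE xt_TCPMSS ipt_recent; do
  modprobe "$mod" 2>/dev/null || :
done
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ipt_LOG
#modprobe ipt_REJECT

# Kernel hardening (IPv4).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts    # Enable broadcast echo Protection
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route   # Disable Source Routed Packets
#not installed yet!  echo 1 > /proc/sys/net/ipv4/tcp_syncookies   # Enable TCP SYN Cookie Protection
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects      # Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects        # Don't send Redirect Messages
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter             # Drop Spoofed Packets coming in on an
                                                           # interface where responses would result
                                                           # in the reply going out a different IF
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians          # Log packets with impossible addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr                     # Be verbose on dynamic ip-addresses
                                                           # not needed with static ip
echo 0 > /proc/sys/net/ipv4/tcp_ecn                        # Disable Explicit Congestion Notification
                                                           # Too many routers are still ignorant

# Set the default policy first so that nothing is accepted while the old rule
# set is being torn down and the new one is not yet complete.
iptables -P INPUT   DROP
iptables -P FORWARD DROP   # default = drop every packet
iptables -P OUTPUT  DROP

# Clear everything
iptables -F   # flush (delete all rules)
iptables -X   # delete user-defined chains
iptables -Z   # reset packet and byte counters in all chains to zero
iptables -t nat -F   # delete and zero above doesn't apply to nat

#######################################
# Forward a WAN port to a host on the LAN (DNAT + matching FORWARD accept).
# Arguments: $1 - protocol (tcp|udp)
#            $2 - port as seen on the WAN interface
#            $3 - LAN host (IP address)
#            $4 - port on the LAN host (defaults to $2)
# Globals:   WANif (read)
# The DNAT only matches packets arriving on $WANif, so LAN-originated traffic
# to the router is never redirected, and the FORWARD accept is pinned to the
# DNAT target (FORWARD sees the post-DNAT destination), so it cannot be reused
# to reach another host on the same port.
#######################################
forward_port() {
  fp_proto=$1
  fp_wan_port=$2
  fp_lan_host=$3
  fp_lan_port=${4:-$2}
  iptables -t nat -A PREROUTING -i "$WANif" -p "$fp_proto" --dport "$fp_wan_port" \
    -j DNAT --to "$fp_lan_host:$fp_lan_port"
  iptables -A FORWARD -i "$WANif" -d "$fp_lan_host" -p "$fp_proto" \
    --dport "$fp_lan_port" -j ACCEPT
}

# Port forwards to LAN
forward_port tcp 5800 "$LanPrefix.1"        # VNC-http
forward_port tcp 5900 "$LanPrefix.1"        # VNC
forward_port tcp 2593 "$LanPrefix.4"        # RunUO
forward_port tcp 1024 "$LanPrefix.1"        # BattleShips

#XpVpnServer=$LanPrefix.5
#iptables -t nat -A PREROUTING -p gre -j DNAT --to $XpVpnServer
#iptables -A FORWARD -p gre -j ACCEPT
# NOTE: 47 and 50 below are IP protocol numbers (GRE, ESP), not TCP/UDP ports;
# only 1723 (PPTP control) and 500 (IKE) are real ports.
#for p in tcp udp; do
#  forward_port "$p" 1723 "$XpVpnServer"   # VPN
#  forward_port "$p" 47   "$XpVpnServer"   # VPN
#  forward_port "$p" 50   "$XpVpnServer"   # VPN
#  forward_port "$p" 500  "$XpVpnServer"   # VPN
#done

forward_port tcp 8880 "$LanPrefix.1" 80     # HTTP on the LAN host, reachable on 8880 from WAN

#forward_port tcp 4967  "$LanPrefix.6"      # SoulSeek
forward_port tcp 51413 "$LanPrefix.1"       # Transmission Torrent
#forward_port tcp 21836 "$LanPrefix.5"      # edonkey
#forward_port udp 35999 "$LanPrefix.5"      # edonkey
forward_port tcp 40826 "$LanPrefix.1"       # uTorrent

#forward_port tcp 2350 192.168.0.6          # TrackMania Server
#forward_port tcp 3450 192.168.0.6
#forward_port udp 2350 192.168.0.6          # TrackMania Server
#forward_port udp 3450 192.168.0.6

# NOTE(review): 192.168.0.1 is outside $LanPrefix; looks like a leftover from an
# older addressing plan — confirm it is still the intended host.
forward_port udp 4534 192.168.0.1           # Armagetron

#forward_port tcp 3389 192.168.0.6          # RDP

iptables -A INPUT  -i lo -j ACCEPT     # Allow any from/to local host
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i "$LANif" -j ACCEPT   # Allow any from/to LAN
iptables -A OUTPUT -o "$LANif" -j ACCEPT

iptables -A OUTPUT -o "$WANif" -j ACCEPT                                       # Allow all outgoing to WAN
iptables -A INPUT  -i "$WANif" -m state --state ESTABLISHED,RELATED -j ACCEPT   # Allow incoming from WAN, if already established

# SSH brute-force throttling: remember every new connection per source address
# and drop the 4th (and any later) new attempt within 60 seconds. Both rules
# match NEW only, so packets of an already accepted session can never count
# towards the limit regardless of rule order. Under `set -e` a failure here
# aborts before the ACCEPT below, so SSH is never opened unthrottled.
iptables -A INPUT -i "$WANif" -p tcp --dport "$SSHport" -m state --state NEW \
  -m recent --set --name SSH
## syslog entry:  iptables -A INPUT -i ppp+ -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -i "$WANif" -p tcp --dport "$SSHport" -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -i "$WANif" -p tcp --dport "$SSHport" -j ACCEPT                      # Open SSH to WAN

iptables -A INPUT -i "$WANif" -p tcp --dport 80 -j ACCEPT                      # Open HTTP to WAN

iptables -A INPUT -i "$WANif" -p icmp -j ACCEPT

# `! -i` is the supported form of interface negation; the older `-i !` spelling
# is deprecated and not accepted by every iptables release.
iptables -A FORWARD ! -i "$WANif" -m state --state NEW -j ACCEPT               # Forward initializations not from WAN
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT             # Forward all already established connections

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu   # Adjust MTU for PPPoE

iptables -t nat -A POSTROUTING -o "$WANif" -j MASQUERADE   # LAN -> WAN source NAT

# Log everything for debugging (last of all rules, but before policy rules)
#iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
#iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
#iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

echo 1 > /proc/sys/net/ipv4/ip_forward   # Finally, enable IP Forwarding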
