#!/bin/tcsh
# Firewall-Skript für surfer
# ----------------------------------------------------------
# PART I: Variablen 
 
set IPTABLES = /usr/sbin/iptables   # absolute path: do not depend on $path when run at boot

# ----------------------------------------------------------
# special ports

set p_high   = 1024:65535   # unprivileged ports (client side of the outbound rules below)
set p_ssh    = 500:1023     # common ssh source ports  (NOTE(review): not referenced by any rule in this file)

# ----------------------------------------------------------
# interfaces

set IF       = ippp0        # dial-up (isdn4linux PPP) interface; only used for the per-interface sysctls

# ----------------------------------------------------------
# ip hosts

# Example: enter the name servers given by your provider here.
# Outbound DNS (udp/tcp 53) is only permitted towards these addresses.
set NS       = ( 193.101.111.20 212.185.248.84 194.25.2.129 )

# Example: enter the mail server given by your provider here.
# Outbound smtp and pop3 are only permitted towards this address.
set mail     = 192.0.84.3

# ----------------------------------------------------------
# PART II: Grundkonfiguration: absichern
# ----------------------------------------------------------
# set dynamic kernel parameters
#
# Values are written straight into /proc.  tcsh does not abort a script
# when a redirection fails, so a missing entry here only prints an error
# and the rest of the script (including the filter rules) still runs.
# NOTE(review): the icmp_*_rate entries are legacy 2.2/early-2.4 knobs;
# on newer kernels they may no longer exist (icmp_ratelimit/icmp_ratemask
# replaced them) — confirm on the target kernel.

echo "0" > /proc/sys/net/ipv4/ip_forward          # no routing between interfaces (FORWARD is also DROP below)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr           # dial-up: let sockets follow the dynamically assigned address
echo "1" > /proc/sys/net/ipv4/tcp_syncookies       # SYN-flood protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # do not answer broadcast pings (smurf amplification)
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate   # rate limits for the ICMP error types we emit
echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate 

# Per-interface settings for $IF only.  conf/ippp0/ exists only while that
# interface is present; conf/all/ and conf/default/ would be the
# interface-independent variants — confirm $IF is up when this runs.
echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter            # reverse-path check: drop packets with a source we could not reach via $IF
echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects     # ignore ICMP redirects
echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route  # ignore source-routed packets
echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians         # log packets with impossible source/destination addresses

# ----------------------------------------------------------
# default policy and flush
#
# The policies are set to DROP *before* the chains are flushed, so there
# is no window while (re)loading in which traffic is let through by a
# default ACCEPT policy.  Only the filter table is touched; this script
# does not use nat or mangle.

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -F  # flush the rules of every (filter) chain
$IPTABLES -X  # delete all user-defined chains (e.g. my_drop left from a previous run)

# ----------------------------------------------------------
# local processes
#
# Loopback traffic is accepted unconditionally; these rules come first
# so local IPC over 127.0.0.1 never reaches the logging/drop rules.

$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT  -i lo -j ACCEPT

# ----------------------------------------------------------
# PART III: endgültige Filterregeln
# ----------------------------------------------------------

# ----------------------------------------------------------
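# DROP & LOG chain
#
# my_drop: log the packet with a protocol-specific prefix, then drop it.
# Logging is rate-limited so that a remote sender cannot fill syslog or
# the disk just by streaming packets at this host; packets above the
# limit are still dropped, merely not logged.  Protocols other than
# ICMP/UDP/TCP are dropped without a log line (as before).

$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -m limit --limit 5/min --limit-burst 10 \
                     -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP  -m limit --limit 5/min --limit-burst 10 \
                     -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP  -m limit --limit 5/min --limit-burst 10 \
                     -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP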

# ----------------------------------------------------------
# return path: packets belonging to an existing connection
#
# Connection tracking does the real work: replies to connections opened
# by the rules below (ESTABLISHED) and traffic tied to them, such as
# ICMP errors for our own packets (RELATED), are accepted in both
# directions.  Every later rule therefore only sees packets that
# conntrack classifies as NEW or INVALID.

$IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------------------------------------------------
# ident: reject
#
# Answer ident/auth (tcp/113) connection attempts with a REJECT instead
# of a silent drop, so remote servers that probe ident (e.g. some mail
# servers) fail fast rather than waiting for a timeout.  --syn limits
# this to connection attempts; nothing is logged for them.

$IPTABLES -A INPUT -p TCP --dport auth --syn -j REJECT

# ----------------------------------------------------------
# DROP all further incoming connection attempts
#
# Every inbound packet that is not part of an existing connection (NEW)
# or that conntrack cannot classify (INVALID) goes to my_drop (logged,
# then dropped).  Because this rule precedes the ICMP INPUT rules below,
# those later INPUT ACCEPT rules appear to be unreachable for NEW/INVALID
# packets; ICMP errors relating to our own traffic are already accepted
# above as RELATED, so the effective policy is stricter than the ICMP
# section suggests.

$IPTABLES -A INPUT  -m state --state NEW,INVALID -j my_drop

# ----------------------------------------------------------
# ICMP
#
# OUTPUT rules: which ICMP messages this host may originate (they sit
# before the final OUTPUT REJECT, so anything not listed here and not
# RELATED to a tracked connection is rejected).
# INPUT rules: note that the NEW,INVALID -> my_drop rule above already
# consumes inbound ICMP that is not ESTABLISHED/RELATED, so the INPUT
# ACCEPT rules in this section appear not to be reached in practice.

# ping: types 8 (echo-request) and 0 (echo-reply), outbound only

$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type echo-request -j my_drop   # do not answer incoming pings; log them

# source quench (4)

$IPTABLES -A OUTPUT -p ICMP --icmp-type source-quench -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type source-quench -j my_drop   # ignore (and log) incoming throttling requests

# time exceeded (11) — e.g. traceroute responses

$IPTABLES -A OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type time-exceeded -j ACCEPT

# parameter problem (12)

$IPTABLES -A OUTPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A INPUT  -p ICMP --icmp-type parameter-problem -j ACCEPT

# destination unreachable (3)
# Outbound: only fragmentation-needed (path-MTU discovery) and
# port-unreachable (closed UDP ports) are allowed to be sent.
# Inbound: fragmentation-needed is essential for PMTU discovery; the
# whole destination-unreachable family is accepted.

$IPTABLES -A OUTPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP --icmp-type port-unreachable -j ACCEPT

$IPTABLES -A INPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A INPUT -p ICMP --icmp-type destination-unreachable -j ACCEPT

# ----------------------------------------------------------
# DNS
#
# Allow new outbound queries (udp and tcp 53) only to the name servers
# listed in $NS; the replies come back through the ESTABLISHED rule.
# --sport $p_high: the resolver uses an unprivileged source port, so a
# local name server bound to port 53 as source would not match here.

foreach ns ( $NS )
  $IPTABLES -A OUTPUT -p UDP --sport $p_high -d $ns --dport domain \
                      -m state --state NEW -j ACCEPT
  $IPTABLES -A OUTPUT -p TCP --sport $p_high -d $ns --dport domain \
                      -m state --state NEW -j ACCEPT
end

# ----------------------------------------------------------
# SMTP, POP3
#
# New outbound mail connections are allowed only to the provider's mail
# server in $mail, and only on the plaintext ports smtp (25) and
# pop3 (110); the TLS variants (pop3s, smtps, submission) are not opened.

$IPTABLES -A OUTPUT -p TCP --sport $p_high -d $mail --dport smtp \
                    -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p TCP --sport $p_high -d $mail --dport pop3 \
                    -m state --state NEW -j ACCEPT

# ----------------------------------------------------------
# HTTP
#
# New outbound web connections to any destination (no host restriction,
# unlike DNS and mail above).

$IPTABLES -A OUTPUT -p TCP --sport $p_high --dport http \
                    -m state --state NEW -j ACCEPT

# ----------------------------------------------------------
# HTTP via SSL

$IPTABLES -A OUTPUT -p TCP --sport $p_high --dport https \
                    -m state --state NEW -j ACCEPT

# ----------------------------------------------------------
# ftp, outbound, control connection only
#
# Only the control channel (tcp/21) is opened.  The data channel is
# accepted only if conntrack marks it RELATED, which requires the FTP
# conntrack helper; nothing in this script loads it, so transfers may
# fail unless it is loaded elsewhere — confirm on the target system.

$IPTABLES -A OUTPUT -p TCP --sport $p_high --dport ftp \
                    -m state --state NEW -j ACCEPT

# ----------------------------------------------------------
# catch-all: block and log the rest
#
# Remaining INPUT and FORWARD traffic is logged and dropped via my_drop.
# Remaining OUTPUT traffic is REJECTed (local processes get an immediate
# error) but NOT logged, so blocked outbound attempts leave no trace in
# syslog; add a LOG rule before the REJECT if that visibility is wanted.

$IPTABLES -A INPUT   -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT  -j REJECT

