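#!/bin/bash
#
# Host firewall (iptables) init script.
#
# Usage: $0 (start | stop | restart | status)
#
#   start   - loads the netfilter modules, sets DROP policies on INPUT and
#             FORWARD, rebuilds the filter rules from scratch and then runs
#             the optional hooks /etc/init.d/brute_force_blocking and
#             /root/scripts/badnets
#   stop    - flushes the nat and filter tables and sets every policy to
#             ACCEPT, i.e. the host is completely open afterwards
#   restart - stop followed by start, in this process
#   status  - "Firewall is enabled" (exit 0) when the rule set is loaded,
#             "Firewall is disabled" (exit 3, LSB "not running") otherwise
#
# start, stop and status need root (CAP_NET_ADMIN); they now fail loudly
# instead of silently leaving the host without the intended policy.

set -u

# Resolve the binary once. The previous version mixed a hard-coded
# /sbin/iptables with the output of `which`, which is empty when PATH lacks
# iptables and then made "stop" a silent no-op.
IPTABLES=$(command -v iptables 2>/dev/null || true)
readonly IPTABLES=${IPTABLES:-/sbin/iptables}

# Interface facing the untrusted network; only used for the ping block.
readonly EXT_IF=eth0

# Loaded best-effort by start; on kernels that build them in, modprobe fails
# harmlessly. LOG/REDIRECT/limit/recent are not used by the rules below and
# are presumably there for the hook scripts.
readonly NETFILTER_MODULES=(
  ipt_REDIRECT ip_tables iptable_filter ipt_LOG
  ipt_REJECT ipt_limit ipt_state ipt_recent
)

# Ports ACCEPTed on INPUT from any source, as "proto:port", in rule order.
# NOTE(review): the udp entries for 20, 21, 22 and 80 are carried over from
# the old rule set; no standard FTP/SSH/HTTP daemon listens on UDP, so
# confirm they are needed and remove the ones that are not. 578 has no
# well-known assignment — TODO confirm which service uses it.
readonly OPEN_PORTS=(
  tcp:22 udp:22
  tcp:80 udp:80
  tcp:443 udp:443
  tcp:20 udp:20
  tcp:21 udp:21
  tcp:25
  tcp:578
  tcp:993
)

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run iptables and abort on failure.
# The old script hid every error behind >/dev/null 2>&1, so a missing binary
# or missing CAP_NET_ADMIN left the policies untouched while the script
# reported success.
# Globals:   IPTABLES (read)
# Arguments: iptables arguments
#######################################
ipt() {
  "$IPTABLES" "$@" || die "iptables $* failed"
}

#######################################
# Abort unless running as root.
#######################################
require_root() {
  (( EUID == 0 )) || die "$0: must be run as root"
}

#######################################
# Optional site-local hooks, run as root once the base rule set is in place.
# NOTE(review): anything these scripts append (-A) to INPUT lands behind the
# final REJECT rule and never matches; they must insert (-I) or use their own
# chain — confirm against their contents.
#######################################
run_hooks() {
  if [[ -f /etc/init.d/brute_force_blocking ]]; then
    /etc/init.d/brute_force_blocking restart
  fi
  if [[ -f /root/scripts/badnets ]]; then
    sh /root/scripts/badnets
  fi
}

#######################################
# Load the full rule set. Idempotent: running start twice no longer appends
# a second copy of every rule.
# Globals:   IPTABLES, EXT_IF, NETFILTER_MODULES, OPEN_PORTS (read)
# Outputs:   progress message on stdout
# Returns:   exits 1 via die on the first failing iptables call
#######################################
fw_start() {
  local mod spec proto port

  require_root
  echo "Starte Firewall..."

  for mod in "${NETFILTER_MODULES[@]}"; do
    /sbin/modprobe "$mod" >/dev/null 2>&1 || true  # built-in or absent: fine
  done

  # Fail closed first: the policies go to DROP before the old rules are
  # flushed, so there is no window in which the host accepts everything.
  # REJECT is not a valid chain policy, hence DROP on INPUT. OUTPUT stays open.
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # Rebuild the filter table from scratch (the hooks are re-run afterwards).
  ipt -F
  ipt -X
  ipt -N fdrop

  # Loopback is matched on the interface, not on -s 127.0.0.1/32: a source
  # address can be forged by a remote peer, the ingress interface cannot, and
  # every local delivery already arrives on lo.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  for spec in "${OPEN_PORTS[@]}"; do
    proto=${spec%%:*}
    port=${spec#*:}
    ipt -A INPUT -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
  done

  # Echo requests from the outside are dropped silently; everything else that
  # did not match above is rejected so legitimate clients fail fast.
  ipt -A INPUT -i "$EXT_IF" -p icmp -m icmp --icmp-type 8 -j DROP
  ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable

  # No routing through this host: NetBIOS/SMB is dropped explicitly, replies
  # to existing flows pass, everything else ends in the catch-all drop chain.
  ipt -A FORWARD -p tcp -m tcp --dport 137:139 -j fdrop
  ipt -A FORWARD -p udp -m udp --dport 137:139 -j fdrop
  ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ipt -A FORWARD -j fdrop
  ipt -A fdrop -j DROP

  run_hooks
}

#######################################
# Remove every rule and open the host completely (all policies ACCEPT).
# Globals:   IPTABLES (read)
# Outputs:   progress message on stdout
#######################################
fw_stop() {
  require_root
  echo "Stoppe Firewall..."
  # The nat table may be unavailable on this kernel; keep going if so, the
  # filter table and the policies are what matters here.
  "$IPTABLES" -t nat -F 2>/dev/null || true
  ipt -t filter -F
  ipt -X
  ipt -P INPUT ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD ACCEPT
}

#######################################
# Report whether the rule set is loaded; the private fdrop chain serves as
# the marker, as before. Needs root: as a non-root user the lookup fails for
# lack of permission and the old script then claimed "disabled".
# Globals:   IPTABLES (read)
# Returns:   0 when enabled, 3 when disabled
#######################################
fw_status() {
  require_root
  if "$IPTABLES" -nL fdrop >/dev/null 2>&1; then
    echo "Firewall is enabled"
    return 0
  fi
  echo "Firewall is disabled"
  return 3
}

#######################################
# Dispatch on the init-script action.
# Arguments: $1 - start | stop | restart | status
# Returns:   action status; 2 on unknown action
#######################################
main() {
  case "${1:-}" in
    start)
      fw_start
      ;;
    stop)
      fw_stop
      ;;
    restart)
      # In-process instead of re-executing "$0": the old "sleep 1" between
      # stop and start left the host with ACCEPT policies for that second.
      fw_stop
      fw_start
      ;;
    status)
      fw_status
      ;;
    *)
      echo "usage: $0 (start | stop | restart | status)" >&2
      exit 2
      ;;
  esac
}

main "$@"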

