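#!/bin/sh
#
#
# Firewall between internal (wireless) ath0 and external world ( eth0 )
# ---------------------------------------------------------------------
#
# Latest Version
# --------------
# http://www.Linux-Sec.net/Firewalls/scripts/rc.iptable.gw.firewall
#
#
# 26-Apr-04 amo Simple 2-nic firewall ( eth0 and wireless ath0 )
#
#
# What the script does, in this order:
#   1. turns IPv4 forwarding off so nothing crosses while rules are rebuilt
#   2. flushes filter and nat, INPUT/OUTPUT policy ACCEPT, FORWARD policy DROP
#   3. FORWARD: everything from $INTIF out through $EXTIF is allowed, only
#      ESTABLISHED/RELATED traffic is allowed back in, the rest is logged
#      and dropped by the chain policy
#   4. nat/POSTROUTING: traffic leaving $EXTIF is SNATed to $OUTSIDE
#   5. turns IPv4 forwarding back on
#
# Required environment:
#   OUTSIDE   the IPv4 address on $EXTIF used as the SNAT source address.
#             The script aborts before touching any rule if it is unset.
#
# Must run as root (writes /proc/sys/net/ipv4/ip_forward, runs iptables).
# INPUT is left at ACCEPT: this protects the hosts behind the gateway,
# not the gateway itself.
#
#
# Keep going even if a command failed ( set to 1 to abort on first failure )
EXITONERR=0
#
#
# Process the command
#
# docmd CMDSTRING
#   Runs CMDSTRING as a single command line (word splitting is intended,
#   so the string must not carry quotes or glob characters) and reports
#   a non-zero exit status on stdout.  Honours EXITONERR.
#   POSIX function syntax: the script runs under /bin/sh, where the
#   bash-only "function" keyword is not available.
docmd() {
  cmd=$1
  # echo "$cmd"
  # shellcheck disable=SC2086 -- intentional: the command is passed as one string
  if ! $cmd; then
    echo "# "
    echo "# ERROR: Command Failed: $cmd "
    echo "# "
    #
    if [ "$EXITONERR" = 1 ]; then
      exit 1
    else
      echo "# ..keep going anyway"
    fi
  fi
} # docmd
#
#
IPTABLES="iptables"
#
# network to the outside
EXTIF="eth0"
#
# internal ( wireless ) network
INTIF="ath0"
#
# Fail here, before any rule is flushed, if the SNAT source address is
# missing.  Without it the SNAT rule below is rejected by iptables and
# forwarding would still be switched on at the end, sending un-NATed
# internal addresses out of $EXTIF.
: "${OUTSIDE:?OUTSIDE must be set to the IPv4 address on $EXTIF used as the SNAT source}"
#
#
echo "#"
echo "# First Turn off packet forwarding"
echo "#"
#
echo " echo 0 > /proc/sys/net/ipv4/ip_forward"
echo 0 > /proc/sys/net/ipv4/ip_forward
echo ""
#
#
# http://www.e-infomax.com/ipmasq/
#
echo "# Install a minimal firewall/gateway"
#cho " # rc.firewall-2.2 ( ipchains ) "
echo " # rc.firewall-2.4 ( iptables ) "
echo ""
#
#
# ---------------------------------------------------
# 3-line ipchains firewall ( reference only, not run )
# ------------------------
# ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASK"
## hains -A forward -i ppp0 -j MASQ
# ipchains -P forward DENY"
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# ---------------------------------------------------
# 4-line iptable firewall ( reference only, not run )
# -----------------------
# iptables -F
# iptables -t nat -F
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
#
echo "#"
echo "# 7-commands to Clear the IPTables first"
echo "#"
#
# FORWARD policy goes to DROP before any ACCEPT rule is added, so nothing
# slips through while the chain is being rebuilt.  All commands go through
# docmd so a failure is reported instead of passing silently.
docmd " $IPTABLES -F"
docmd " $IPTABLES -P INPUT ACCEPT"
docmd " $IPTABLES -F INPUT"
docmd " $IPTABLES -P OUTPUT ACCEPT"
docmd " $IPTABLES -F OUTPUT"
docmd " $IPTABLES -P FORWARD DROP"
docmd " $IPTABLES -F FORWARD"
docmd " $IPTABLES -t nat -F"
echo ""
#
#
#
# ToDo:
# Change to allow only specific 192.168.x.y ip# only
#
echo "# FWD: Allow all connections OUT and only existing and related ones IN"
docmd " $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"
docmd " $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT"
# Everything reaching this rule is about to be dropped by the policy; the
# LOG target is unbounded, so on a noisy uplink consider adding "-m limit".
docmd " $IPTABLES -A FORWARD -j LOG"
echo ""
#
echo "# Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#ocmd " $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"
# iptables: No chain/target/match by that name
#
# this works for the wireless box to get outside
docmd " $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $OUTSIDE"
#
#
# try to allow only 192.168.1.12 connectivity in or out
# -------------------------------------------------------
#ocmd " $IPTABLES -t nat -A POSTROUTING -s 192.168.1.12 -o $EXTIF -j SNAT --to $OUTSIDE"
echo ""
#
echo "# Check the rules:"
docmd " $IPTABLES -L"
echo ""
#
echo "#"
echo "# Now Turn on packet forwarding"
echo "#"
# Forwarding is only re-enabled once every rule above is in place.
echo " echo 1 > /proc/sys/net/ipv4/ip_forward"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo ""
#
#
# End of file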