#!/bin/sh
#
# rc.firewall-2.2
#
#     - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels 
#       using IPCHAINS.
#
#       Once IP Masquerading has been tested, with this simple 
#       ruleset, it is highly recommended to use a stronger 
#       IPTABLES ruleset either given later in this HOWTO or 
#       from another reputable resource.

FWVER="1.22"
#
# 1.22 - ruleset now uses modprobe instead of insmod
# 1.21 - Added clarification that PPPoE users need to use
#        "ppp0" instead of "eth0" for their external interface
# 1.20 - Updated the script to use environment vars
# 1.01 - Original version


echo -e "\n\nLoading simple rc.firewall-2.2 : version $FWVER..\n"


# The location of the ipchains and kernel module programs
#
#   If your Linux distribution came with a copy of ipchains, 
#   most likely all the programs will be located in /sbin.  If 
#   you manually compiled ipchains, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis ipchains" command to figure out 
# ** where your copy is and change the path below to reflect 
# ** your setup
#
IPCHAINS=/sbin/ipchains
#IPTABLES=/usr/local/sbin/ipchains
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the NATing will occur and the internal network
#  should preferably be addressed with a RFC1918 private addressing
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0" 
#
#  ** Please change this to reflect your specific configuration **
#
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"


# Network Address of the Internal Network
#
#   This example rc.firewall file uses the 192.168.0.0 network
#   with a /24 or 255.255.255.0 netmask.
#
#    ** Change this variable to reflect your specific setup **
#
INTLAN="192.168.0.0/24"
echo -e "   Internal Interface:  $INTLAN\n"



# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented out from loading.
echo "   loading required IPMASQ kernel modules.."

# Needed to initially load modules
#
$DEPMOD -a

echo -en "   Loading modules: "

# Supports the proper masquerading of FTP file transfers using the PORT method
#
echo -en "FTP, "
$MODPROBE ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
#echo -en "RealAudio, "
$MODPROBE ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#echo -en "Irc, "
#$MODPROBE ip_masq_irc


# Supports the masquerading of Quake and QuakeWorld by default.  This modules is
#   for for multiple users behind the Linux MASQ server.  If you are going to 
#   play Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#echo -en "Quake, "
#Quake I / QuakeWorld (ports 26000 and 27000)
#$MODPROBE ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#$MODPROBE ip_masq_quake 26000,27000,27910,27960


# Supports the masquerading of the CuSeeme video conferencing software
#
#echo -en "CuSeeme, "
#$MODPROBE ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#echo -en "VdoLive "
#$MODPROBE ip_masq_vdolive

echo ".  Done loading modules."


#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in 
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmenting since it is disabled by default 
#           in 2.2.x kernels.  This used to be a compile-time option but the 
#           behavior was changed in 2.2.12
#
echo "   enabling AlwaysDefrag.."
echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this 
#   following option.  This enables dynamic-ip address hacking in IP MASQ, 
#   making the life with Diald and similar programs much easier.
#
#echo "   enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ box,
#  and you have set it up to the best of your ability without it working, try
#  enabling this option (delete the "#" character).  This option is disabled
#  by default due to possible internal machine UDP port scanning 
#  vulnerabilities.
#
#echo "   enabling LooseUDP.."
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is REJECT
#
echo "   clearing any existing rules and setting default policy.."
$IPCHAINS -P input ACCEPT
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward REJECT
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) 
#
echo "   setting default timers.."
$IPCHAINS -M -S 7200 10 160


# DHCP:  For people who receive their external IP address from either DHCP or 
#        BOOTP such as ADSL or Cablemodem users, it is necessary to use the 
#        following before the deny command.  
#
#        This example is currently commented out.
#
#
#$IPCHAINS -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the 
#         192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#         connecting to the Internet on interface eth0.
#
#         ** Please change this network number, subnet mask, and your Internet
#         ** connection interface name to match your internal LAN setup
#
echo "   enabling IPMASQ functionality on $EXTIF"
$IPCHAINS -P forward DENY
$IPCHAINS -A forward -i $EXTIF -s $INTLAN -j MASQ



echo -e "\nDone.\n"