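#!/bin/sh
#
# Author: Joerg Schuetter
# joerg.schuetter@gmx.de
#
# /sbin/init.d/firewall
#
# SuSE-style init script for a small masquerading firewall on an ISDN
# link.  "start" installs, "stop" removes, these rules:
#   - FORWARD: accept traffic from the PDA host ($pda_net on $pda_dev)
#     towards the ISP interface, reject forwarding from $local_net;
#   - a user chain "block", hooked into INPUT and FORWARD, that accepts
#     ESTABLISHED/RELATED packets and NEW connections arriving on any
#     interface other than $isp_dev, logs everything else and drops it;
#   - nat/POSTROUTING: masquerade everything leaving through $isp_dev.
#
# Usage: /sbin/init.d/firewall {start|stop|restart}
# Reads rc_done/rc_failed (from /etc/rc.config) and START_FIREWALL
# (from /etc/rc.config.local) when invoked through a runlevel link.
#

. /etc/rc.config.local

# Determine the base and follow a runlevel link name
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called through a runlevel link directory
# (quoted so an empty or odd script name cannot break the test).
test "$link" = "$base" && START_FIREWALL=yes
test "$START_FIREWALL" = yes || exit 0

PATH=$PATH:/usr/local/bin

isp_dev=ippp0             # interface towards the ISP (untrusted side)
pda_dev=ppp0              # point-to-point link to the PDA
pda_net=192.168.2.1/32    # the PDA host itself
local_net=192.168.0.0/24  # local LAN, must not be forwarded to the ISP

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done
case "$1" in
    start)
        echo -n "Starting service firewall"

        # load modules (helpers after the modules they depend on)
        modprobe iptable_nat
        modprobe ip_nat_ftp
        modprobe ip_conntrack
        modprobe ip_conntrack_ftp

        # allow from palm (192.168.2.1)
        iptables -A FORWARD -s "$pda_net" -i "$pda_dev" -o "$isp_dev" -j ACCEPT

        # block from local net
        iptables -A FORWARD -s "$local_net" -o "$isp_dev" -j REJECT

        # protect from outside
        # NOTE: "start" only appends; running it twice without "stop"
        # leaves duplicate rules and fails on the second "-N block".
        iptables -N block
        iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
        # "-i ! dev" is the old negation spelling; newer iptables expect "! -i dev"
        iptables -A block -m state --state NEW -i ! "$isp_dev" -j ACCEPT
        # NOTE: the active LOG rules carry no "-m limit", so every dropped
        # packet produces a log line; a flood on $isp_dev can fill the
        # logs.  The rate-limited variants are kept commented for reference.
#        iptables -A block -i $isp_dev -j LOG -m limit --log-prefix "Bad packet from ippp0 "
        iptables -A block -i "$isp_dev" -j LOG --log-level notice --log-prefix "Bad packet from ippp0 "
#        iptables -A block -i ! $isp_dev -j LOG -m limit --log-prefix "Bad packet not from ippp0 "
        iptables -A block -i ! "$isp_dev" -j LOG --log-level notice --log-prefix "Bad packet not from ippp0 "
        iptables -A block -j DROP
        iptables -A INPUT -j block
        iptables -A FORWARD -j block

        # masq everything leaving through ippp0
        iptables -t nat -A POSTROUTING -o "$isp_dev" -j MASQUERADE

        echo -e "$return"
        ;;
    stop)
        echo -n "Shutting down service firewall"

        # masq everything leaving through ippp0
        iptables -t nat -D POSTROUTING -o "$isp_dev" -j MASQUERADE

        # protect from outside (rules are deleted in reverse order of
        # insertion; the chain can only be removed once it is empty)
        iptables -D FORWARD -j block
        iptables -D INPUT -j block
        iptables -D block -j DROP
#        iptables -D block -i ! $isp_dev -j LOG -m limit --log-prefix "Bad packet not from ippp0 "
        iptables -D block -i ! "$isp_dev" -j LOG --log-level notice --log-prefix "Bad packet not from ippp0 "
#        iptables -D block -i $isp_dev -j LOG -m limit --log-prefix "Bad packet from ippp0 "
        iptables -D block -i "$isp_dev" -j LOG --log-level notice --log-prefix "Bad packet from ippp0 "
        iptables -D block -m state --state NEW -i ! "$isp_dev" -j ACCEPT
        iptables -D block -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -X block

        # block from local net
        iptables -D FORWARD -s "$local_net" -o "$isp_dev" -j REJECT

        # allow from palm (192.168.2.1)
        iptables -D FORWARD -s "$pda_net" -i "$pda_dev" -o "$isp_dev" -j ACCEPT

        # unload modules in reverse dependency order: the *_ftp helpers
        # hold references on iptable_nat / ip_conntrack, and rmmod
        # refuses to remove a module that is still in use.
        rmmod ip_nat_ftp
        rmmod ip_conntrack_ftp
        rmmod iptable_nat
        rmmod ip_conntrack

        echo -e "$return"
        ;;
    restart)
        $0 stop && $0 start || return=$rc_failed
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

# Inform the caller not only verbosely and set an exit status
test "$return" = "$rc_done" || exit 1
exit 0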


