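#!/bin/bash
# Copyright (c) 1998, William Stearns
#
# Shell wrapper around the rules Mason creates.  Once you have a basic set of
# rules and have checked the customizations in this file, it can be called
# from your startup scripts (or from an ip-up script, since the fixed rules
# need the dynamic interface to already have an address).
#
# The first section is used on an ipchains kernel, the second on an ipfwadm
# kernel (not implemented).  Customize both if you need both.
#
# Everything here is relative to the current directory: the generated rule
# file is ./fwrules and the learning loop at the bottom appends to it.
#
# Optional environment knobs (defaults reproduce the original behaviour):
#   DYNIF    interface the fixed rules are bound to                 (ppp0)
#   MASQNET  source network masqueraded on the forward chain    (172.16.0.0/24)
#   MASON    path to the mason binary used by the learning loop  (./mason)
#
# NOTE: this script never sets a chain *policy* (no "ipchains -P").  The fixed
# rules are a deny-list for a handful of ports; anything not matched by them,
# by the Mason rules, or by the trailing log rule is decided by whatever
# policy the kernel already has.  Review that before treating the result as a
# finished firewall.
#
# For more information about Mason and the latest version, see
# http://www.pobox.com/~wstearns/mason/

DYNIF="${DYNIF:-ppp0}"
MASQNET="${MASQNET:-172.16.0.0/24}"
MASON="${MASON:-./mason}"
RULES="fwrules"
IPCHAINS="/sbin/ipchains"
NOLOGSUFFIX="N"   # If you change this, change it in Mason too.

# Diagnostics go to stderr so they do not get mixed into the rule output.
warn() { printf '%s\n' "$*" >&2; }
die()  { warn "$@"; exit 1; }

# The rule file is sourced as root below, so refuse to execute it unless it
# is a regular file owned by us and writable only by the owner.  The learning
# loop appends to the same file, so a group/world-writable rule file would let
# anyone else on the box add rules (or arbitrary shell) that run as root.
rules_are_trusted() {
  [ -f "$1" ] || return 1
  [ -O "$1" ] || return 1
  [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Append one fixed rule on the input chain for the dynamic interface.
#   $1 protocol (tcp/udp), $2 destination port, $3 target (DENY/ACCEPT)
# The trailing -o is carried over from the original rules unchanged;
# presumably the ipchains "copy to userspace device" option -- verify against
# ipchains(8) if you depend on it.
fixed_input_rule() {
  "${IPCHAINS}" -A input -i "${DYNIF}" -p "$1" -d "${DYNADDR}/32" "$2" -j "$3" -o
}

if [ ! -d /proc/1 ]; then
  die "WARNING! Proc filesystem not supported or not mounted. Please fix and restart."
fi

# DYNIF is used as the prefix of an exported variable name below (ppp0ADDR
# for ppp0), so it must be a valid identifier fragment.
case "${DYNIF}" in
  ''|*[!A-Za-z0-9_]*)
    die "DYNIF='${DYNIF}' cannot be used as a variable-name prefix (letters, digits and _ only)." ;;
esac

# Deduplicate the rule file Mason appends to.  Lines are sorted on the text
# after the first '#' (the comment Mason attaches to each rule) so that
# repeated learnings of the same rule end up adjacent for uniq.
# "-k 2" is the POSIX spelling of the obsolete "+1" field selector, which
# current sort(1) implementations reject.  Only rewrite the file when the
# sort succeeded, so a failure never leaves an empty rule file behind.
if [ -f "${RULES}" ]; then
  if sort -t '#' -k 2 "${RULES}" | uniq > "${RULES}.sorted"; then
    mv -f "${RULES}.sorted" "${RULES}"
  else
    warn "Sorting ${RULES} failed; keeping the existing file."
    rm -f "${RULES}.sorted"
  fi
fi

if [ -f /proc/net/ip_fwchains ]; then
  echo "Creating ipchains firewall."

  # Resolve the dynamic interface's address *before* flushing, so that an
  # interface that is down aborts while the previous rules are still loaded
  # instead of leaving a half-built firewall with the fixed rules missing.
  DYNADDR="$(ifconfig "${DYNIF}" 2>/dev/null | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')"
  if [ -z "${DYNADDR}" ]; then
    die "Cannot determine the address of ${DYNIF} (is it up?). Existing rules left untouched."
  fi
  # Exported under the historical name (ppp0ADDR for ppp0) so rule files that
  # reference ${ppp0ADDR} keep working.  The value includes the /32 mask.
  export "${DYNIF}ADDR=${DYNADDR}/32"

  # Flush the existing rules so we start with a clean slate.  Note that this
  # flushes rules only; chain policies are left as they are.
  printf '%s' "Flushing..."
  "${IPCHAINS}" -F input
  "${IPCHAINS}" -F output
  "${IPCHAINS}" -F forward
  if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ]; then
    # Forwarding is off in the kernel; make the forward chain say so too.
    "${IPCHAINS}" -A forward -j DENY
  fi

  # Put any fixed rules you wish here.  These are examples: a deny-list of
  # well-known services on the dynamic interface.  Port 113 (auth/ident) is
  # ACCEPTed rather than DENYed, as in the original; adjust to suit.
  printf '%s' "Fixed rules..."
  while read -r proto port target _; do
    fixed_input_rule "${proto}" "${port}" "${target}"
  done <<'EOF'
tcp 22 DENY      # ssh
tcp 23 DENY      # telnet
tcp 25 DENY      # sendmail
tcp 98 DENY      # linuxconf
tcp 111 DENY     # portmapper
tcp 113 ACCEPT   # auth
tcp 139 DENY     # netbios
tcp 771 DENY
tcp 1026 DENY
tcp 1862 DENY
tcp 3117 DENY
tcp 3128 DENY    # squid
tcp 6000 DENY    # X11
tcp 7100 DENY    # xfs
tcp 33333 DENY
udp 111 DENY     # portmapper
udp 137 DENY     # netbios-ns
udp 138 DENY     # netbios-dgm
udp 177 DENY
udp 514 DENY     # syslog
udp 772 DENY
udp 800 DENY
udp 1022 DENY
udp 1023 DENY
udp 1024 DENY
udp 3130 DENY    # ICP
udp 3775 DENY
udp 22555 DENY   # IPhone data relay
EOF
  "${IPCHAINS}" -A forward -s "${MASQNET}" -j MASQ

  # Load the rules Mason has generated so far.  The file is executed as
  # shell in this process, hence the ownership/permission check.
  if rules_are_trusted "${RULES}"; then
    printf '%s' "New rules..."
    . "./${RULES}"
  elif [ -f "${RULES}" ]; then
    echo
    warn "Refusing to source \"${RULES}\": it must be a regular file owned by $(id -un) and not group/world writable."
  else
    echo
    echo "Unable to locate the \"${RULES}\" rule file. Is it in a directory"
    echo "other than ${PWD} ?"
  fi

  # Finally, create a "nolog" chain for each of the built-in chains, have
  # each chain jump to it, then log everything that falls through.  The log
  # rule (-l) only logs; it does not decide the packet's fate -- see the
  # policy note at the top.
  #ALLCHAINS=$(ipchains -L -n | grep '^Chain' | awk '{print $2}')
  printf '%s' "Adding logging rules..."
  for chain in input output forward; do
    nolog="${chain}${NOLOGSUFFIX}"
    if ! "${IPCHAINS}" -L "${nolog}" >/dev/null 2>&1; then
      "${IPCHAINS}" -N "${nolog}"     # create the nolog chain if it is missing
    fi
    "${IPCHAINS}" -F "${nolog}"       # flush it, as it may have existed before
    "${IPCHAINS}" -A "${chain}" -j "${nolog}"
    "${IPCHAINS}" -A "${chain}" -l
  done
  echo
elif [ -f /proc/net/ip_input ]; then
  echo "Creating ipfwadm firewall"
  warn "WARNING! This section has not been implemented. See"
  warn "http://www.pobox.com/~wstearns/mason to see if a new version is available."
else
  die "This kernel has a proc filesystem, but does not support ipchains or ipfwadm firewalling. Please recompile the kernel with firewalling and firewall packet logging."
fi

# Leave this uncommented while Mason is still learning; comment it out for a
# finished firewall.  Everything Mason prints is appended to the rule file and
# executed as root on the next run, which is why that file's ownership and
# permissions are checked above.
tail -f --lines=0 /var/log/messages | DYNIF="${DYNIF}" "${MASON}" | tee -a "./${RULES}"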