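#!/bin/sh
# Shell script to set firewall policy using ipchains and masquerade.
# Assumes IP forwarding is already enabled.
#
# Edit extip/extif/intip/intif before running. The default policies are set
# to REJECT/DENY before any ACCEPT rule is added, so an abort part way
# through (set -e) leaves the host closed rather than open.
PATH=/sbin:/bin:/usr/bin:/usr/sbin
export PATH
set -eu

ipchains=/sbin/ipchains

# external interface
extip="my.ext.ip.add"   # placeholder: replace with the real external address
extif="eth1"
# internal interface
intip="192.168.1.0/24"
intif="eth0"
# all ip addresses
allip="0.0.0.0/0"

# Refuse to run while extip is still the placeholder: ipchains rejects a
# non-numeric address, and every rule after that point would never be added.
case "$extip" in
  *[!0-9./]*)
    printf 'extip is not a numeric address: %s\n' "$extip" >&2
    exit 1
    ;;
esac

[ -x "$ipchains" ] || { printf '%s: not found or not executable\n' "$ipchains" >&2; exit 1; }

# init standard chains
# -M -S sets the masquerade timeouts (tcp, tcp-after-FIN, udp) in seconds.
"$ipchains" -M -S 7200 10 60
"$ipchains" -F input
"$ipchains" -P input REJECT
"$ipchains" -F output
"$ipchains" -P output REJECT
"$ipchains" -F forward
"$ipchains" -P forward DENY

# Setup input policy
# ACCEPT anything input from local interface.
"$ipchains" -A input -i "$intif" -s "$intip" -d "$allip" -j ACCEPT
# REJECT ip spoofing of local network on external interface (-l logs the hit).
"$ipchains" -A input -i "$extif" -s "$intip" -d "$allip" -l -j REJECT
# REJECT ip spoofing of loopback address on external interface.
"$ipchains" -A input -i "$extif" -s 127.0.0.0/8 -d "$allip" -l -j REJECT
# REJECT doubleclick.net et. al.
"$ipchains" -A input -i "$extif" -s 199.95.206.210 -d "$allip" -l -j REJECT
"$ipchains" -A input -i "$extif" -s 209.171.54.55 -d "$allip" -l -j REJECT
# ACCEPT external access on ports via external interface.
# NOTE(review): these two rules accept TCP and UDP to extip on EVERY port,
# including new inbound TCP connections, so any service listening on the
# gateway is reachable from outside. Restrict them to the ports actually
# served (--dport), or add "! -y" to the TCP rule to accept only packets
# belonging to connections the gateway itself opened.
"$ipchains" -A input -p tcp -i "$extif" -s "$allip" -d "$extip" -j ACCEPT
"$ipchains" -A input -p udp -i "$extif" -s "$allip" -d "$extip" -j ACCEPT
# Uncomment the next line to ACCEPT ICMP e.g. "ping" on the external interface.
#"$ipchains" -A input -p icmp -i "$extif" -s "$allip" -d "$extip" -j ACCEPT
# loopback setup. ACCEPT any IP valid on loopback(lo) interface.
"$ipchains" -A input -i lo -s "$allip" -d "$allip" -j ACCEPT

# Setup output policy
# ACCEPT all outgoing traffic via local network interface.
"$ipchains" -A output -i "$intif" -s "$allip" -d "$intip" -j ACCEPT
# Prevent traffic from local network from using external interface
# (private addresses must never leave unmasqueraded; log attempts).
"$ipchains" -A output -i "$extif" -s "$allip" -d "$intip" -l -j REJECT
"$ipchains" -A output -i "$extif" -s "$intip" -d "$allip" -l -j REJECT
# ACCEPT the rest: only traffic sourced from the external address itself.
"$ipchains" -A output -i "$extif" -s "$extip" -d "$allip" -j ACCEPT
# Loopback interface output is always valid.
"$ipchains" -A output -i lo -s "$allip" -d "$allip" -j ACCEPT

# Forward packets from the internal network with MASQUERADE.
"$ipchains" -A forward -i "$extif" -s "$intip" -d "$allip" -j MASQ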