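#!/bin/sh
#
# Host firewall for a client box that reaches the network through an
# RBGAN modem.
#
# Policy: drop everything by default; accept inbound SSH only; allow a
# short allow-list of outbound services (remote Squid, DNS, DHCP, RIP,
# UUCP, the modem's web interface, ICMP); transparently redirect
# outbound web traffic to the local Squid.
#
# Must run as root. It is meant to be the host's only iptables policy:
# every table is flushed before the ruleset is rebuilt.
#
# Companion "connect"/"disconnect" scripts address the first two rules
# of the blockoutgoing chain by number, so those must stay rules 1 and 2.

# Abort on the first failing command instead of silently leaving a
# half-built ruleset behind. The DROP policies are installed before
# anything else, so an abort leaves the host closed, not open (which
# also means a failure can lock out a remote administrator).
set -eu

IPT="/sbin/iptables"
MODPROBE="/sbin/modprobe"

# Interface facing the modem and the modem's address. Both can be
# overridden from the environment; the defaults are the original values.
WAN_IF="${WAN_IF:-eth0}"
MODEM_ADDR="${MODEM_ADDR:-192.168.128.100}"

# Load the netfilter modules this ruleset relies on. iptables autoloads
# them on demand anyway and module names differ between kernel versions
# (ipt_state is only a legacy name on newer kernels), so a failure here
# is deliberately not fatal.
for mod in ip_tables ipt_state iptable_filter iptable_nat; do
    "$MODPROBE" "$mod" 2>/dev/null || true
done

# Default policies first, so the host is closed while the rules are
# rebuilt. Setting them after the flush would open a window in which
# the previous policy (possibly ACCEPT) applied with no rules at all.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP      # this host does not route for anyone
"$IPT" -P OUTPUT DROP

# The nat table's built-in chains must stay at ACCEPT for NAT to work.
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT

# Start from a clean slate in every table: flush the rules, delete the
# user-defined chains, zero the counters.
for table in filter mangle nat; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
    "$IPT" -t "$table" -Z
done

# --- Inbound ----------------------------------------------------------
# blockincoming: stateful inbound filter for the WAN interface. Only
# packets belonging to connections we already know about and new SSH
# sessions get in; everything else falls through to the DROP policy.
"$IPT" -N blockincoming
"$IPT" -A blockincoming -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A blockincoming -m state --state NEW -p tcp --dport 22 -j ACCEPT

"$IPT" -A INPUT -i "$WAN_IF" -j blockincoming
# Loopback is unrestricted.
"$IPT" -A INPUT -i lo -j ACCEPT

# --- Outbound ---------------------------------------------------------
# blockoutgoing: allow-list of outbound services on the WAN interface.
# NOTE: the connect and disconnect scripts refer to rules 1 and 2 of
# this chain by number -- never insert anything above them.
"$IPT" -N blockoutgoing

# Rule 1: local Squid to remote Squid, http_port.
"$IPT" -A blockoutgoing -p tcp --dport 3128 -j ACCEPT
# Rule 2: local Squid to remote Squid, icp_port.
"$IPT" -A blockoutgoing -p tcp --dport 3130 -j ACCEPT

# Rule 3: replies belonging to connections that were already accepted,
# in practice the inbound SSH sessions admitted by blockincoming. This
# replaces the former stateless '-p tcp --sport 22 -j ACCEPT' rule,
# which accepted any outbound packet carrying source port 22 regardless
# of connection state (a way past the REJECT below for anything able to
# send from that port).
"$IPT" -A blockoutgoing -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment the next rule to allow SSH to other clients (test-only).
#"$IPT" -A blockoutgoing -p tcp --dport 22 -j ACCEPT

# DNS lookups.
"$IPT" -A blockoutgoing -p udp --dport 53 -j ACCEPT
# DHCP (dhclient appears to work without this; kept to be safe).
"$IPT" -A blockoutgoing -p udp --dport 67 -j ACCEPT
# RIP routing updates.
"$IPT" -A blockoutgoing -p udp --dport 520 -j ACCEPT
# UUCP.
"$IPT" -A blockoutgoing -p tcp --dport 540 -j ACCEPT
# Uncomment the next rule to reach GCM's apt-proxy.
#"$IPT" -A blockoutgoing -p tcp -d 192.168.69.50 --dport 9999 -j ACCEPT

# Anything else is refused with an ICMP error rather than silently
# dropped, so local programs fail immediately instead of timing out.
"$IPT" -A blockoutgoing -j REJECT

# OUTPUT: the modem's web interface and ICMP (ping is needed during
# debugging and setup) are accepted ahead of the allow-list; every other
# packet leaving on the WAN interface goes through blockoutgoing;
# loopback is unrestricted.
"$IPT" -A OUTPUT -o "$WAN_IF" -d "$MODEM_ADDR" -j ACCEPT
"$IPT" -A OUTPUT -o "$WAN_IF" -p icmp -j ACCEPT
"$IPT" -A OUTPUT -o "$WAN_IF" -j blockoutgoing
"$IPT" -A OUTPUT -o lo -j ACCEPT

# --- nat: transparent web proxying ------------------------------------
# ACCEPT here ends nat-chain traversal, so traffic to the modem's web
# interface is exempt from the REDIRECTs that follow.
"$IPT" -t nat -A OUTPUT -o "$WAN_IF" -d "$MODEM_ADDR" -j ACCEPT
# Redirect non-local web access to the local Squid.
"$IPT" -t nat -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j REDIRECT --to-port 3128
# Comment out the next rule to use GCM's own apt repository (test-only).
"$IPT" -t nat -A OUTPUT -o "$WAN_IF" -p tcp --dport 8080 -j REDIRECT --to-port 3128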