#!/bin/sh
# Tool paths.
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Addresses.
localhost="127.0.0.1"          # not referenced by the rules below
intranet="192.168.1.0/24"      # LAN behind the gateway
any="0.0.0.0/0"

# Interfaces: LAN side and PPP (Internet) side.
dev_intra="eth0"
dev_inter="ppp0"
#hports="1024:"

# Match clause for packets that belong to an already tracked connection.
# Leading space is deliberate: the value is expanded unquoted so that it
# word-splits into separate iptables arguments.
KEEPSTATE=" -m state --state ESTABLISHED,RELATED"

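#######################################
# Reset the firewall: flush all rules, delete user-defined chains and zero
# the counters in both the filter and the nat table. Chain policies are not
# touched; the caller sets them.
# Globals:  IPTABLES (read)
#######################################
raz() {
  # The nat table is included because 'start' appends a MASQUERADE rule to
  # POSTROUTING; flushing only the filter table (the default of a bare -F)
  # would leave a duplicate MASQUERADE rule behind on every restart.
  for table in filter nat; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
    $IPTABLES -t "$table" -Z
  done
}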


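#######################################
# Bring the firewall up: load conntrack/NAT helpers, harden rp_filter, install
# a default-deny ruleset for INPUT/OUTPUT/FORWARD with masquerading from the
# LAN to the Internet, then enable routing.
# Globals:  IPTABLES MODPROBE dev_intra dev_inter intranet KEEPSTATE (read)
# Exits:    1 if a kernel module cannot be loaded
#######################################
# shellcheck disable=SC2086 -- KEEPSTATE holds several arguments on purpose
fw_start() {
  echo "IPTables Activé"
  # NOTE(review): these are the ipt_*/ip_* module names of older kernels; on
  # newer kernels the equivalents are named xt_*/nf_* and are normally
  # autoloaded, so a failure here may only mean the name changed.
  $MODPROBE ipt_state || exit 1
  $MODPROBE ipt_LOG || exit 1
  $MODPROBE ipt_limit || exit 1
  $MODPROBE ip_conntrack || exit 1
  $MODPROBE ip_conntrack_ftp || exit 1
  $MODPROBE ip_nat_ftp || exit 1

  # Strict reverse-path filtering on every interface: the kernel discards
  # packets whose source address would not be routed back out the same way.
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
  fi

  # Flush and set default-deny policies first; routing is enabled only at the
  # very end, so the box never forwards with an empty or stale ruleset.
  raz
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P FORWARD DROP

  # Loopback and the LAN interface are fully trusted.
  $IPTABLES -A INPUT -j ACCEPT -p ALL -i lo
  $IPTABLES -A OUTPUT -j ACCEPT -p ALL -o lo
  $IPTABLES -A INPUT -j ACCEPT -p ALL -i $dev_intra
  $IPTABLES -A OUTPUT -j ACCEPT -p ALL -o $dev_intra

  # Anti-spoofing on the Internet side. These must precede every ACCEPT on
  # $dev_inter: placed after them, a spoofed packet to an open port or any
  # outgoing packet is already accepted and these rules never match.
  for addr in 10.0.0.255 0.0.0.0 255.255.255.255; do
    $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -s $addr
    $IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -d $addr
    $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -s $addr
    $IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -d $addr
  done

  # Routing between the two sides. LAN -> Internet is open; Internet -> LAN is
  # limited to packets of a connection the LAN initiated. A plain ACCEPT of
  # any source here would let the gateway forward unsolicited traffic into
  # the LAN.
  $IPTABLES -A FORWARD -j ACCEPT -i $dev_intra -o $dev_inter -s $intranet
  $IPTABLES -A FORWARD -j ACCEPT -i $dev_inter -o $dev_intra $KEEPSTATE
  $IPTABLES -t nat -A POSTROUTING -o $dev_inter -j MASQUERADE

  # Host traffic on the Internet side: anything may go out, and the replies
  # are let back in by connection tracking.
  $IPTABLES -A OUTPUT -j ACCEPT -p ALL -o $dev_inter
  for proto in TCP UDP ICMP; do
    $IPTABLES -A INPUT -j ACCEPT -i $dev_inter -p $proto $KEEPSTATE
  done

  # Services reachable from any Internet address (new connections).
  for port in 22 21 80 110 25; do
    $IPTABLES -A INPUT -j ACCEPT -p TCP -i $dev_inter --dport $port
  done

  # Everything else arriving on INPUT is logged and dropped in a dedicated
  # chain. The LOG rule is rate-limited so a packet flood cannot fill the logs.
  # NOTE(review): log level emerg is usually broadcast to every terminal;
  # warning/info is the common choice for firewall logs.
  $IPTABLES -N log_and_drop
  $IPTABLES -A log_and_drop -m limit --limit 5/min -j LOG --log-level emerg --log-prefix 'FW '
  $IPTABLES -A log_and_drop -j DROP
  $IPTABLES -A INPUT -j log_and_drop

  # Enable routing only now that the ruleset is complete.
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Take the firewall down and return the host to an open, non-routing state.
# Globals:  IPTABLES (read)
#######################################
fw_stop() {
  echo "IPTables désactivé"
  raz
  # raz only flushes rules; the DROP policies installed by 'start' would
  # otherwise stay in force and cut the host off from everything, loopback
  # included.
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  # With the policies open, leaving routing on would make the host forward
  # between the two interfaces with no filtering at all; turning it off keeps
  # the "nothing is forwarded" state that 'stop' had before.
  echo 0 > /proc/sys/net/ipv4/ip_forward
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  status)
    # -n avoids reverse DNS lookups, which can stall the listing.
    $IPTABLES -L -v -n
    ;;
  *)
    echo "Usage: adsl {start|stop|status}" >&2
    exit 1
    ;;
esac
exit 0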