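#!/bin/sh
# $Id: blastfw.ini,v 1.2 2005/02/05 15:39:19 thomasez Exp $
#
# Transparent bridging firewall.
#
# Bridges eth0 and eth1 into br0 and drops a short list of known-bad
# TCP/UDP destination ports in the iptables FORWARD chain.  Everything
# else is passed through (policy ACCEPT on every chain): this is a
# "block the known bad" filter, deliberately NOT a default-deny firewall.
# Only forwarded traffic is filtered; the box's own INPUT/OUTPUT chains
# are left wide open.
#
# Read from /etc/config: HOSTNAME, OUTSIDE_DEV, INSIDE_DEV, DEBUG_LOG.
# NOTE(review): /etc/config is sourced as shell code while this script
# runs as root, so it must be root-owned and not writable by anyone else.
#
# NOTE(review): the iptables FORWARD rules below only see bridged frames
# when bridge netfilter is active (bridge-nf-call-iptables=1; on newer
# kernels that is the separate br_netfilter module, not part of "bridge").
# Verify on the target kernel -- otherwise the DROP rules are never hit.

. /etc/functions.inc
. /etc/config

# Defaults so an incomplete /etc/config does not yield a broken redirect
# ("modprobe x >> " with an empty target) or "hostname ''".
DEBUG_LOG=${DEBUG_LOG:-/dev/null}
[ -n "${HOSTNAME}" ] && hostname "${HOSTNAME}"

# Keep IP routing off until the rules are loaded.  This only gates routed
# traffic; bridged frames are gated by leaving br0 down until the end.
echo "0" > /proc/sys/net/ipv4/ip_forward

# require_dev NIC -- abort with a non-zero status when a required NIC is
# missing, so init / a wrapper can tell the firewall did NOT come up
# (the original exited 0 here, which looked like success).
require_dev() {
    if ! ifconfig "$1" > /dev/null 2>&1; then
        echo >&2
        echo "WARNING" >&2
        echo "Could not find two ethernet devices" >&2
        echo >&2
        exit 1
    fi
}
require_dev eth0
require_dev eth1

#
# Bridge and ebtables modules.  Failures only go to the debug log; the
# ebtables tables are still set up below even if a match module is missing.
#
for mod in bridge ebtables ebtable_broute ebtable_filter ebtable_nat \
           ebt_802_3 ebt_arp ebt_ip ebt_log ebt_mark ebt_mark_m ebt_pkttype; do
    modprobe "$mod" >> "$DEBUG_LOG" 2>&1
done

#
# Build the bridge, but leave br0 DOWN until the filter rules are in place:
# a bridge forwards frames regardless of ip_forward, so bringing br0 up
# here would pass the "known bad" ports unfiltered until the rules load.
#
brctl addbr br0                 # create bridge interface
# brctl stp br0 off             # disable spanning tree protocol on br0
brctl addif br0 eth0            # add eth0 to br0
brctl addif br0 eth1            # add eth1 to br0
# NOTE(review): the bridge members are hard-coded as eth0/eth1 while the
# interfaces brought up come from /etc/config; these must name the same
# two NICs -- verify the config matches.
ifconfig "$OUTSIDE_DEV" up
ifconfig "$INSIDE_DEV" up

###############################################################
# ebtables: default policy ACCEPT on every chain and flush all tables.
# This is the opposite of the usual "deny everything, then open up"
# advice on purpose: this box only stops a known-bad port list.
#
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -P FORWARD ACCEPT

ebtables -F
ebtables -t nat -F
ebtables -t broute -F

#
# iptables: flush every loaded table (not just filter), drop user-defined
# chains and zero the counters.  A missing /proc/net/ip_tables_names just
# means nothing is loaded yet, so its error is silenced.
#
for tbl in $(cat /proc/net/ip_tables_names 2> /dev/null); do
    iptables -F -t "$tbl"
done
iptables -X
iptables -Z                     # zero all counters

#
# Policy for chains: ACCEPT everything (see the note above).
#
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#
# The meat of it all, stopping stuff.
# drop_fwd PROTO DPORT[:DPORT] -- drop forwarded traffic to a port (range),
# in both directions since no -i/-o is given.
#
drop_fwd() {
    iptables -A FORWARD -p "$1" --dport "$2" -j DROP
}

# NetBIOS/Samba/CIFS
drop_fwd TCP 135:139
drop_fwd UDP 135:139
# (Sun)RPC
drop_fwd TCP 111
drop_fwd UDP 111
# rpc2portmap
drop_fwd TCP 369
drop_fwd UDP 369
# SMB over TCP / nmbd (and stopping Sasser.B)
drop_fwd TCP 445
drop_fwd UDP 445
# HTTP-RPC-EPMAP; UDP 593 is also the MS04-011 port
# (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) --
# the original added the UDP rule twice, once is enough.
drop_fwd TCP 593
drop_fwd UDP 593
# Windows Messaging
drop_fwd TCP 1026
drop_fwd UDP 1026
# MS-SQL resolution service (which the Slammer worm used)
drop_fwd UDP 1434

#
# Filter is loaded: now let traffic through.
#
ifconfig br0 up
# NOTE(review): kept from the original; a pure transparent bridge does not
# need IP routing, so if this box is not meant to route between its own
# addresses this could stay 0.
echo "1" > /proc/sys/net/ipv4/ip_forward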