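#!/bin/sh
# $Id: bridge.ini,v 1.2 2005/02/05 15:37:29 thomasez Exp $
#
# Bring up a transparent two-port ethernet bridge (br0 over INSIDE_DEV and
# OUTSIDE_DEV) and load a default-deny iptables ruleset on top of it.
#
# Reads from /etc/config:         HOSTNAME, INSIDE_DEV, OUTSIDE_DEV, DEBUG_LOG
# Reads from /etc/functions.inc:  stripcr
# Reads:   /mnt/config/open.lst (preferred) or /mnt/tmp/open.lst,
#          one "<destination>,<port>" per line, '#' lines are comments
# Writes:  /etc/open.lst, $DEBUG_LOG, /proc/sys/net/ipv4/ip_forward
#
# The RCS $Id$ keyword used to sit on the shebang line itself, where the
# kernel hands it to /bin/sh as an argument; it is a plain comment now.
#
# IP forwarding is switched off first and only switched back on by the very
# last line, so a failure anywhere in between leaves the box fail-closed.

. /etc/functions.inc
. /etc/config

hostname "${HOSTNAME}"

# Fail closed while the rules are being (re)built.
echo "0" > /proc/sys/net/ipv4/ip_forward

# Both bridge ports must exist before anything else is attempted.  The device
# names are quoted on purpose: an empty INSIDE_DEV/OUTSIDE_DEV used to expand
# to a bare "ifconfig", which lists all interfaces and succeeds.
for dev in "$INSIDE_DEV" "$OUTSIDE_DEV"; do
  if ! ifconfig "$dev" > /dev/null 2>&1; then
    echo
    echo "WARNING"
    echo "Could not find two ethernet devices"
    echo
    # NOTE(review): exits with status 0, so a caller checking the status will
    # not notice the failure — confirm whether a non-zero exit is wanted.
    exit
  fi
done

# Use the operator's open.lst when present, otherwise the shipped default.
if [ -f /mnt/config/open.lst ]; then
  stripcr /mnt/config/open.lst /etc/open.lst
else
  stripcr /mnt/tmp/open.lst /etc/open.lst
fi

#
# Adding the modules here:
#
# The log is truncated once per run and then appended to; the original
# truncated it on every modprobe, so only the last module's output survived.
# An unset or empty DEBUG_LOG goes to /dev/null instead of being a redirect
# error.
#
debug_log=${DEBUG_LOG:-/dev/null}
: > "$debug_log"
for mod in bridge ebtables ebtable_broute ebtable_filter ebtable_nat \
           ebt_802_3 ebt_arp ebt_ip ebt_log ebt_mark ebt_mark_m ebt_pkttype; do
  modprobe "$mod" >> "$debug_log" 2>&1
done

brctl addbr br0                   # create bridge interface
# brctl stp br0 off               # disable spanning tree protocol on br0
brctl addif br0 "$OUTSIDE_DEV"    # add outside device to br0
brctl addif br0 "$INSIDE_DEV"     # add inside device to br0

ifconfig "$OUTSIDE_DEV" up
ifconfig "$INSIDE_DEV" up
ifconfig br0 up

###############################################################
# Set default policy
#
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -P FORWARD ACCEPT

# clear existing tables
ebtables -F
ebtables -t nat -F
ebtables -t broute -F

#
# Firewall rules:
#

#
# Flushing the chains.
#
iptables -F
# One table name per line in /proc/net/ip_tables_names.
while read -r table; do
  iptables -F -t "$table"
done < /proc/net/ip_tables_names
iptables -X
iptables -Z        # zero all counters

#
# Policy for chains DROP everything
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i "$OUTSIDE_DEV" -p tcp ! --syn -m state --state NEW -j DROP

#
# We don't like the NetBIOS and Samba leaking..
# We don't really need these lines since the policy is drop but it's
# so important I'll keep it.
#
# These must come BEFORE the open.lst rules: appended after them, an open.lst
# entry for 135-139 or 445 would be matched first and silently defeat them.
#
iptables -A FORWARD -p TCP --dport 135:139 -j DROP
iptables -A FORWARD -p UDP --dport 137:139 -j DROP
iptables -A FORWARD -p TCP --dport 445 -j DROP
iptables -A FORWARD -p UDP --dport 445 -j DROP

echo "Opening ports."
# read without IFS= so leading/trailing blanks are stripped (a line like
# "   # note" is still a comment); "|| [ -n ... ]" keeps a final line that has
# no trailing newline.
while read -r myline || [ -n "$myline" ]; do
  case $myline in
    \#*|'') continue ;;
  esac
  # Split on the first comma only, then word-split, exactly as the old
  # "sed 's/,/ /' + set --" did; fields beyond the second are ignored.
  # Globbing is disabled around the split so a '*' in the file cannot
  # expand to file names.
  set -f
  set -- $(printf '%s\n' "$myline" | sed -e 's/,/ /')
  set +f
  if [ -n "$1" ] && [ -n "$2" ]; then
    # A token starting with '-' would be parsed by iptables as an option,
    # not as an address or port; refuse it rather than let a config line
    # rewrite the rule.
    case $1 in
      -*) echo "Skipping bad open.lst entry: $myline" >&2; continue ;;
    esac
    case $2 in
      -*) echo "Skipping bad open.lst entry: $myline" >&2; continue ;;
    esac
    echo "$1:$2"
    iptables -A FORWARD -p TCP -d "$1" --dport "$2" -j ACCEPT
    iptables -A FORWARD -p UDP -d "$1" --dport "$2" -j ACCEPT
  fi
done < /etc/open.lst

#
# Keep state and open up for outgoing connections.
#
# NOTE(review): on bridge-netfilter kernels the "-i" seen by the FORWARD chain
# for bridged frames may be br0 rather than the physical port; if these two
# port-specific rules never match, "-m physdev --physdev-in" is the port-level
# match — confirm on the target kernel.
iptables -A FORWARD -m state --state NEW -i "${INSIDE_DEV}" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i "${OUTSIDE_DEV}" -j DROP

# Rules are in place: start forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward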