#!/bin/sh

# $Id:$

#
# dmz-fw.ini
# A typical firewall subscript.
#
# Thomas Lundquist <thomasez@zelow.no>
#

# If no dmz info file, there is no use for this script.

[ -f /etc/dmz.info ] || exit;

. /etc/functions.inc

. /etc/config

. /etc/dmz.info
. /etc/inside.info
. /etc/outside.info

echo "Setting up DMZ."

# We will automatically accept DNS requests.
iptables -A INPUT -i ${DMZ_DEVICE} -p TCP --dport 53 -j ACCEPT
iptables -A INPUT -i ${DMZ_DEVICE} -p UDP --dport 53 -j ACCEPT

if [ "$DMZ_DHCP_SERVER" = "y" ]
then
  iptables -A INPUT -i ${DMZ_DEVICE} -p TCP --dport 67 -j ACCEPT
  iptables -A INPUT -i ${DMZ_DEVICE} -p UDP --dport 67 -j ACCEPT
  iptables -A INPUT -i ${DMZ_DEVICE} -p TCP --dport 68 -j ACCEPT
  iptables -A INPUT -i ${DMZ_DEVICE} -p UDP --dport 68 -j ACCEPT
fi

if [ "$DMZ_USE_NAT" = "y" ]
 then
  iptables -t nat -A POSTROUTING -s $DMZ_NETWORK/$DMZ_NETMASK -o $OUTSIDE_DEVICE -j MASQUERADE
fi 

# Open ports:
# The big caveat here is that multiport only supports 15 ports..
# We will try to pad that by giving the admin more options..
if [ -n "$DMZ_ALLOW_TO_OUTSIDE" ]
then
  case "$DMZ_ALLOW_TO_OUTSIDE" in
    all) iptables -A FORWARD -i $DMZ_DEVICE -o $OUTSIDE_DEVICE -j ACCEPT
	;;
    none) echo "No ports opened to OUTSIDE from DMZ"
	;;
    *) iptables -A FORWARD -p tcp -i $DMZ_DEVICE -m multiport --dports $DMZ_ALLOW_TO_OUTSIDE -o $OUTSIDE_DEVICE -j ACCEPT
	;;
  esac
fi

if [ -n "$DMZ_ALLOW_TO_INSIDE" ]
then
  case "$DMZ_ALLOW_TO_INSIDE" in
    all) iptables -A FORWARD -i $DMZ_DEVICE -o $INSIDE_DEVICE -j ACCEPT
	;;
    none) echo "No ports opened to INSIDE from DMZ"
	;;
    *) iptables -A FORWARD -p tcp -i $DMZ_DEVICE -m multiport --dports $DMZ_ALLOW_TO_INSIDE -o $INSIDE_DEVICE -j ACCEPT
	;;
  esac
fi

if [ -n "$DMZ_ALLOW_FROM_INSIDE" ]
then
  case "$DMZ_ALLOW_FROM_INSIDE" in
    all) iptables -A FORWARD -i $INSIDE_DEVICE -o $DMZ_DEVICE -j ACCEPT
	;;
    none) echo "No ports opened to DMZ from INSIDE"
	;;
    *) iptables -A FORWARD -p tcp -i $INSIDE_DEVICE -m multiport --dports $DMZ_ALLOW_FROM_INSIDE -o $DMZ_DEVICE -j ACCEPT
	;;
  esac
fi

# I'd better read the tc man pages and make a more tailored line instead of 
# just copying the one from firewall.ini
if [ -n "$DMZ_RESTRICT_KBITS" ]
then
  tc qdisc add dev $DMZ_DEVICE root tbf rate ${DMZ_RESTRICT_KBITS}kbit latency 50ms burst 1540
fi