#!/bin/sh
#
# firewall-base.sh
# 
# Basic functions for firewall start/stop scripts.
#
# By Jason Healy (jhealy@logn.net)
#
# $Header: /opt/cvs/omega/config/firewall/iptables.sh,v 1.18 2002/08/05 14:15:37 jhealy Exp $
#

# This script is included by 'firewall-init' and 'firewall-kill'.  It
# reads in configuration files and performs generic initialization for the
# other scripts.  This includes paving over all firewall rules for the
# specified interface so that the script can get a clean start.


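# Variable to catch debugging statements.  Setting this causes the script
# to PRINT all rules, but not actually implement them.
DEBUG="0"

# Delimiter to separate the params in a pattern
DELIMITER="|"

# Interface name
# Commented out; Debian automatically provides this variable name
#IFACE="$1"

# Every per-interface chain name further down is built from $IFACE, so
# with an empty value the script would go on to flush and delete chains
# called "_input", "_output", ... instead of the real ones.  Stop here:
# this file is sourced, so the exit also ends the including script before
# the chain clearing below runs.
if [ -z "$IFACE" ]; then
    printf '%s\n' "Error: no interface specified as first argument" 1>&2
    exit 1
fi

# get the real interface (no aliases) to use: strip an ":alias" suffix
# (eth0:1 -> eth0).  sed only rewrites the matched tail, so the leading
# characters of the name are kept as they are.
HW_IFACE=$(printf '%s\n' "$IFACE" | sed -e 's/\([a-zA-Z0-9]\):.*/\1/')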

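# Path to iptables program
IPTABLES="/sbin/iptables"

# Where should we look for the ruleset configs?
CONFIG_DIR="/etc/default/"
CONFIG_PRE="firewall-"
CONFIG_DEFAULT="default"
# Optional suffix for the config file names.  Nothing in this file sets
# it, so it is empty unless the including script provides one; defaulting
# it explicitly keeps the assignments below valid under "set -u".
CONFIG_POST="${CONFIG_POST:-}"

# read the default config
DEFAULT_RULES="$CONFIG_DIR$CONFIG_PRE$CONFIG_DEFAULT$CONFIG_POST"

# NOTE(review): the rules files are sourced, i.e. run as shell code with
# this script's privileges; they must stay owned by and writable only by
# root.  Messages use printf rather than "echo -e", which dash does not
# understand (it would print the "-e" literally).
if [ -f "$DEFAULT_RULES" ]; then
    . "$DEFAULT_RULES"
else
    printf '%s\n' "No default rules found..."
fi

# read the per-interface config
IFACE_RULES="$CONFIG_DIR$CONFIG_PRE$IFACE$CONFIG_POST"

if [ -f "$IFACE_RULES" ]; then
    . "$IFACE_RULES"
else
    printf "No rules found for interface '%s'... using defaults only\n" "$IFACE"
fi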


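#
# This function evaluates a set of patterns, and sticks each pattern into
# a given command line and executes it.
#
# Arguments: $1 - whitespace-separated list of patterns; the fields of one
#                 pattern are separated by $DELIMITER
#            $2 - command to run once per pattern
#            $3 - argument string appended to the command; it may refer to
#                 the pattern's fields as $1, $2, ... because the fields are
#                 made the positional parameters right before the eval
# Globals:   DELIMITER (read)
# Outputs:   whatever the evaluated command writes
# Returns:   status of the last evaluated command (0 for no patterns)
#
# NOTE(review): $2, $3 and the pattern fields are executed as shell code by
# eval.  They come from the firewall-* files under CONFIG_DIR, so those
# files must remain writable by root only.
#
evalPatterns() {

    local PATTERNS="$1"
    local COMMAND="$2"
    local ARGS="$3"
    local pattern expanded rc
    local glob_was_on=0

    # Turn pathname expansion off while the unquoted expansions below split
    # the patterns into words, so a field such as "*" reaches the command
    # literally instead of being replaced by file names from the cwd.
    case $- in
        *f*) ;;
        *)   set -f; glob_was_on=1 ;;
    esac

    for pattern in $PATTERNS; do
        expanded=$(printf '%s\n' "$pattern" | tr "$DELIMITER" " ")
        # "set --": a field starting with "-" is not taken as an option of
        # set, and an empty field list clears $@ instead of making "set"
        # dump every shell variable to stdout.
        set -- $expanded

        eval "$COMMAND $ARGS"

    done
    rc=$?

    if [ "$glob_was_on" = "1" ]; then
        set +f
    fi
    return "$rc"
}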


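## Begin processing!


if [ "$DEBUG" = "1" ]; then
    # (For debugging, use these values instead -- they print your rules out)
    printf '\n'
    printf '%s\n' "***************************************************************"
    printf '%s\n' "***** DEBUG: PRINTING ALL RULES, but not setting anything *****"
    printf '%s\n' "***************************************************************"
    printf '\n'
    # Left unquoted at every use below on purpose: word-splitting turns it
    # into "echo" followed by a "$ iptables" prefix, so each rule is
    # printed rather than applied.
    IPTABLES="echo \$ iptables"
fi

# printf with %s instead of "echo -e": backslash sequences inside the
# variable values are printed verbatim, and dash (which has no "echo -e")
# behaves the same as bash.
printf '%s\n' "--- Starting firewall-base processing ---"
printf '\n'
printf '%s\n' "Using the following variables:"
printf '\tIFACE:            %s\n' "$IFACE"
printf '\tHW_IFACE:         %s\n' "$HW_IFACE"
printf '\tIFACE_IP:         %s\n' "$IFACE_IP"
printf '\tIPTABLES:         %s (iptables binary)\n' "$IPTABLES"
printf '\tDROP:             %s (drop command)\n' "$DROP"
printf '\tREJECT:           %s (reject command)\n' "$REJECT"
printf '\tLOG:              %s (log level)\n' "$LOG"
printf '\tLP:               %s (log prefix string)\n' "$LP"
printf '\tDEBUG:            %s' "$DEBUG"
if [ "$DEBUG" = "1" ]; then
    printf '%s\n' "  (Debugging is ON)"
else
    printf '%s\n' "  (Debugging is OFF)"
fi

printf '\n'

printf '\tClearing old rules for interface %s ...\n' "$IFACE"

#######################################
# Delete every rule matching the given iptables arguments.
# "iptables -D" removes a single matching rule per call, so a jump into
# an interface chain that was added more than once (e.g. firewall-init
# run twice without a firewall-kill in between) would keep the chain
# referenced; the later "-X" would then fail silently and the stale
# rules would stay active.  Repeat the delete until it fails.  In DEBUG
# mode $IPTABLES is an echo that always succeeds, so only one pass is
# made there, and the loop is bounded in case a real iptables keeps
# reporting success.
# Globals:   IPTABLES, DEBUG (read)
# Arguments: the iptables argument list, starting with the table
# Outputs:   nothing; iptables errors are discarded because the rule or
#            the chain may not exist yet
#######################################
fwb_delete_refs() {
    local attempts=0
    while $IPTABLES "$@" 2>/dev/null; do
        attempts=$((attempts + 1))
        if [ "$DEBUG" = "1" ]; then
            break
        fi
        if [ "$attempts" -ge 64 ]; then
            printf 'Warning: "%s" still succeeds after %s deletes; giving up\n' "$*" "$attempts" 1>&2
            break
        fi
    done
}

# Define and clear out all the top-level interface chains (we discard
# stderr because the chains might not exist yet)

# Input
printf '\t\tINPUT\n'
IFACE_INPUT="${IFACE}_input"
# delete any existing references to the interface input chain
fwb_delete_refs -t filter -D INPUT -i "$HW_IFACE" -d "$IFACE_IP" -j "$IFACE_INPUT"
$IPTABLES -t filter -F "$IFACE_INPUT" 2>/dev/null
$IPTABLES -t filter -X "$IFACE_INPUT" 2>/dev/null

# Output
printf '\t\tOUTPUT\n'
IFACE_OUTPUT="${IFACE}_output"
# delete any existing references to the interface output chain
fwb_delete_refs -t filter -D OUTPUT -s "$IFACE_IP" -j "$IFACE_OUTPUT"
$IPTABLES -t filter -F "$IFACE_OUTPUT" 2>/dev/null
$IPTABLES -t filter -X "$IFACE_OUTPUT" 2>/dev/null

# Prerouting (evil IPs)
printf '\t\tPREROUTING\n'
IFACE_PREROUTING="${IFACE}_prerouting"
# delete any existing references to the interface prerouting chain
fwb_delete_refs -t nat -D PREROUTING -d "$IFACE_IP" -j "$IFACE_PREROUTING"
$IPTABLES -t nat -F "$IFACE_PREROUTING" 2>/dev/null
$IPTABLES -t nat -X "$IFACE_PREROUTING" 2>/dev/null


#
# Create separate chains for ICMP, TCP and UDP to traverse
#

printf '\tClearing protocol chains: '

printf '\t\ttcp_packets '
TCP_PACKETS="${IFACE}_tcp_packets"
$IPTABLES -t filter -F "$TCP_PACKETS" 2>/dev/null
$IPTABLES -t filter -X "$TCP_PACKETS" 2>/dev/null

printf '\t\tudp_packets '
UDP_PACKETS="${IFACE}_udp_packets"
$IPTABLES -t filter -F "$UDP_PACKETS" 2>/dev/null
$IPTABLES -t filter -X "$UDP_PACKETS" 2>/dev/null

printf '\t\ticmp_packets '
ICMP_PACKETS="${IFACE}_icmp_packets"
$IPTABLES -t filter -F "$ICMP_PACKETS" 2>/dev/null
$IPTABLES -t filter -X "$ICMP_PACKETS" 2>/dev/null

printf '\n'

printf '\n'
printf '\n'
printf '%s\n' "--- Done with firewall-base ---"
printf '\n'
printf '\n'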
