#!/bin/sh
# For more info: http://metalab.unc.edu/LDP/HOWTO/IPCHAINS-HOWTO.html
#
# Location of the ipchains binary referenced by every generated rule.
fw="/sbin/ipchains"
# Directory that receives the generated rc.firewall script.
fw_path="/etc/rc.d"
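# Print a prompt (no trailing newline) and read one line into fw_reply.
# Returns 1 on end of input so callers can abort instead of spinning on
# an empty answer forever (the old "while empty, read again" loops did).
fw_ask()
{
	printf '%s' "$1"
	if ! read -r fw_reply; then
		echo
		echo "No answer (end of input); aborting" >&2
		return 1
	fi
}

# Ask a yes/no question until the answer is y or n (any case).
# Sets fw_reply to "y" or "n". Returns 1 on end of input.
fw_ask_yn()
{
	while :; do
		fw_ask "$1" || return 1
		case $fw_reply in
		Y|y) fw_reply=y; return 0 ;;
		N|n) fw_reply=n; return 0 ;;
		esac
	done
}

# Ask until a non-empty answer is given; $2 (optional) is printed after
# an empty answer. Sets fw_reply. Returns 1 on end of input.
fw_ask_nonempty()
{
	while :; do
		fw_ask "$1" || return 1
		[ -n "$fw_reply" ] && return 0
		[ -n "$2" ] && echo "$2"
	done
}

# Append one line to the generated firewall script.
fw_emit()
{
	printf '%s\n' "$*" >> "${fw_path}/rc.firewall"
}

# Interactive generator for ${fw_path}/rc.firewall (an ipchains script).
# Globals read: fw (ipchains binary), fw_path (output directory).
# Side effects: backs up an existing rc.firewall to rc.firewall.OLD, writes
#   a new rc.firewall (mode 755), optionally sets rp_filter / ip_forward
#   in /proc and optionally runs the generated script.
# Returns 0 when the run finished or the user aborted, 1 when not root or
#   when stdin ended before a question was answered.
firewall_setup()
{
	: "${fw:?fw must name the ipchains binary}"
	: "${fw_path:?fw_path must name the output directory}"
	fw_script="${fw_path}/rc.firewall"

	if [ "$(id -u)" != "0" ]; then
		echo "You have to be root to use $0" >&2
		return 1
	fi

	echo "Basic IPChains Firewall setup script"
	echo "Using IPChains PATH: ${fw}"
	echo "Putting firewall script in: ${fw_script}"
	fw_ask_yn "Do you really want to set up an secure firewall? [Y/n]: " || return 1
	if [ "$fw_reply" = n ]; then
		# The original script had no arm for this answer and fell through silently.
		echo "Aborting IPChains Firewall setup"
		return 0
	fi

	# Ask the abort-capable policy question before touching any file so an
	# abort leaves the existing rc.firewall intact and no half-written one.
	fw_ask_yn "By default deny all input to your machine/network? [Y/n]: " || return 1
	if [ "$fw_reply" = n ]; then
		echo "Aborting IPChains firewall"
		return 0
	fi

	if [ -f "$fw_script" ]; then
		mv -- "$fw_script" "${fw_script}.OLD" || return 1
		echo "WARNING!! Copying existing rc.firewall to rc.firewall.OLD in ${fw_path}"
	fi
	# Create/truncate the script; everything after this is appended by fw_emit.
	printf '#!/bin/sh\n' > "$fw_script" || return 1
	fw_emit "# Firewall generated by $0"
	fw_emit ""
	fw_emit "# Flush all your chains"
	fw_emit "${fw} -F"
	fw_emit "# Deny everything in to the machine/network"
	fw_emit "${fw} -P input DENY"

	fw_ask_yn "By default accept all outgoing connections? [Y/n]: " || return 1
	if [ "$fw_reply" = y ]; then
		fw_emit "# Allow everything thats on its way out"
		fw_emit "${fw} -P output ACCEPT"
	else
		echo "OK, lets hope your default output value is on accept"
	fi

	fw_ask_nonempty "Whats your Internet Address?: " \
		"You have to have an IP to set up an firewall!" || return 1
	fw_ip=$fw_reply

	fw_ask_yn "Accept all connections from loopback [Y|n]: " || return 1
	if [ "$fw_reply" = y ]; then
		fw_emit "# Accept all connections from loopback"
		fw_emit "${fw} -A input -i lo -j ACCEPT"
	else
		echo "OK, not that smart but it's your choice"
	fi

	fw_ask_yn "Do you want to continue? [Y/n]: " || return 1
	if [ "$fw_reply" = y ]; then
		fw_emit "# User defined"
		while :; do
			echo "Applications you want to Allow"
			fw_ask "What protocol [tcp/udp/icmp]: " || return 1
			case $fw_reply in
			tcp|udp|icmp) fw_proto=$fw_reply ;;
			*)
				# Only these three are meaningful to ipchains here; re-ask
				# instead of writing a rule that would fail at activation.
				echo "Unknown protocol: ${fw_reply}"
				continue ;;
			esac
			fw_ask "What port: " || return 1
			fw_port=$fw_reply
			fw_ask "Where from? [0/0]: " || return 1
			fw_src=${fw_reply:-0/0}
			fw_emit "${fw} -A input -p ${fw_proto} -s ${fw_src} -d ${fw_ip}/32 ${fw_port} -j ACCEPT"
			printf '%s' "Enter one more? (Enter to skip): "
			# Empty answer or end of input both mean "no more rules".
			read -r fw_reply || fw_reply=
			[ -n "$fw_reply" ] || break
		done
	else
		echo "OK, not accepting anything to your machine"
	fi

	fw_emit "# Accept some replies by default (none user defined)"
	fw_emit "# TCP replies are matched with '! -y' (packets without SYN) so that"
	fw_emit "# a connection attempt merely sent from one of these source ports"
	fw_emit "# cannot get past the default DENY."
	for fw_port in 80 53 21 22 23 25; do
		fw_emit "${fw} -A input -p tcp ! -y -s 0/0 ${fw_port} -d ${fw_ip}/32 -j ACCEPT"
	done
	fw_emit "# Active-mode FTP data connections are new connections from source port 20,"
	fw_emit "# so they cannot be limited to replies; this stays a source-port based accept."
	fw_emit "${fw} -A input -p tcp -s 0/0 20 -d ${fw_ip}/32 -j ACCEPT"
	fw_emit "${fw} -A input -p udp -s 0/0 20 -d ${fw_ip}/32 -j ACCEPT"

	fw_ask_yn "Boost some protocols? [Y/n] (mostly for modem users): " || return 1
	if [ "$fw_reply" = y ]; then
		fw_emit "# Boost some protocols"
		while :; do
			printf '%s' "Boost what protocols? [telnet/ftp/ftp-data] (Enter to skip): "
			read -r fw_reply || fw_reply=
			case $fw_reply in
			"") break ;;
			telnet) fw_emit "${fw} -A output -p tcp -d 0/0 23 -t 0x01 0x10" ;;
			ftp) fw_emit "${fw} -A output -p tcp -d 0/0 21 -t 0x01 0x10" ;;
			# A port is only accepted by ipchains together with a protocol.
			ftp-data) fw_emit "${fw} -A output -p tcp -s 0/0 20 -t 0x01 0x08" ;;
			*) echo "Unknown protocol: ${fw_reply}" ;;
			esac
		done
	else
		echo "OK, skipping boosts"
	fi

	fw_ask_yn "Do you want to deny ping requests? [y/N]: " || return 1
	if [ "$fw_reply" = y ]; then
		fw_emit "# Deny Ping requests"
		# ipchains takes the ICMP type in the source "port" position.
		fw_emit "${fw} -A input -p icmp -s 0/0 echo-request -j DENY"
	fi

	fw_ask_yn "Do you want an IP stoof protection? [Y/n]: " || return 1
	if [ "$fw_reply" = y ]; then
		echo "IP spoof protection activated"
		# Persist the setting in the script so it is re-applied at boot,
		# and apply it now as the original did.
		fw_emit "# Reverse-path filtering (anti-spoofing)"
		fw_emit 'for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do [ -e "$rpf" ] && echo 1 > "$rpf"; done'
		if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
			for fw_rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
				echo 1 > "$fw_rpf"
			done
		fi
	else
		echo "Protection against IP spoofing could be a good thing..."
	fi

	fw_ask_yn "Do you use IP MASQ? [y/N]: " || return 1
	if [ "$fw_reply" = y ]; then
		# The original prompt string was unterminated, so the address was never
		# read and the forward policy line was never written.
		fw_ask_nonempty "What's your IP MASQ network address? (ex: 192.168.1.0/24 for a C class network): " || return 1
		fw_masq_net=$fw_reply
		fw_emit "# IP MASQ"
		fw_emit "# Enable forwarding here so it survives a reboot."
		fw_emit "echo 1 > /proc/sys/net/ipv4/ip_forward"
		fw_emit "${fw} -P forward DENY"
		fw_emit "# MASQ is only a valid target in the forward chain."
		fw_emit "# NOTE: with '-P input DENY' the LAN's packets must also be accepted"
		fw_emit "# on the input chain before they can be forwarded."
		fw_emit "${fw} -A forward -s ${fw_masq_net} -j MASQ"
		echo 1 > /proc/sys/net/ipv4/ip_forward
		echo "Just load your IP MASQ modules, whom should be located in: /lib/modules/$(uname -r)/ipv4"
	else
		echo "Oh, OK master!"
	fi

	chmod 755 "$fw_script"
	fw_ask_yn "Do you want to activate the firewall? [Y/n]: " || return 1
	if [ "$fw_reply" = y ]; then
		"$fw_script"
	else
		echo "OK, type ${fw_script} to activate your firewall"
	fi
	echo "Basic IPChains Firewall script is done."
	echo "You might want to take a look in ${fw_script}"
}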
# Entry point: everything is interactive and happens inside firewall_setup.
firewall_setup

