# rule(chain, target, proto, src, srcport, dst, dstport, iface,
#      mark, output, tos, fragment, redirect, syn, log, bidirectional)
#
# Only "chain" and "target" are required.  An omitted match argument
# matches anything; an omitted packet-marking argument does nothing.
# See ipchains(8) for what each argument means.


def closetcp(chain, src=None, dst=None):
    """Close *chain* to new TCP connections from src to dst.

    Three rules are appended, in this order:
      1. log and DENY TCP connection requests (syn=1),
      2. ACCEPT all other TCP, so flows that were already set up keep working,
      3. log and DENY anything that is not TCP.
    A src or dst of None matches any address on that side.
    """
    endpoints = dict(src=src, dst=dst)
    rule(chain, DENY, TCP, syn=1, log=1, **endpoints)
    rule(chain, ACCEPT, TCP, **endpoints)
    rule(chain, DENY, log=1, **endpoints)


# --- Addresses --------------------------------------------------------------
bbbbbbbbbbbbbbb = address('208.32.150.0', 24)
internal = address('192.168.0.0', 16)      # RFC 1918 space behind the masquerader
public = address('1.2.3.0', 24)
public_bcast = address('1.2.3.255')
cccccc = address('222.222.0.0', 16)
dddddd = address('12.9.99.0', 24)
eeeeeeee = address('10.1.10.0', 24)
ffffffff = address('10.1.12.0', 24)
gggggggg = address('234.12.34.0', 24)
aaaaaa = address('1.2.3.59')
hhhhhhhhhhhhhhh = address('1.2.32.1')
iiiiiiiiii = address('1.2.3.13')
jjjjjjj = address('1.2.3.4')
kkk = address('1.2.3.9')
hexhex35 = address('1.2.3.53')

# Source networks that are trusted on the strength of their address alone
# (used for hhhhhhhhhhhhhhh on INPUT and for the hexhex35 chain).
_trusted_sources = (cccccc, dddddd, eeeeeeee, ffffffff, gggggggg)

# --- Services (TCP/UDP ports) -----------------------------------------------
notes = 1352
smtp = 25
http = 80
httphigh = 8080
https = 443
domain = 53
ftp = 21
ftp_data = 20
bookitpro = 15000
imap2 = 143

# Services opened to new TCP connections on aaaaaa, and the list shared by
# jjjjjjj and kkk.  Both include ftp_data (20) as a *destination* port for
# connection requests; active-mode FTP has the server originate that
# connection from port 20, so confirm the hosts really listen there.
_aaaaaa_ports = (notes, https, http, httphigh, ftp, ftp_data, imap2)
_jjjjjjj_kkk_ports = (notes, https, http, httphigh, bookitpro, ftp, ftp_data)

# --- Chain policies ---------------------------------------------------------
# INPUT and OUTPUT fall through to ACCEPT: on the firewall host itself only
# the destinations singled out below are restricted (plus whatever
# add_route_rules installs, which is not visible here).  FORWARD falls
# through to REJECT.
default(INPUT, ACCEPT)
default(FORWARD, REJECT)
default(OUTPUT, ACCEPT)

# --- ICMP -------------------------------------------------------------------
# A separate chain classifies ICMP by type.  Error reports a host needs
# (unreachables, time-exceeded, parameter problems) are let through, most of
# them logged; messages that can alter routing or map the network
# (redirects, router discovery, source quench, timestamp and address-mask)
# are logged and denied.  Entries are (target, icmptype, logged) in the
# order the rules are installed.
_icmp_rules = (
    (ACCEPT, 'echo-request', False),
    (ACCEPT, 'echo-reply', False),
    (ACCEPT, 'destination-unreachable', True),
    (ACCEPT, 'network-unreachable', True),
    (ACCEPT, 'host-unreachable', True),
    (ACCEPT, 'protocol-unreachable', True),
    (ACCEPT, 'port-unreachable', False),
    (ACCEPT, 'fragmentation-needed', True),
    (ACCEPT, 'source-route-failed', True),
    (ACCEPT, 'network-unknown', True),
    (ACCEPT, 'host-unknown', True),
    (ACCEPT, 'network-prohibited', True),
    (ACCEPT, 'host-prohibited', True),
    (ACCEPT, 'TOS-network-unreachable', True),
    (ACCEPT, 'TOS-host-unreachable', True),
    (ACCEPT, 'communication-prohibited', True),
    (DENY, 'host-precedence-violation', True),
    (DENY, 'precedence-cutoff', True),
    (DENY, 'source-quench', True),
    (DENY, 'redirect', True),
    (DENY, 'network-redirect', True),
    (DENY, 'host-redirect', True),
    (DENY, 'TOS-network-redirect', True),
    (DENY, 'TOS-host-redirect', True),
    (DENY, 'router-advertisement', True),
    (DENY, 'router-solicitation', True),
    (ACCEPT, 'time-exceeded', True),
    (ACCEPT, 'ttl-zero-during-transit', True),
    (ACCEPT, 'ttl-zero-during-reassembly', True),
    (ACCEPT, 'parameter-problem', True),
    (ACCEPT, 'ip-header-bad', True),
    (ACCEPT, 'required-option-missing', True),
    (DENY, 'timestamp-request', True),
    (DENY, 'timestamp-reply', True),
    (DENY, 'address-mask-request', True),
    (DENY, 'address-mask-reply', True),
)
for _target, _icmptype, _logged in _icmp_rules:
    if _logged:
        rule('icmp', _target, ICMP, icmptype=_icmptype, log=1)
    else:
        rule('icmp', _target, ICMP, icmptype=_icmptype)
# Any ICMP type not listed above.
rule('icmp', DENY, log=1)

# --- INPUT (traffic addressed to this host) ---------------------------------
add_route_rules(INPUT)

# aaaaaa: ICMP and the selected TCP services are accepted and tagged with
# fwmark 1, which the mfw entry at the end of this file forwards to
# 192.168.4.2.  Everything else to aaaaaa is closed off by closetcp().
rule(INPUT, 'icmp', ICMP, dst=aaaaaa, mark=1)
for _port in _aaaaaa_ports:
    rule(INPUT, ACCEPT, TCP, dst=aaaaaa, dstport=_port, syn=1, mark=1)
closetcp(INPUT, dst=aaaaaa)

# hhhhhhhhhhhhhhh: ICMP plus new TCP connections from the trusted source
# networks are tagged fwmark 2 (mfw forwards them to 1.2.3.53, hexhex35);
# all other packets to it are logged and denied.
# NOTE(review): this trust rests on the source address alone, so it is only
# as strong as whatever anti-spoofing runs before this point (possibly in
# add_route_rules -- not visible here).  Only syn=1 packets are accepted
# explicitly; the non-SYN remainder of those connections reaches the DENY
# below unless the masquerading code claims it first -- worth confirming.
rule(INPUT, 'icmp', ICMP, dst=hhhhhhhhhhhhhhh, mark=2)
for _net in _trusted_sources:
    rule(INPUT, ACCEPT, TCP, src=_net, dst=hhhhhhhhhhhhhhh, syn=1, mark=2)
rule(INPUT, DENY, dst=hhhhhhhhhhhhhhh, log=1)

# Nothing addressed to the public broadcast address is wanted.
rule(INPUT, DENY, dst=public_bcast, log=1)

# --- FORWARD (traffic routed through this host) -----------------------------
# Masquerade the internal network on its way out through eth1 (Internet).
rule(FORWARD, MASQ, src=internal, iface='eth1')
# All forwarded ICMP goes through the type filter above.
rule(FORWARD, 'icmp', ICMP)
# Anything from the internal network and -- assuming bidirectional=1 maps to
# ipchains -b, which also installs the mirror rule -- anything addressed to
# it.  Keeping internal unreachable from the Internet therefore relies on
# 192.168/16 not being routed from outside, not on a rule in this chain.
rule(FORWARD, ACCEPT, src=internal, bidirectional=1)
# The public network may open TCP connections anywhere.
rule(FORWARD, ACCEPT, TCP, src=public, syn=1)

# iiiiiiiiii: mail and DNS only, plus unrestricted traffic to/from
# bbbbbbbbbbbbbbb.  Each new SMTP session is logged.
rule(FORWARD, ACCEPT, src=bbbbbbbbbbbbbbb, dst=iiiiiiiiii, bidirectional=1)
rule(FORWARD, ACCEPT, TCP, dst=iiiiiiiiii, dstport=smtp, syn=1, log=1)
rule(FORWARD, ACCEPT, TCP, dst=iiiiiiiiii, dstport=smtp, bidirectional=1)
rule(FORWARD, ACCEPT, UDP, dst=iiiiiiiiii, dstport=domain, bidirectional=1)
rule(FORWARD, ACCEPT, TCP, dst=iiiiiiiiii, dstport=domain, bidirectional=1)
rule(FORWARD, DENY, dst=iiiiiiiiii, log=1)

# jjjjjjj: mail (new sessions logged) plus the shared service list.
rule(FORWARD, ACCEPT, TCP, dst=jjjjjjj, dstport=smtp, syn=1, log=1)
rule(FORWARD, ACCEPT, TCP, dst=jjjjjjj, dstport=smtp, bidirectional=1)
for _port in _jjjjjjj_kkk_ports:
    rule(FORWARD, ACCEPT, TCP, dst=jjjjjjj, dstport=_port, syn=1)

# kkk: the shared service list only.
for _port in _jjjjjjj_kkk_ports:
    rule(FORWARD, ACCEPT, TCP, dst=kkk, dstport=_port, syn=1)

# hexhex35: traffic to or from it is handled in its own chain (below).
rule(FORWARD, 'hexhex35', dst=hexhex35, bidirectional=1)

# Whatever is left: no new TCP connections, established TCP continues,
# everything else logged and denied.  The REJECT policy set above is only a
# backstop behind this.
closetcp(FORWARD)

# --- hexhex35 chain ---------------------------------------------------------
# Only the trusted source networks may exchange traffic with hexhex35;
# everything else is logged and denied.
for _net in _trusted_sources:
    rule('hexhex35', ACCEPT, src=_net, bidirectional=1)
rule('hexhex35', DENY, log=1)

# --- Kernel / masquerading setup (command_pre: presumably run before the
# --- rules are loaded) ------------------------------------------------------
# Reassemble fragments first so the rules see whole packets.
command_pre('echo 1 >/proc/sys/net/ipv4/ip_always_defrag')
# Masquerade-forwarding table: fwmark 1 -> 192.168.4.2, fwmark 2 -> 1.2.3.53.
command_pre('ipmasqadm mfw -F')
command_pre('ipmasqadm mfw -A -m 1 -r 192.168.4.2')
command_pre('ipmasqadm mfw -A -m 2 -r 1.2.3.53')