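#!/bin/sh
#
# /etc/rc.d/iptables: load/unload iptables rules
#
# Usage: /etc/rc.d/iptables {start|stop|restart|open}
#
#   start    load the saved IPv4 ruleset ($rules) with iptables-restore
#   stop     flush every table and fall back to deny-all: loopback only,
#            everything else is logged and dropped
#   open     flush every table, allow all outbound traffic, accept inbound
#            on unprivileged ports (see NOTE below), log and drop the rest
#   restart  stop, then start
#
# Expects to run as root (iptables needs CAP_NET_ADMIN). There is no
# `set -e` on purpose: a table that this kernel lacks (raw/security) makes
# one iptables call fail, and the remaining tables must still be handled.

rules=/etc/iptables/net.v4
ipt=/usr/sbin/iptables

# Flush and delete every chain in every table. Chain *policies* are not
# touched here; each action sets the policies it wants itself.
iptables_clear () {
  echo "clear all iptables tables"
  for tbl in filter nat mangle raw security; do
    "$ipt" -t "$tbl" -F
    "$ipt" -t "$tbl" -X
  done
}

# Append the terminal "log then fall through to the chain policy" rules
# to the three filter chains. Shared by `stop` and `open`.
# NOTE(review): these LOG rules are not rate-limited (`-m limit`); a
# flood of dropped packets ends up in the kernel log one line at a time.
iptables_log_rest () {
  "$ipt" -A INPUT   -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
  "$ipt" -A OUTPUT  -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
  "$ipt" -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
}

case "$1" in
  start)
    echo "starting IPv4 firewall filter table..."
    # Fail loudly instead of letting iptables-restore choke on a missing
    # file and leaving the host with whatever ruleset was there before.
    if [ ! -r "$rules" ]; then
      echo "$0: ruleset $rules is missing or unreadable" >&2
      exit 1
    fi
    # Without -n, iptables-restore flushes each table it defines before
    # loading it, so no separate iptables_clear is needed here.
    /usr/sbin/iptables-restore "$rules"
    ;;
  stop)
    echo "stopping firewall and deny everyone..."
    # Set the deny-all policies *before* flushing: if the previous policy
    # was ACCEPT, flushing first would briefly leave every chain wide open.
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT DROP
    iptables_clear
    # Unlimited on local
    "$ipt" -A INPUT  -i lo -j ACCEPT
    "$ipt" -A OUTPUT -o lo -j ACCEPT
    # log everything else and drop (via the DROP policies above)
    iptables_log_rest
    ;;
  open)
    echo "outgoing Open firewall and deny everyone..."
    # Policies first, flush second, for the same reason as in `stop`.
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT
    iptables_clear
    # Reset the mangle table to its pass-through defaults.
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
      "$ipt" -t mangle -P "$chain" ACCEPT
    done
    # All outbound traffic is allowed; the OUTPUT rules appended later
    # (loopback, LOG) are therefore never reached.
    "$ipt" -A OUTPUT -j ACCEPT
    # Unlimited on local
    "$ipt" -A INPUT  -i lo -j ACCEPT
    "$ipt" -A OUTPUT -o lo -j ACCEPT
    # "Accept passive": inbound TCP and UDP on unprivileged ports.
    # NOTE(review): including NEW in the state list accepts *unsolicited*
    # inbound connections on every port >= 1024 from any source, not just
    # return traffic for outbound sessions. If only passive-FTP/reply
    # traffic is intended, remove NEW from both rules.
    "$ipt" -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
    "$ipt" -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
    # log everything else and drop (via the DROP policies above)
    iptables_log_rest
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "usage: $0 [start|stop|restart|open]" >&2
    ;;
esac

# End of file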