#!/bin/sh
#
# ipchains packet-filter init script: restricts which packets this Linux
# host accepts on its input chain (loopback open, explicit allow-list for
# 172.16.47.0/24, everything else falls to a DENY policy).
#
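# Source function library (Red Hat init-script convention; nothing from it
# is used directly below).
. /etc/rc.d/init.d/functions

if [ ! -f /etc/sysconfig/network ]; then
    exit 0
fi

. /etc/sysconfig/network

# Check that networking is up.  Quoted so an unset NETWORKING does not turn
# the test into a "[: unary operator expected" error.
[ "${NETWORKING}" = "no" ] && exit 0

# This script drives ipchains, not ifconfig, so ipchains is the binary whose
# absence matters.  Do not exit 0 quietly: a missing filter tool means the
# host comes up unfiltered, and that must be visible in the boot log.
if ! command -v ipchains >/dev/null 2>&1; then
    printf '%s\n' "$0: ipchains not found; no packet filter installed" >&2
    exit 1
fi

cd /etc/sysconfig/network-scripts || exit 0

[ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ] || exit 0

# Provides NETWORK and BROADCAST (when the file defines them) for the
# anti-smurf ICMP rules below.  NOTE(review): the interface is hard-coded
# to eth0.
. /etc/sysconfig/network-scripts/ifcfg-eth0

#
# ----------------------------------------------------------------------------
#
# Every rule is installed through this wrapper so a rejected rule is reported
# instead of silently skipped: ipchains returns non-zero on a bad rule, and a
# partially loaded ruleset is otherwise easy to miss.  FAILED is checked at
# the end of the script.
#
FAILED=0
rule() {
    ipchains "$@" || {
        printf '%s\n' "$0: failed: ipchains $*" >&2
        FAILED=1
    }
}
#
# ----------------------------------------------------------------------------
#
# Make the default policy of the input chain DENY *before* flushing, so the
# host is never left with an empty input chain under an ACCEPT policy while
# the rules are being rebuilt.  Anything the "local" chain does not match
# falls back to this policy.
#
rule -P input DENY
#
# NOTE(review): the forward and output chains keep whatever policy they
# already have; this script only filters what the box itself accepts.
#
# ----------------------------------------------------------------------------
#
# Flush any current chains (built-in and user-defined).
#
rule -F
#
# ----------------------------------------------------------------------------
#
# Allow unlimited traffic on loopback interface.
#
rule -A input  -i lo -j ACCEPT
rule -A output -i lo -j ACCEPT
#
# ----------------------------------------------------------------------------
#
# Next define a chain called "local".  -X fails harmlessly when the chain
# does not exist yet (first run after boot), so it bypasses the wrapper.
#
ipchains -X local 2>/dev/null
rule -N local
#
# ----------------------------------------------------------------------------
#
# Deny access to hosts that have been seen scanning this box.  These come
# first so a denied host matches nothing further down the chain.
#
# ----------------------------------------------------------------------------
#
rule -A local  -s 172.16.47.24/32 -j DENY
rule -A local  -s 172.16.47.35/32 -j DENY
rule -A local  -s 172.16.47.42/32 -j DENY
rule -A local  -s 172.16.47.43/32 -j DENY
rule -A local  -s 172.16.47.45/32 -j DENY
rule -A local  -s 172.16.47.46/32 -j DENY
#
# ----------------------------------------------------------------------------
#
# Accept all traffic (any protocol, any port) from these trusted hosts.
#
# ----------------------------------------------------------------------------
#
rule -A local  -s 172.16.47.19/32 -j ACCEPT
rule -A local  -s 172.16.47.40/32 -j ACCEPT
rule -A local  -s 172.16.47.17/32 -j ACCEPT
rule -A local  -s 172.16.47.23/32 -j ACCEPT
rule -A local  -s 172.16.47.36/32 -j ACCEPT
rule -A local  -s 172.16.47.38/32 -j ACCEPT
#
# ----------------------------------------------------------------------------
#
# Accept ICMP echo requests only from our network, and never when they are
# addressed to the network, broadcast or limited-broadcast address (smurf
# amplification).  NETWORK and BROADCAST come from ifcfg-eth0; if the file
# does not define them the rule would be rejected by ipchains, so it is
# skipped with a warning rather than being silently lost.
#
if [ -n "${NETWORK}" ]; then
    rule -A local -p ICMP -d "${NETWORK}/32" --icmp-type 8 -j DENY
else
    printf '%s\n' "$0: NETWORK not set in ifcfg-eth0; network-address echo rule skipped" >&2
fi
if [ -n "${BROADCAST}" ]; then
    rule -A local -p ICMP -d "${BROADCAST}/32" --icmp-type 8 -j DENY
else
    printf '%s\n' "$0: BROADCAST not set in ifcfg-eth0; broadcast echo rule skipped" >&2
fi
rule -A local -p ICMP -d 255.255.255.255/32 --icmp-type 8 -j DENY
rule -A local -p ICMP -s 172.16.47.0/24 --icmp-type 8 -j ACCEPT
rule -A local -p ICMP -s 0.0.0.0/0 --icmp-type 8 -j DENY
#
# NOTE(review): every other ICMP type falls through to the input DENY policy,
# including type 3 (destination unreachable / fragmentation needed).  Confirm
# that dropping it is intended; it can black-hole path-MTU discovery.
#
# ----------------------------------------------------------------------------
#
# Log all TCP SYN (connection) requests.  --log without -j only logs; the
# packet continues down the chain.
#
rule -A local -p TCP -i ! lo --syn --log
#
# ----------------------------------------------------------------------------
#
# Accept SSH connections only from our subnet.  SSH from anywhere else is not
# matched below and ends up in the input DENY policy (logged by the SYN rule
# above).
#
rule -A local -p TCP -s 172.16.47.0/24 --dport 22 -j ACCEPT
#
# ----------------------------------------------------------------------------
#
# Accept all TCP from our subnet (which also covers SSH above); accept
# http/https and time (37) from the whole 172.16/16 network.  Other TCP to
# well-known ports is left to the DENY policy.
#
rule -A local -p TCP -s 172.16.47.0/24 -j ACCEPT
rule -A local -p TCP -s 172.16.0.0/16 --dport 80 -j ACCEPT
rule -A local -p TCP -s 172.16.0.0/16 --dport 443 -j ACCEPT
rule -A local -p TCP -s 172.16.0.0/16 --dport 37 -j ACCEPT
#
# ----------------------------------------------------------------------------
#
# Accept TCP to non-privileged ports, and TCP from source port 22, but only
# for packets that are NOT connection requests (! --syn).  Without that
# qualifier these rules let anyone open a new connection to any port above
# 1019 -- and to *any* port at all just by sourcing from port 22 -- which
# bypasses every TCP restriction above.  Replies to connections we initiate
# (SYN/ACK, ACK, data) never have SYN alone set, so they still pass.
# NOTE(review): this also closes the path active-mode FTP data connections
# (server port 20 -> our high port) used; add an explicit --sport 20 rule if
# that is needed.  The range starts at 1020 as in the original, which still
# includes the privileged ports 1020-1023.
#
rule -A local -p TCP -s 0.0.0.0/0 --dport 1020:65535 ! --syn -j ACCEPT
rule -A local -p TCP -s 0.0.0.0/0 --sport 22 ! --syn -j ACCEPT
#
# ----------------------------------------------------------------------------
#
# UDP is stateless, so this is a short allow-list followed by a logged deny:
#   - portmap (111), NFS (2049), port 1025 and NETBIOS (135-139) from our
#     subnet
#   - DNS replies (source port 53) from our two name servers
#   - RIP (source port 520) from the router, dropped without logging
# Everything else is logged and denied.
# NOTE(review): the purpose of port 1025 is not recorded; confirm it is still
# needed.  The DNS rules accept any destination port from those two hosts;
# if this box does not run a name server, adding --dport 1024:65535 would
# tighten them.  The final rule logs every stray UDP datagram and ipchains
# has no rate limit, so a flood can fill the log.
#
rule -A local -p UDP -s 172.16.47.0/24 --dport 111 -j ACCEPT
rule -A local -p UDP -s 172.16.47.0/24 --dport 2049 -j ACCEPT
rule -A local -p UDP -s 172.16.47.0/24 --dport 1025 -j ACCEPT
rule -A local -p UDP -s 172.16.47.0/24 --dport 135:139 -j ACCEPT
rule -A local -p UDP -s 172.16.1.2/32 --sport 53 -j ACCEPT
rule -A local -p UDP -s 172.16.1.1/32 --sport 53 -j ACCEPT
rule -A local -p UDP --sport 520 -j DENY
rule -A local -p UDP --log -j DENY
#
# ----------------------------------------------------------------------------
#
# Apply the "local" chain to the input chain.
#
rule -A input -j local

# Surface a partially installed ruleset.  Because the DENY policy was set
# first, the failure mode is closed rather than open, but it still needs
# fixing, so report it in the exit status.
if [ "${FAILED}" -ne 0 ]; then
    printf '%s\n' "$0: one or more firewall rules were not installed" >&2
    exit 1
fi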
