#!/bin/bash
# Start/stop the diod firewall 

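#######################################
# Bring the firewall up.
# Loads the netfilter modules, turns on reverse-path filtering, then either
# restores the previously saved ruleset or installs the built-in default
# policy and saves it for later starts.
# Globals:   none (reads/writes /proc/sys and /etc/netfilter)
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 if the saved ruleset could not be restored or
#            the policy directory could not be created
#######################################
start(){
	local iptables=/usr/sbin/iptables
	local policy=/etc/netfilter/policy.netfilter
	local mod flag chain

	# A failed modprobe is reported on stderr but does not abort start.
	for mod in ip_tables iptable_filter iptable_nat ip_conntrack ipt_state ip_conntrack_ftp; do
		/sbin/modprobe "$mod"
	done

	# Anti-spoofing: reverse-path filtering on every interface.
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
		for flag in /proc/sys/net/ipv4/conf/*/rp_filter; do
			echo 1 > "$flag"
		done
	fi

	if [ -e "$policy" ]; then
		# Load the saved policy. A failed restore must not be silent:
		# iptables-restore (without -n) flushes the tables it loads, so a
		# corrupt file could leave the host with empty chains and ACCEPT
		# policies while the script still reports success.
		if ! /usr/sbin/iptables-restore < "$policy"; then
			printf 'rc.firewall: failed to restore %s\n' "$policy" >&2
			return 1
		fi
		return 0
	fi

	# Built-in "diod" policy: allow loopback and replies to our own traffic,
	# drop everything else inbound, allow everything outbound.
	# Each rule is first removed (best-effort, errors ignored) so that a
	# repeated start does not stack duplicate rules.
	for chain in INPUT OUTPUT FORWARD; do
		"$iptables" -t filter -D "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT >/dev/null 2>&1
		"$iptables" -t filter -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
	done
	"$iptables" -t filter -D INPUT -i lo -j ACCEPT >/dev/null 2>&1
	"$iptables" -t filter -A INPUT -i lo -j ACCEPT
	"$iptables" -t filter -D OUTPUT -o lo -j ACCEPT >/dev/null 2>&1
	"$iptables" -t filter -A OUTPUT -o lo -j ACCEPT

	# INPUT: final catch-all drop. This is an appended rule, not the chain
	# policy, so anything appended to INPUT after it is never reached.
	"$iptables" -t filter -D INPUT -j DROP >/dev/null 2>&1
	"$iptables" -t filter -A INPUT -j DROP

	# OUTPUT: everything outbound is allowed.
	"$iptables" -t filter -D OUTPUT -j ACCEPT >/dev/null 2>&1
	"$iptables" -t filter -A OUTPUT -j ACCEPT

	# Save the policy so later starts restore it. The ruleset describes the
	# host's exposure, so the file is created readable by root only.
	if ! mkdir -p /etc/netfilter; then
		printf 'rc.firewall: cannot create /etc/netfilter, policy not saved\n' >&2
		return 1
	fi
	( umask 077 && /usr/sbin/iptables-save > "$policy" )
}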

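#######################################
# Bring the firewall down: flush and delete every rule in the filter, nat
# and mangle tables, reset the filter chain policies to ACCEPT and turn off
# reverse-path filtering. After stop the host accepts all traffic.
# Globals:   none (writes /proc/sys)
# Arguments: none
# Outputs:   nothing; iptables errors are suppressed
# Returns:   0
#######################################
stop(){
	local iptables=/usr/sbin/iptables
	local table chain flag

	# Flush and delete rules. A table whose module is not loaded makes
	# iptables fail; that is harmless here and therefore silenced.
	for table in filter nat mangle; do
		"$iptables" -t "$table" -F >/dev/null 2>&1
		"$iptables" -t "$table" -X >/dev/null 2>&1
	done

	# Open the built-in chains.
	for chain in INPUT OUTPUT FORWARD; do
		"$iptables" -t filter -P "$chain" ACCEPT >/dev/null 2>&1
	done

	# Disable anti-spoofing
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
		for flag in /proc/sys/net/ipv4/conf/*/rp_filter; do
			echo 0 > "$flag"
		done
	fi
	return 0
}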

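# Dispatch on the action argument. The selector is quoted and defaulted so a
# missing argument reaches the usage branch rather than an unset-variable
# error. The script's exit status is that of the last start/stop call.
case "${1:-}" in
	start)
		start
	;;
	stop)
		stop
	;;
	restart)
		stop
		start
	;;
	*)
		# Usage is a diagnostic, so it goes to stderr.
		printf '%s\n' "Usage: rc.firewall {start|stop|restart}" >&2
		exit 1
	;;
esac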

