#! /bin/sh
#
# Texas Union Unix Cluster (ozma.union.utexas.edu)
# network and firewall setup
#
# rc.inet1	This shell script boots up the base INET system.
# Brent Cook <busterb@xxxxxxxxxxxxxxx>
#  based on rc.firewall by Oskar Andreasson <blueflux@xxxxxxxxxxx>
#   (c) BoingWorld.com
#  based on rc.inet1 from Slackware 8.0
#

###########
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)

HOSTNAME=`cat /etc/HOSTNAME`

LOCALHOST_IP="127.0.0.1"

LAN_IFACE="eth1"
LAN_IP="192.168.1.1"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST="192.168.1.255/32"

INET_IFACE="eth0"
INET_IP="146.6.96.9"
INET_BCAST="146.6.96.255/32"
INET_GW="146.6.96.250"

#INET_IFACE_ALIAS0=${INET_IFACE}:0
#INET_IP_ALIAS0="146.6.96.53"

REALSERVER_IP1="192.168.1.11"
REALSERVER_IP2="192.168.1.12"

IPTABLES="/usr/sbin/iptables --verbose"
IPVSADM="/sbin/ipvsadm"
IFCONFIG="/sbin/ifconfig"
ROUTE="/sbin/route"

ENABLE_FIREWALL="yes"
ENABLE_FORWARDING="yes"

# Attach the loopback device.
$IFCONFIG lo 127.0.0.1
$ROUTE add -net 127.0.0.0 netmask 255.0.0.0 lo

echo "Configuring ${LAN_IFACE} as ${LAN_IP}..."
$IFCONFIG ${LAN_IFACE} ${LAN_IP} broadcast ${LAN_BCAST}

echo "Configuring ${INET_IFACE} as ${INET_IP}..."
$IFCONFIG ${INET_IFACE} ${INET_IP} broadcast ${INET_BCAST}
$ROUTE add default gw ${INET_GW} netmask 0.0.0.0 metric 1

#echo "Configuring ${INET_IFACE_ALIAS0} as ${INET_IP_ALIAS0}..."
#$IFCONFIG ${INET_IFACE_ALIAS0} ${INET_IP_ALIAS0}
#$ROUTE add -host ${INET_IP_ALIAS0} dev ${INET_IFACE_ALIAS0}

# Set up routing and IPVS services

#########
# Load all required IPTables modules
#

# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

#
# Remove previous routing tables
#
$IPTABLES --flush

#
# Support for owner matching
#
/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP
#
/sbin/modprobe ip_conntrack_ftp


#CRITICAL:  Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward


# Enable simple IP FORWARDing and Masquerading
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# check to enable firewall
if [ "$ENABLE_FIREWALL" = "yes" ]; then

#
# set default policies for the INPUT, FORWARD and OUTPUT chains
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# the allowed chain for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages. This is where the state matching 
# is performed also, we allow NEW, ESTABLISHED and RELATED packets.

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
# port 26 is actually ssh to the routers
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport ftp-data -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport ftp -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport telnet -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport smtp -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport pop3 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport ssh -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport ssh-router -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport http -j allowed	
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport https -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport ident -j allowed

#
# UDP rules
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's 
#

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Mark packets in http/https, smtp/submission and ftp groups
#

$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP --dport ftp -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP --dport ftp-data -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP --dport http -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp -s 0.0.0.0/0 -d $INET_IP --dport https -j MARK --set-mark 2

#
# INPUT chain
#
# establish the basic INPUT chain and filter the packets onto the correct
# chains.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -p ALL -d $INET_IP_ALIAS0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
# establish the basic OUTPUT chain and filter them onto the correct chain
#

$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $INET_IP_ALIAS0 -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

fi

# check to enable firewall
if [ "$ENABLE_FORWARDING" = "yes" ]; then

echo "Starting IPVS"
#
# clear old IPVS tables
#
$IPVSADM --clear

#
# set TCP, TCP_FIN and UDP timeouts
#
$IPVSADM --set 2400 120 30

#
# ipvs forwarding for FTP service, weighted least connections
#
echo "Adding FTP service..."
$IPVSADM -A -f 1 -s wlc -p 600
$IPVSADM -a -f 1 -r $REALSERVER_IP1:0 -m -w 1
$IPVSADM -a -f 1 -r $REALSERVER_IP2:0 -m -w 1

#
# ipvs forwarding for fwmarked HTTP/HTTPS service, round-robin
#
echo "Adding main HTTP/HTTPS service..."
$IPVSADM -A -f 2 -s rr -p 600
$IPVSADM -a -f 2 -r $REALSERVER_IP1:0 -m
$IPVSADM -a -f 2 -r $REALSERVER_IP2:0 -m

#
# ipvs forwarding for SMTP service, round-robin
#
echo "Adding SMTP service..."
$IPVSADM -A -t $INET_IP:smtp -s rr
$IPVSADM -a -t $INET_IP:smtp -r $REALSERVER_IP1:smtp -m -w 1
#$IPVSADM -a -t $INET_IP:smtp -r $REALSERVER_IP2:smtp -m -w 1

#
# ipvs forwarding for aliased SMTP service, round-robin
#
#echo "Adding aliased SMTP service..."
#$IPVSADM -A -t $INET_IP_ALIAS0:smtp -s rr
#$IPVSADM -a -t $INET_IP_ALIAS0:smtp -r $REALSERVER_IP2:smtp -m -w 1

#
# ipvs forwarding for POP3 service, weighted least connections
#
echo "Adding POP3 service..."
$IPVSADM -A -t $INET_IP:pop3 -s wlc
$IPVSADM -a -t $INET_IP:pop3 -r $REALSERVER_IP1:pop3 -m -w 1
$IPVSADM -a -t $INET_IP:pop3 -r $REALSERVER_IP2:pop3 -m -w 1

#
# ipvs forwarding for SSH service, weighted least connections
#
echo "Adding SSH service..."
$IPVSADM -A -t $INET_IP:ssh -s wlc
$IPVSADM -a -t $INET_IP:ssh -r $REALSERVER_IP1:ssh -m -w 1
$IPVSADM -a -t $INET_IP:ssh -r $REALSERVER_IP2:ssh -m -w 1

#
# ipvs forwarding for TELNET service, weighted least connections
#
echo "Adding TELNET service..."
$IPVSADM -A -t $INET_IP:telnet -s wlc
$IPVSADM -a -t $INET_IP:telnet -r $REALSERVER_IP1:telnet -m -w 1
$IPVSADM -a -t $INET_IP:telnet -r $REALSERVER_IP2:telnet -m -w 1

fi

# End of rc.inet1