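#--------------------------------------------------------------------#
# Scenario: - eth1 (NIC on the LAN)                                  #
#           - ppp0 (dial-up interface, the Internet side)            #
#                                                                    #
# This firewall script NATs the LAN behind the dial-up link and then #
# forces every LAN PC through the proxy whenever it connects to      #
# port 80, 8080 or 3128.                                             #
# Info : dms@ikc.co.id                                               #
#--------------------------------------------------------------------#

# Everything below writes to /proc and to the netfilter tables, which only
# root may do. Without this guard each line fails with "Permission denied"
# but the script keeps going, leaving whatever ruleset was loaded before.
if [ "$(id -u)" -ne 0 ]; then
  echo "error: this script must be run as root" >&2
  exit 1
fi

echo -e "\n\nSETTING UP IPTABLES PROXY..."

INTIF="eth1"                # LAN-facing interface
EXTIF="ppp0"                # Internet-facing (dial-up) interface
IPTABLES=/sbin/iptables
LAN="192.168.1.0/24"        # address range of the network behind $INTIF
SERVER="192.168.1.1"        # host:port 8080 that web traffic is diverted to
#EXTIP="125.164.215.71"     # a fixed external IP is not used: ppp0 gets one per dial-up

echo "Loading required stateful/NAT kernel modules..."
# These are the 2.4/early-2.6 module names the script was written for.
# NOTE(review): newer kernels call them nf_conntrack / nf_conntrack_ftp /
# nf_nat_ftp etc. and autoload them; a failed modprobe here is then harmless
# noise, but check `lsmod` if FTP/IRC through the NAT stops working.
/sbin/depmod -a
for module in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
              iptable_nat ip_nat_ftp ip_nat_irc; do
  /sbin/modprobe "$module"
done

echo "Hardening IPv4 stack settings..."
echo "1" > /proc/sys/net/ipv4/tcp_syncookies              # keep accepting connections under a SYN flood
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # never answer broadcast pings (smurf amplifier)
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all       # would also hide the gateway from legitimate ping
# Strict reverse-path filtering: a packet whose source address would not be
# routed back out of the interface it arrived on is dropped. A gateway with
# one LAN and one dial-up link has no asymmetric-routing case, and this is
# what stops packets with forged LAN source addresses arriving on $EXTIF.
# "default" is set as well so ppp0, which only exists once the link is up,
# inherits the setting.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route # refuse source-routed packets
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects    # a router must not let ICMP redirects alter its routes
#echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians       # useful while debugging rp_filter drops; noisy otherwise
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout             # seconds a closed socket lingers in FIN-WAIT-2
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time        # seconds of idle before the first keepalive probe
# Window scaling and SACK are switched off. That costs throughput; it was
# presumably a workaround for a broken dial-up path (TODO confirm) and can
# be revisited.
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack

echo " Enabling IP forwarding..."
# NOTE(review): forwarding is switched on here, before the filter rules are
# (re)loaded, so whatever ruleset and FORWARD policy is currently loaded
# governs the gap until the rules below have been installed.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Rewrite the source of connections that were opened before the dial-up
# link received its address (dial-on-demand).
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " External interface: $EXTIF"
echo " External interface IP address is: ${EXTIP:-(dynamic, assigned by ppp)}"
echo " Loading proxy server rules..."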
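# Clearing any existing rules and setting default policies.
# FORWARD is set to DROP *before* the flush: ip_forward is already on, and
# an empty FORWARD chain with an ACCEPT policy would route the LAN
# unfiltered for the time it takes to load the rules below.
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# (The original script also created a "MACtest" chain here and deleted it
# again with -X one line later; nothing referenced it, so it is gone.)
for table in filter nat mangle; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done

# --- INPUT: traffic addressed to this gateway ----------------------------
# NOTE(review): the INPUT policy is ACCEPT, so everything not listed below
# is reachable from the Internet on $EXTIF. This is a blacklist, not a
# default-deny firewall: any service that is started later, or listens on
# a port nobody thought of, is exposed. "-P INPUT DROP" with explicit
# accepts for lo, $INTIF, ESTABLISHED,RELATED and the few services that
# genuinely must be reachable from $EXTIF is the safer layout. It is not
# done here because the SSH drops below are deliberately commented out,
# i.e. some remote-admin path from the Internet is in use and would have
# to be carried over first.
#
# Rules are appended in the order drops -> accept, which is the same
# effective order the original produced with its "-I" inserts.

# Services never reachable from any interface: portmapper, ident, NetBIOS,
# 826, PPTP and NFS, on both TCP and UDP. (Port 25 and 5050 were once in
# this list; they are intentionally disabled: SMTP is blocked in FORWARD
# only, 5050 not at all.)
NEVER_PORTS="111,113,139,826,1723,2049"
for proto in tcp udp; do
  $IPTABLES -A INPUT -p "$proto" -m multiport --dports $NEVER_PORTS -j DROP
done

# Services blocked only on the Internet side. FTP and DNS are refused on
# both protocols, the remainder on TCP only, exactly as before.
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --dports 21,53 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport \
  --dports 21,53,111,113,139,445,826,901,1723,2049 -j DROP
# SSH from the Internet is left reachable on purpose (see the note above).
#$IPTABLES -A INPUT -i $EXTIF -p udp --dport 22 -j DROP
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j DROP

# The proxy the LAN is forced through listens on port 8080 (the REDIRECT
# rules of the original imply it runs on this gateway). With an ACCEPT
# policy it is otherwise an open proxy for the whole Internet if it binds
# to all addresses, so refuse the proxy ports on the external side.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --dports 3128,8080 -j DROP

# Individual hosts blocked outright. This is a historical abuse list with
# no record of why each entry was added; review it periodically.
BLOCKED_HOSTS="24.10.129.59 67.175.251.207 89.142.169.18 24.176.80.10
               70.55.20.174 75.72.78.238 71.234.160.25 75.216.230.107
               98.30.94.174 195.50.191.14 68.198.229.137 66.74.232.167"
for host in $BLOCKED_HOSTS; do
  $IPTABLES -A INPUT -s "$host/32" -j DROP
done
# One host is refused only on port 80. The eth2 rule is kept verbatim, but
# no eth2 appears in the scenario at the top of this file; iptables accepts
# rules for absent interfaces without complaint, so confirm eth2 exists or
# remove the line.
$IPTABLES -A INPUT -i $EXTIF -p tcp -s 125.161.170.142/32 --dport 80 -j DROP
$IPTABLES -A INPUT -i eth2 -p tcp -s 125.161.170.142/32 --dport 80 -j DROP

# Replies to connections this gateway opened over $EXTIF. A no-op while the
# INPUT policy is ACCEPT, but it is what makes a later switch to default
# deny work without breaking outbound traffic.
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- NAT ------------------------------------------------------------------
# Hide the LAN behind whatever address ppp0 currently has.
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Transparent proxy: LAN traffic to the web ports is diverted to the proxy.
# The original followed these DNATs with REDIRECT rules for the same ports;
# DNAT is a terminating target, so the REDIRECTs could never match and have
# been removed. 443 stays out of the list on purpose: a transparent proxy
# cannot intercept TLS without breaking certificate validation on every
# client.
for port in 80 8080 3128; do
  $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport "$port" \
    -j DNAT --to-destination $SERVER:8080
done
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 443 -j DNAT --to-destination $SERVER:8080

# --- FORWARD: traffic routed between LAN and Internet -------------------
# Blocked in both directions for everyone: direct SMTP (LAN hosts cannot
# talk to external mail servers themselves) and a set of ports that appear
# to belong to P2P/file-sharing clients (6881-6889 is the usual BitTorrent
# range). These go first so they win over the accepts below.
P2P_PORTS="3135,3514,3587,4033,4661,5427,6581,9104,6881:6889"
for proto in tcp udp; do
  $IPTABLES -A FORWARD -p "$proto" --dport 25 -j DROP
  $IPTABLES -A FORWARD -p "$proto" -m multiport --dports $P2P_PORTS -j DROP
done

# LAN -> anywhere is allowed, but only for packets that both arrive on
# $INTIF and carry a $LAN source address. The original had "-i $INTIF" and
# "-s $LAN" as two independent accepts, so a packet arriving on $EXTIF with
# a forged 192.168.1.x source was forwarded into the LAN as well. Only the
# PPP peer or the ISP's own network can really deliver such a packet, but
# the combined rule costs nothing. Side effect to be aware of: hosts on
# $INTIF with an address outside $LAN are no longer forwarded. (The
# original's extra multiport accept for 21,22,53,110,143,5050,443 from
# $INTIF was fully covered by the interface accept and is dropped.)
$IPTABLES -A FORWARD -i $INTIF -s $LAN -j ACCEPT
# Internet -> LAN: only replies to connections the LAN opened.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Leftover hooks for the traffic shaper and the IP/MAC blocklists; they are
# not part of this script's behaviour.
#/etc/init.d/shaper restart
#/etc/init.d/shaper start
#/root/script/ip.drop
#/script/mac.drop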