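#!/bin/sh

#  IPTABLES  PROXY  script for the Linux 2.4 kernel.
#  This script is a derivative of the script presented in
#  the IP Masquerade HOWTO page at:
#  www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
#  It was simplified to coincide with the configuration of
#  the sample system presented in the Guides section of
#  www.aboutdebian.com
#
#  This script is presented as an example for testing ONLY
#  and should not be used on a production proxy server.
#
#  Usage:  script [INTIF EXTIF]
#      With no arguments the defaults below are used; with exactly two
#      arguments they name the internal and external interfaces.
#      Must run as root: it edits /etc/sysctl.conf, /etc/modules and
#      /etc/dnsmasq.conf, loads kernel modules, programs iptables and
#      saves the rule set to /etc/iptables/rules.v4.
#
# Modified 2019-07-09 bobmon
#

# Abort on the first failed command or unset variable so that a broken
# step (e.g. an iptables error) cannot be followed by saving a partial
# rule set.  Steps that are legitimately best-effort are guarded below.
set -eu

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Append a line to a file only if the file does not already contain it
# verbatim, so re-running the script does not accumulate duplicates.
# (POSIX sh has no 'local'; the variables are prefixed to avoid clashes.)
#   $1 - file to modify (created if missing)
#   $2 - exact line to append
append_once() {
  _ao_file=$1
  _ao_line=$2
  if [ -f "$_ao_file" ] && grep -qxF -- "$_ao_line" "$_ao_file"; then
    return 0
  fi
  printf '%s\n' "$_ao_line" >> "$_ao_file"
}

# printf instead of echo: '\n' handling in echo differs between shells.
printf '\n\nSETTING UP IPTABLES PROXY...\n'

# Everything below writes under /etc and /proc and calls iptables;
# fail early with one clear message rather than part-way through.
[ "$(id -u)" -eq 0 ] || die "This script must be run as root."


# === SECTION A
# -----------   FOR EVERYONE

# Set defaults for the internal and external interfaces:
INTIF="eth0"
#EXTIF="ppp0"
EXTIF="eth1"

# Override the defaults from the command line: exactly two arguments
# (internal, external) or none.  Any other count is a usage error
# instead of silently falling back to the defaults.
printf 'Default internal interface %s, external interface %s\n' "$INTIF" "$EXTIF"
case $# in
  0) ;;
  2)
    INTIF=$1
    EXTIF=$2
    printf 'Final internal interface %s, external interface %s\n' "$INTIF" "$EXTIF"
    ;;
  *)
    printf 'Usage: %s [INTIF EXTIF]\n' "${0##*/}" >&2
    exit 2
    ;;
esac
echo ''

# Both interfaces must exist; a typo here would otherwise yield
# FORWARD/MASQUERADE rules that silently match nothing.
ip link show dev "$INTIF" > /dev/null || die "internal interface '$INTIF' not found"
ip link show dev "$EXTIF" > /dev/null || die "external interface '$EXTIF' not found"

# ----------   DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS
#EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#---- Direct Ethernet link ----
# First IPv4 address on EXTIF.  It is only reported, not used in any
# rule (MASQUERADE selects the address itself), so a missing address
# is a warning rather than an error.
EXTIP=$(ip -4 addr show dev "$EXTIF" | sed -n -e 's|^ *inet \([0-9.]*\)/.*|\1|p' | head -n 1)
[ -n "$EXTIP" ] || printf 'warning: no IPv4 address found on %s\n' "$EXTIF" >&2

# --------  No more variable setting beyond this point  --------

printf '    External interface: %s, IP address: %s\n' "$EXTIF" "$EXTIP"

#---- DON'T suppress default gateway and DNS server ----
# Best-effort: a box without dnsmasq simply skips this step.
if [ -f /etc/dnsmasq.conf ]; then
  echo "Modifying /etc/dnsmasq.conf..."
  sed -i 's/^\(dhcp-option\)/###\1/' /etc/dnsmasq.conf
else
  printf 'warning: /etc/dnsmasq.conf not found, skipping\n' >&2
fi

#---- Enable routing in the kernel ----
echo "    Enabling IP forwarding..."
SYSCTL_CONF=/etc/sysctl.conf
echo "Modifying ${SYSCTL_CONF}..."
# Appended in place (no predictable /tmp staging copy) and only once
# per setting, so repeated runs leave a single entry.
append_once "$SYSCTL_CONF" 'net.ipv4.ip_forward=1'
append_once "$SYSCTL_CONF" 'net.ipv4.ip_dynaddr=1'

# Apply immediately as well, without waiting for the next boot.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#----

echo "Loading required stateful/NAT kernel modules..."

# 2.4-era module names, listed once and reused below.  Word-splitting on
# this variable is intentional (POSIX sh has no arrays).
NAT_MODULES="ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc iptable_nat ip_nat_ftp ip_nat_irc"

/sbin/depmod -a
# A module that is missing or renamed on the running kernel only warns;
# the original script also carried on after a failed modprobe.
for mod in $NAT_MODULES; do
  /sbin/modprobe "$mod" || printf 'warning: could not load module %s\n' "$mod" >&2
done

# Make the modules load at boot too, without duplicating entries.
MODULES_CONF=/etc/modules
echo "Modifying ${MODULES_CONF}..."
append_once "$MODULES_CONF" '#---- modules needed for stateful NAT --------'
for mod in $NAT_MODULES; do
  append_once "$MODULES_CONF" "$mod"
done

#----
echo "    Setting proxy server rules..."
mkdir -p /etc/iptables

# Clearing any existing rules and setting default policy.
# The host itself stays open (INPUT/OUTPUT policy ACCEPT); only
# forwarding defaults to DROP.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# FWD: Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT

#-------- Inbound allow-list from the internal client subnet --------
# These lines lacked the 'iptables' command and so never executed.
# NOTE: with the INPUT policy at ACCEPT (above) they currently change
# nothing; they only take effect if INPUT is later tightened to DROP.
NFS_CLIENTS="172.16.1.0/28"
iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p tcp --dport 2049 -j ACCEPT
## Further ports from the original, left disabled:
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p tcp --dport 32803 -j ACCEPT
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p udp --dport 32769 -j ACCEPT
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p tcp --dport 892 -j ACCEPT
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p udp --dport 892 -j ACCEPT
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p tcp --dport 875 -j ACCEPT
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p udp --dport 875 -j ACCEPT
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p tcp --dport 662 -j ACCEPT
##iptables -A INPUT -s "$NFS_CLIENTS" -m state --state NEW -p udp --dport 662 -j ACCEPT
#--------

# Enabling SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Persist the rule set.  The script already runs as root, so no sudo:
# with 'sudo cmd > file' the redirection would run unprivileged.
iptables-save > /etc/iptables/rules.v4

printf '       Proxy server rule loading complete\n\n'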