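#!/bin/sh
#
# Copyright (c) 02005 sense.lab
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# set up the firewall of the cryptobox
#
# called by:
#  - cbox-manage.sh during network-up
#
# usage: $0 start | stop
#
# Configuration comes from /etc/default/cryptobox (optional) and from
# $CONF_FILE (default: /etc/cryptobox/cryptobox.conf). Both files are
# sourced, i.e. executed as shell code, so they must only be writable
# by root. Variables used here:
#   NET_IFACE        - the interface facing the network (required)
#   ALLOW_TCP_PORTS  - whitespace separated list of tcp ports/ranges to open
#   ALLOW_UDP_PORTS  - whitespace separated list of udp ports/ranges to open
#

set -u

# print a message to stderr and abort with status 1
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

# run iptables and abort if it fails, so that the caller (cbox-manage.sh)
# is told about a half-applied rule set instead of the script carrying on
fw() {
	iptables "$@" || die "iptables $* failed"
}

# check that every item of a port list is a number or a range ("80" or
# "1024:2048") - anything else would end up as an iptables argument and
# must be refused before the rule set is touched
#  $1 - name of the list (used in the error message)
#  $2 - the list itself (word-split on purpose)
check_ports() {
	for p in $2; do
		case "$p" in
			''|*[!0-9:]*|*:*:*)
				die "$1: invalid port '$p'"
				;;
		esac
	done
}

# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox

# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}

# parse config file
[ -r "$CONF_FILE" ] || die "config file $CONF_FILE is not readable"
. "$CONF_FILE"

# empty port lists are allowed (nothing gets opened)
ALLOW_TCP_PORTS=${ALLOW_TCP_PORTS:-}
ALLOW_UDP_PORTS=${ALLOW_UDP_PORTS:-}

ACTION="help"
[ $# -gt 0 ] && ACTION=$1

case "$ACTION" in
	start)
		# validate the configuration before changing anything: with "set -u"
		# an unset NET_IFACE would otherwise abort only after the INPUT
		# policy is DROP and lock the box out
		[ -n "${NET_IFACE:-}" ] || die "NET_IFACE is not set in $CONF_FILE"
		check_ports ALLOW_TCP_PORTS "$ALLOW_TCP_PORTS"
		check_ports ALLOW_UDP_PORTS "$ALLOW_UDP_PORTS"
		# default policies first, so that flushing the chains below never
		# leaves a window in which everything is accepted
		fw -P INPUT DROP
		fw -P FORWARD DROP
		fw -P OUTPUT ACCEPT
		# enable tcp syncookies if the kernel offers the knob
		OFILE=/proc/sys/net/ipv4/tcp_syncookies
		[ -e "$OFILE" ] && echo 1 >"$OFILE"
		fw -F
		fw -X
		fw -Z
		fw -A INPUT -i lo -j ACCEPT
		for a in $ALLOW_TCP_PORTS; do
			fw -A INPUT -i "$NET_IFACE" -p tcp --dport "$a" -j ACCEPT
		done
		for a in $ALLOW_UDP_PORTS; do
			fw -A INPUT -i "$NET_IFACE" -p udp --dport "$a" -j ACCEPT
		done
		fw -A INPUT -i "$NET_IFACE" -p icmp -j ACCEPT
		# NOTE(review): there is no ESTABLISHED,RELATED rule, so replies to
		# connections the box opens itself are dropped by the INPUT policy;
		# add "-m state --state ESTABLISHED,RELATED -j ACCEPT" if the kernel
		# ships connection tracking - confirm against the cryptobox kernel
		;;
	stop)
		# open everything: policies to ACCEPT, then drop all rules/chains
		fw -P INPUT ACCEPT
		fw -P FORWARD ACCEPT
		fw -P OUTPUT ACCEPT
		fw -F
		fw -X
		fw -Z
		;;
	*)
		echo "usage $0 start | stop" >&2
		exit 1
		;;
esac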