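#!/bin/sh
# $Id$
#
# set up the firewall of the cryptobox
#
# called by:
#  - cbox-manage.sh during network-up
#
# usage: $0 start | stop
#
#   start - default-deny on INPUT and FORWARD; accept loopback traffic, the
#           TCP/UDP ports listed in the config on $NET_IFACE, replies to
#           connections the box opened itself (OUTPUT stays ACCEPT) and ICMP
#           on $NET_IFACE
#   stop  - open up completely (ACCEPT policies, no rules)
#
# config values read from /etc/cryptobox/cryptobox.conf:
#   NET_IFACE        - interface the allow rules are bound to (required)
#   ALLOW_TCP_PORTS  - whitespace separated TCP ports to accept (may be empty)
#   ALLOW_UDP_PORTS  - whitespace separated UDP ports to accept (may be empty)
#
# exit status: 0 if every rule was applied, 1 otherwise (also for usage errors)
#
# NOTE(review): only IPv4 is filtered here. If the kernel has IPv6 enabled,
# these rules must be mirrored with ip6tables (or IPv6 disabled), otherwise
# the filter is bypassed over IPv6.

set -u

# parse config file
. /etc/cryptobox/cryptobox.conf

ACTION="help"
[ $# -gt 0 ] && ACTION=$1

# set to 1 as soon as one iptables call fails, so the caller learns that the
# rule set is not the expected one. There is deliberately no 'set -e': a
# single failed rule must not leave the remaining rules unapplied.
FAILED=0

# run iptables, report (but do not abort on) failures
ipt()
{
  iptables "$@" || {
    echo "$0: 'iptables $*' failed" >&2
    FAILED=1
  }
}

# refuse to touch the firewall with an incomplete config - aborting half-way
# (as 'set -u' would do) would leave a partially built rule set behind
check_config()
{
  : "${NET_IFACE:?NET_IFACE is not set in /etc/cryptobox/cryptobox.conf}"
  : "${ALLOW_TCP_PORTS?ALLOW_TCP_PORTS is not set in /etc/cryptobox/cryptobox.conf}"
  : "${ALLOW_UDP_PORTS?ALLOW_UDP_PORTS is not set in /etc/cryptobox/cryptobox.conf}"
}

case "$ACTION" in
  start)
    check_config

    # default deny first, so nothing slips in while the rules are rebuilt
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # SYN flood protection (best effort - the sysctl may not exist)
    OFILE=/proc/sys/net/ipv4/tcp_syncookies
    if [ -e "$OFILE" ]; then
      echo 1 >"$OFILE" || echo "$0: could not enable tcp_syncookies" >&2
    fi

    # start from an empty rule set
    ipt -F
    ipt -X
    ipt -Z

    # local traffic
    ipt -A INPUT -i lo -j ACCEPT

    # replies to connections the box opened itself - without this the ACCEPT
    # policy on OUTPUT is useless, since every answer is dropped by INPUT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # the configured services, reachable on the external interface only
    for port in $ALLOW_TCP_PORTS
    do
      ipt -A INPUT -i "$NET_IFACE" -p tcp --dport "$port" -j ACCEPT
    done
    for port in $ALLOW_UDP_PORTS
    do
      ipt -A INPUT -i "$NET_IFACE" -p udp --dport "$port" -j ACCEPT
    done

    # NOTE(review): every ICMP type is accepted on the external interface;
    # restrict to the needed types (e.g. echo-request, the error messages)
    # if that is not wanted
    ipt -A INPUT -i "$NET_IFACE" -p icmp -j ACCEPT
    ;;
  stop)
    # open up completely: accept everything, then drop all rules
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X
    ipt -Z
    ;;
  *)
    # usage errors go to stderr and yield a non-zero exit status
    echo "usage $0 start | stop" >&2
    FAILED=1
    ;;
esac

exit "$FAILED"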