#!/bin/sh
#
# 3iptables-ppp_up-rules, v0.6 03/09/2003.
# Kiryanov Vasiliy, mailto://root@lycos.ru
#
# Thanks: Uwe Zeisberger - rfc1918 violating fix; 
#
# Many people use ppp to connect to the InterNet; this script sets BASIC
# firewall (iptables) rules to protect your machine from crackers.
# For better protection read the iptables(8) manual and tune this script!

# FOR USAGE:
# put 3iptables-ppp_up-rules script in /etc/ppp/ip-up.d
# put 3iptables-ppp_down-rules script in /etc/ppp/ip-down.d
# check: scripts owned by root.root and have mode 700. 

# If you find some errors or missing write me: root@lycos.ru
#--------------------------------------------------------------

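# check that iptables is installed and that the kernel supports it
IPTABLES=/sbin/iptables
test -x "$IPTABLES" || exit 1
"$IPTABLES" --list --numeric >/dev/null 2>&1 || exit 1

# When pppd brings the link up it runs ip-up, which sets the variables
# listed below and uses run-parts to run every script in /etc/ppp/ip-up.d,
# this one among them.

# ip-up sets these variables, so we don't need to:
#      Var            Name                     Example
#   PPP_IFACE    Interface name                 ppp0
#   PPP_TTY      The tty                        ttyS1
#   PPP_SPEED    The link speed                 38400
#   PPP_LOCAL    Local IP number                12.34.56.78
#   PPP_REMOTE   Peer  IP number                12.34.56.99
#   PPP_IPPARAM  Optional ``ipparam'' value     foo

#   PPP_TTYNAME  Tty name stripped of /dev/ (if present) for easier matching

# PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The two variables every rule below depends on must really be set.  If the
# script is started by hand instead of from ip-up, an unset one would reach
# iptables as an empty argument instead of an interface name / address.
: "${PPP_IFACE:?must be set by ip-up (run this script from /etc/ppp/ip-up.d)}"
: "${PPP_LOCAL:?must be set by ip-up (run this script from /etc/ppp/ip-up.d)}"

#Set variables for handy manipulation
#MY_ISP="217.21.59.0/24"    # set your ISP address range !!
#--------------------------------------------------------------
LOOPBACK_INTERFACE="lo"    # loopback interface
LOOPBACK="127.0.0.0/8"     # loopback interface address
CLASS_A="10.0.0.0/8"       # class A private addresses (RFC 1918)
CLASS_B="172.16.0.0/12"    # class B private addresses (RFC 1918)
CLASS_C="192.168.0.0/16"   # class C private addresses (RFC 1918)
CLASS_D="224.0.0.0/4"      # MULTICAST
CLASS_E="240.0.0.0/4"      # RESERVED class E, 240.0.0.0-255.255.255.255
                           # (the earlier /5 stopped at 247.255.255.255)
BROADCAST_SRC="0.0.0.0"         # unspecified / broadcast source address
BROADCAST_DST="255.255.255.255" # limited-broadcast destination address
PRIVATE_PORTS="0:1023"          # your computer private (privileged) ports
# Where the current ruleset is backed up.  The SAME path must be used by
# 3iptables-ppp_down-rules, which restores it when the link goes down.
SAVE_FILE="/tmp/3iptables-ppp_up-SAVE"
#--------------------------------------------------------------

#Save the existing iptables ruleset, we restore it after the PPP interface goes down!

# disable `root group` and `other users` access: the backup is created rw-------
umask 066
# /tmp is world-writable, so anything may already sit at $SAVE_FILE.  Remove
# it unconditionally (rm -f deletes a symlink itself, never its target): the
# previous `test -e` guard followed links, so a *dangling* link was left in
# place and the redirect below then created the link's target file.
rm -f -- "$SAVE_FILE"
# noclobber makes the redirect fail if a file (or a link) appeared between
# the rm and the open, instead of silently writing through it.
set -C
if ! /sbin/iptables-save > "$SAVE_FILE"; then
  # Not fatal: the protective rules are still installed below; only the
  # ip-down restore will have no backup to work from.
  printf '%s: could not save current ruleset to %s\n' "$0" "$SAVE_FILE" >&2
fi
set +C


#INPUT RULESET

# Rules are appended: if ip-down never ran (e.g. after a crash) the next
# ip-up adds a second copy of each rule.  Harmless for DROP rules, but it
# explains duplicates in `iptables --list`.

# Drop every packet arriving on the ppp link from the given source range.
# Arguments: $1 - source address or network (CIDR)
drop_input_from() {
  "$IPTABLES" --append INPUT --in-interface "$PPP_IFACE" --source "$1" --jump DROP
}

# block packets that go to your computer's private ports [your computer ISN'T a SERVER]
# this gives you reasonably safe InterNet surfing without upgrading service software!!
# NOTE: this rule is TCP only; UDP services below 1024 are not covered by it.
"$IPTABLES" --append INPUT --in-interface "$PPP_IFACE" --protocol tcp \
  --destination-port "$PRIVATE_PORTS" --jump DROP

# block packets carrying your own source ip-address [you can't send packets to yourself]
drop_input_from "$PPP_LOCAL"
# block packets with LOOPBACK source address
drop_input_from "$LOOPBACK"
# block class A,B,C,D,E address ranges [they can't legitimately come from the InterNet]
for net in "$CLASS_A" "$CLASS_B" "$CLASS_C" "$CLASS_D" "$CLASS_E"; do
  drop_input_from "$net"
done
# block packets with the unspecified source address and the limited-broadcast destination
drop_input_from "$BROADCAST_SRC"
"$IPTABLES" --append INPUT --in-interface "$PPP_IFACE" --destination "$BROADCAST_DST" --jump DROP
# ISP block, WITHOUT Peer IP number [we work through it]
#"$IPTABLES" --append INPUT --in-interface "$PPP_IFACE" --source "$PPP_REMOTE" --jump ACCEPT
#drop_input_from "$MY_ISP"

#OUTPUT RULESET
# I can send anything I want, are you ?

#FORWARD RULESET
# block packets sent to you for FORWARDING (the policy is part of the
# saved ruleset, so ip-down restores the previous one).
"$IPTABLES" --policy FORWARD DROP

#
# try '# ifconfig' to see if your ppp interface is all right
# try '# iptables --list --verbose' to see if all rules are right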
