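#!/sbin/runscript
# OpenRC service wrapper around a Firewall Builder (fwbuilder) generated
# iptables script.
#
#   start: records the current values of a fixed set of ipv4 sysctls into
#          $STATESAVE as a small executable shell script, then runs
#          $FWSCRIPT, which installs the rules.
#   stop:  runs $STATESAVE to put the sysctls back, then flushes and deletes
#          every loaded iptables table and resets the built-in chains of the
#          nat/mangle/filter tables to ACCEPT.
#
# After "stop" the host does no packet filtering at all (all policies are
# ACCEPT); that is the intended "remove all rules" behaviour of this script.

# fwbuilder-generated firewall script executed on start.
FWSCRIPT=/root/fwbuilder/www.ican.at.fw
# Shell snippet written by start() that restores the pre-start sysctl values.
STATESAVE=/root/fwbuilder/state-before-start
# Kernel-provided list of currently loaded netfilter tables, one per line.
# Overridable so the stop logic can be exercised outside of a live kernel.
IPTABLES_NAMES=${IPTABLES_NAMES:-/proc/net/ip_tables_names}
opts="start stop"

# ipv4 sysctls whose pre-start values are saved by start() and restored by
# stop(). Whitespace separated; overridable for testing.
SAVED_SYSCTLS=${SAVED_SYSCTLS:-"
/proc/sys/net/ipv4/ip_forward
/proc/sys/net/ipv4/conf/all/rp_filter
/proc/sys/net/ipv4/conf/all/accept_source_route
/proc/sys/net/ipv4/conf/all/accept_redirects
/proc/sys/net/ipv4/conf/all/log_martians
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/proc/sys/net/ipv4/icmp_echo_ignore_all
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/proc/sys/net/ipv4/tcp_fin_timeout
/proc/sys/net/ipv4/tcp_keepalive_intvl
"}

depend() {
  need logger net
}

#######################################
# Write a shell snippet that restores the current value of every sysctl in
# SAVED_SYSCTLS.
# Globals:   SAVED_SYSCTLS (read)
# Arguments: $1 - path of the snippet to write (truncated if it exists)
# Outputs:   warnings on stderr for sysctls that cannot be read
# Returns:   0 on success, 1 if the file could not be written or a readable
#            sysctl could not be read
#######################################
save_sysctl_state() {
  local out=$1 f val
  # Create the file owner-only from the start instead of chmod-ing it
  # afterwards, so it is never briefly readable by other users.
  ( umask 077 && printf '#!/bin/sh\n' > "$out" ) || return 1
  # shellcheck disable=SC2086 -- word splitting on the list is intended
  for f in $SAVED_SYSCTLS; do
    if [ ! -r "$f" ]; then
      # Skipping is better than recording "echo  > path", which would fail
      # (and abort the restore) when the snippet is run.
      printf 'warning: %s not readable, value not saved\n' "$f" >&2
      continue
    fi
    val=$(cat "$f") || return 1
    printf 'echo %s > %s\n' "$val" "$f" >> "$out" || return 1
  done
  return 0
}

#######################################
# Save the current sysctl state, then load the firewall rules.
# Globals:   FWSCRIPT, STATESAVE (read)
# Returns:   status of the first step that failed, else that of $FWSCRIPT
#######################################
start() {
  ebegin "Loading fwbuilder rules from $FWSCRIPT"
  # Do not install rules if the state we would need to roll back to could
  # not be recorded.
  save_sysctl_state "$STATESAVE" \
    && chmod 700 "$STATESAVE" "$FWSCRIPT" \
    && "$FWSCRIPT"
  eend $?
}

#######################################
# Restore the saved sysctls and remove all iptables rules.
# Globals:   STATESAVE, IPTABLES_NAMES (read)
# Outputs:   warnings on stderr when the state file or table list is missing
# Returns:   0 if every step succeeded, 1 if any iptables call or the
#            restore snippet failed
#######################################
stop() {
  local table chain rv=0
  ebegin "Stopping firewall and removing all rules"
  # Put the sysctls back the way start() found them.
  if [ -x "$STATESAVE" ]; then
    "$STATESAVE" || rv=1
  else
    printf 'warning: %s missing, sysctls not restored\n' "$STATESAVE" >&2
  fi
  if [ -r "$IPTABLES_NAMES" ]; then
    # Flush and delete every loaded table; only nat/mangle/filter get their
    # built-in chain policies reset (other tables such as raw are flushed
    # but their policies are left untouched, as before).
    while IFS= read -r table || [ -n "$table" ]; do
      [ -n "$table" ] || continue
      iptables -F -t "$table" || rv=1
      iptables -X -t "$table" || rv=1
      case "$table" in
        nat)
          for chain in PREROUTING POSTROUTING OUTPUT; do
            iptables -t nat -P "$chain" ACCEPT || rv=1
          done
          ;;
        mangle)
          for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
            iptables -t mangle -P "$chain" ACCEPT || rv=1
          done
          ;;
        filter)
          for chain in INPUT FORWARD OUTPUT; do
            iptables -t filter -P "$chain" ACCEPT || rv=1
          done
          ;;
      esac
    done < "$IPTABLES_NAMES"
  else
    printf 'warning: %s not readable, no tables flushed\n' "$IPTABLES_NAMES" >&2
    rv=1
  fi
  # Every failure above is folded into rv instead of only the last one.
  eend "$rv"
}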