#!/bin/sh

# $Id: 00-ipppd,v 1.4 2002/05/01 20:32:49 root Exp $

# example /etc/ppp/ip-up.d script for use with ipppd and dynamic IP numbers.
# Edit / add to the entries to suit the requirements of the interface.

# Use the network to enable the IP dynamic hack to reset old connections
# (otherwise the RST-provoking packet can't get out).
# For a smaller set of dynamic numbers:
# PPP_NET=`echo $PPP_LOCAL | sed 's,\.[0-9]*$,.0/24,'`
# in case your ISP has a large pool of dynamic numbers (should be OK):
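# ppp_net_of ADDRESS -- print the /16 network that contains ADDRESS: the last
# two dotted groups are replaced by "0.0/16" (e.g. 10.1.2.3 -> 10.1.0.0/16).
# An ADDRESS with fewer than two dots is printed unchanged; an empty ADDRESS
# yields an empty result.  printf (not echo) so that a value starting with
# "-" or containing backslashes is passed through verbatim.
ppp_net_of() {
    printf '%s\n' "$1" | sed 's,\.[0-9]*\.[0-9]*$,.0.0/16,'
}
# For a smaller pool of dynamic numbers a /24 would do instead
# (replace only the last octet: sed 's,\.[0-9]*$,.0/24,').
PPP_NET=$(ppp_net_of "$PPP_LOCAL")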


# route  [-v]  [-A family] add [-net|-host] target [netmask Nm] [gw Gw] 
# [metric N] [mss M] [window W] [irtt I] [reject] [mod] [dyn] [reinstate] [[dev] If]

# Leave a trace in syslog: which interface triggered us, the first resolver
# we were handed and the network we derived from the dynamic address.
logger "ip-up 00-ipppd -- dev: ${PPP_IFACE} dns1: ${DNS1} ppp_net: ${PPP_NET}"

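# ---------------------------------------------------------------------------
# Filtering rules for the interface that just came up.
# ipchains is first-match: every ACCEPT below is appended to the input chain
# before the closing DENY, and all expansions are quoted so that an empty or
# odd value turns into an ipchains error instead of a silently different rule.
# Globals read: PPP_IFACE, PPP_NET, DNS1, DNS2, ANY
# ---------------------------------------------------------------------------
readonly IPCHAINS=/sbin/ipchains

# accept_dns_server SERVER -- allow UDP domain <-> domain exchanges with one
# resolver on this interface (input rule first, then output).
accept_dns_server() {
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p udp -s "$1" domain -d "$ANY" domain -j ACCEPT
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p udp -s "$1" domain -d "$ANY" domain -j ACCEPT
}

# accept_tcp_to_net PORT -- allow TCP to PORT on our dynamic network, on the
# input chain and then on the output chain.
accept_tcp_to_net() {
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p TCP -d "$PPP_NET" "$1" -j ACCEPT
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p TCP -d "$PPP_NET" "$1" -j ACCEPT
}

case "$PPP_IFACE" in
    ippp0|ippp1|ppp0)
	#route del default
	#route add default netmask 0 $PPP_IFACE	# usually necessary
	#route add default netmask 0 gw $PPP_REMOTE dev $PPP_IFACE
	#
	# The next lines are for additional firewalling rules.
	# See comments in /etc/isdn/device.* about firewalling!
	#
	# ANY is not set in this script; presumably the caller exports it.
	# Fall back to "every address" so the DNS rules below still load
	# when it is missing -- TODO confirm against the environment ipppd
	# hands to ip-up.
	: "${ANY:=0.0.0.0/0}"

	# A closing DENY left over from a previous session is deliberately NOT
	# removed yet: the new ACCEPT rules are appended below it (so they do
	# not match until it is gone) and it is replaced only at the very end.
	# That keeps the interface from being unfiltered while rules load.
#	"$IPCHAINS" -D input -l -j DENY

#	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p udp -s "$DNS1" domain -d "$ANY" 1023:  -j ACCEPT
#	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p udp -s "$DNS2" domain -d "$ANY" 1023:  -j ACCEPT
	accept_dns_server "$DNS1"
	accept_dns_server "$DNS2"
	# NOTE: www and http normally both name port 80 in /etc/services, so
	# the http rules duplicate the www ones; kept to match the original set.
	for port in ssh uucp ntp imaps www smtp ftp ftp-data http https; do
		accept_tcp_to_net "$port"
	done
#	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ident             -j ACCEPT
#	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" 1000:             -j ACCEPT
#	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p UDP  -d "$PPP_NET" 1024:             -j ACCEPT
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p ICMP -d "$PPP_NET"                   -j ACCEPT
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p ICMP -d "$PPP_NET"                   -j ACCEPT

	# von mason "entdeckt" ("discovered" by mason)
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p tcp --sport 61000:65096 --dport www -j ACCEPT        # www/tcp (O)
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p udp --sport domain --dport domain -j ACCEPT          # domain/udp (O)
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p udp --sport domain --dport domain -j ACCEPT          # domain/udp (I)
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p udp --sport ntp --dport ntp -j ACCEPT                # ntp/udp (O)
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p udp --sport ntp --dport ntp -j ACCEPT                # ntp/udp (I)
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p udp --sport 1024:65535 --dport domain -j ACCEPT      # domain/udp (O)
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p udp --sport domain --dport 1024:65535 -j ACCEPT      # domain/udp (I)
	"$IPCHAINS" -A output -i "$PPP_IFACE" -p tcp --sport 1024:65535 --dport ftp -j ACCEPT         # ftp/tcp (O)
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p ftp-data --sport ftp-data --dport 1024:65535 -j ACCEPT 2>/dev/null || \
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -p tcp --sport ftp-data --dport 1024:65535 -j ACCEPT    # ftp-data/tcp (I)

	# Now swap the stale closing DENY (if any; hence 2>/dev/null) for a
	# fresh one at the end of the chain.  The window between these two
	# commands is the only moment the chain has no DENY for this interface.
	"$IPCHAINS" -D input  -i "$PPP_IFACE" -j DENY 2>/dev/null
	"$IPCHAINS" -A input  -i "$PPP_IFACE" -j DENY
#	"$IPCHAINS" -A input   -l -j DENY
	;;
    *)
	;;
    # add more ipppX cases if you need them...
esac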


