#!/bin/sh

# $Id: 99-ipppd,v 1.5 2002/05/01 20:33:02 root Exp $

# example /etc/ppp/ip-down.d script for use with ipppd and dynamic IP numbers.
# Edit / add to the entries to suit the requirements of the interface.

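# Derive the network that the ipchains rules further down use as their
# destination (-d "$PPP_NET").  The value is recomputed here from PPP_LOCAL,
# so the substitution has to stay identical to the one that was in effect
# when the rules were added (presumably in the matching ip-up.d script --
# verify); otherwise the "ipchains -D" calls do not match and the ACCEPT
# rules stay in the chain after the link is gone.
#
# Use the network to enable the IP dynamic hack to reset old connections.
# For a smaller set of dynamic numbers, use this substitution instead:
#   sed 's,\.[0-9]*$,.0/24,'
# In case your ISP has a large pool of dynamic numbers (should be OK); note
# that /16 makes every rule that uses PPP_NET cover 65536 addresses.
#
# Arguments: $1 - local IP address of the link (dotted quad)
# Outputs:   the derived network on stdout; input that does not end in two
#            dot-separated numeric fields is printed unchanged
ppp_net_of() {
    # printf with a quoted argument passes the value through verbatim; the
    # former unquoted "echo $PPP_LOCAL" was subject to word splitting and
    # pathname expansion.
    printf '%s\n' "$1" | sed 's,\.[0-9]*\.[0-9]*$,.0.0/16,'
}
PPP_NET=$(ppp_net_of "$PPP_LOCAL")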

# Leave a syslog trace of every invocation: the local address and the device
# that pppd/ipppd reported for the link that went down.
logger "ip-down 99-ipppd -- ip: ${PPP_LOCAL} dev: ${PPP_IFACE}"

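# Tear down the per-link host route and the ipchains ACCEPT rules for the
# interface that just went down.
#
# Every delete below names a rule by its full specification, so each line has
# to mirror, argument for argument, a rule that was added while the link was
# up (presumably by the matching ip-up.d script -- verify).  A delete that
# does not match fails and the ACCEPT rule stays in the chain; failures are
# therefore counted and reported to syslog instead of being ignored.
#
# NOTE(review): DNS1, DNS2 and ANY are not set anywhere in this file; they are
# presumably exported by the caller or meant to be defined by the admin (see
# /etc/isdn/device.*) -- confirm.  They are quoted below so that an empty
# value reaches ipchains as an empty argument and the delete fails visibly,
# rather than the following port name being taken as the address.

rule_failures=0

# Delete one rule and count the call if ipchains reports an error.
# Arguments: "$@" - chain name followed by the rule specification
# Globals:   rule_failures (incremented on failure)
del_rule() {
    /sbin/ipchains -D "$@" || rule_failures=$((rule_failures + 1))
}

case "$PPP_IFACE" in
    ippp0|ippp1|ppp0)
	# Reset the dynamic-IP host route again:
	route del -host "$PPP_LOCAL" "$PPP_IFACE"
	# NOTE(review): 10.0.0.2 looks like the example's fixed placeholder
	# address for the idle link -- adjust to the local setup.
	route add -host 10.0.0.2 "$PPP_IFACE"
#	if route -n | grep '^0\.0\.0\.0' | grep -q " $PPP_IFACE" ; then
#	    # only reset default route if the
#	    # current default route is via this interface
#	    route del default
#	    #route add default netmask 0 $PPP_IFACE   # usually necessary
#	fi
	# The next lines are for simple firewalling.
	# See comments in /etc/isdn/device.* about firewalling!
#	del_rule input  -i "$PPP_IFACE" -p udp -s "$DNS1" domain -d "$ANY" 1023:  -j ACCEPT
#	del_rule input  -i "$PPP_IFACE" -p udp -s "$DNS2" domain -d "$ANY" 1023:  -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p udp -s "$DNS1" domain -d "$ANY" domain -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p udp -s "$DNS1" domain -d "$ANY" domain -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p udp -s "$DNS2" domain -d "$ANY" domain -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p udp -s "$DNS2" domain -d "$ANY" domain -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ssh               -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ssh               -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" uucp              -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" uucp              -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ntp               -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ntp               -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" imaps             -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" imaps             -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" www               -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" www               -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" smtp              -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" smtp              -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ftp               -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ftp               -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ftp-data          -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ftp-data          -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" http              -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" http              -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" https             -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" https             -j ACCEPT
#	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" ident             -j ACCEPT
#	del_rule input  -i "$PPP_IFACE" -p TCP  -d "$PPP_NET" 1000:             -j ACCEPT
#	del_rule input  -i "$PPP_IFACE" -p UDP  -d "$PPP_NET" 1024:             -j ACCEPT
	del_rule input  -i "$PPP_IFACE" -p ICMP -d "$PPP_NET"                   -j ACCEPT
	del_rule output -i "$PPP_IFACE" -p ICMP -d "$PPP_NET"                   -j ACCEPT

	# "Discovered" by mason (presumably the mason rule generator, which
	# derives rules from observed traffic -- confirm).  These rules carry
	# no -s/-d address restriction, so while present they match any
	# address on the interface.
	del_rule output -i "$PPP_IFACE" -p tcp --sport 61000:65096 --dport www -j ACCEPT      # www/tcp (O)
	del_rule output -i "$PPP_IFACE" -p udp --sport domain --dport domain -j ACCEPT        # domain/udp (O)
	del_rule input  -i "$PPP_IFACE" -p udp --sport domain --dport domain -j ACCEPT        # domain/udp (I)
	del_rule output -i "$PPP_IFACE" -p udp --sport ntp --dport ntp -j ACCEPT              # ntp/udp (O)
	del_rule input  -i "$PPP_IFACE" -p udp --sport ntp --dport ntp -j ACCEPT              # ntp/udp (I)
	del_rule output -i "$PPP_IFACE" -p udp --sport 1024:65535 --dport domain -j ACCEPT    # domain/udp (O)
	del_rule input  -i "$PPP_IFACE" -p udp --sport domain --dport 1024:65535 -j ACCEPT    # domain/udp (I)
	del_rule output -i "$PPP_IFACE" -p tcp --sport 1024:65535 --dport ftp -j ACCEPT       # ftp/tcp (O)
	del_rule input  -i "$PPP_IFACE" -p tcp --sport ftp-data --dport 1024:65535 -j ACCEPT  # ftp-data/tcp (I)

	# One summary line is enough to tell the admin that ACCEPT rules may
	# have outlived the link and that the chains need a manual look.
	if [ "$rule_failures" -ne 0 ]; then
	    logger -p user.warning "ip-down 99-ipppd -- $rule_failures ipchains rule(s) not deleted on $PPP_IFACE; check the chains for leftover ACCEPT rules"
	fi
	;;
    # add more ipppX cases if you need them (above the catch-all)...
    *)
	# Any other interface: nothing to undo here.
	;;
esac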

