#!/usr/bin/perl
#
# Generic ipchains frontend.
# (Prompt tuning enabled).
# Version 0.0.1.
#
# Author: Cody Tubbs (loophole of hhp);
# Site:   www.hhp-programming.net;
# Date:   12/24/2000;
# Happy christmas eve.
########################################

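#Server tuning. (edit if needed).
use strict;
use warnings;

my $CH = "/sbin/ipchains";

#Don't edit below here unless you know what you're doing.
#Script dependencies.
my $TAG       = "(-GenChains-) ";   # prefix on every status line and prompt
my $INTERFACE = "ppp0";             #Note: prompted for within execution.
my $IN_CHAIN  = "input";
my $OUT_CHAIN = "output";
my $RNET      = "0/0";              # "anywhere"; the old code built this as "$A/$A" with $A=0
my $LNET      = "";                 # local ip/mask, filled in once ifconfig has been asked

# Prompts are printed without a trailing newline, so make sure they reach the
# terminal before the script blocks reading the answer.
$| = 1;

# Shapes an answer must have before it is handed to ipchains. The list-form
# system() below already keeps every answer away from a shell; these checks
# additionally reject typos and anything starting with '-' that ipchains would
# otherwise parse as an option. Port may be empty, which ipchains reads as
# "all ports".
my $IFACE_RE = qr/\A[A-Za-z0-9][A-Za-z0-9_.:-]*\z/;
my $HOST_RE  = qr{\A[A-Za-z0-9][A-Za-z0-9.-]*(?:/[0-9.]+)?\z};
my $PORT_RE  = qr/\A(?:[A-Za-z0-9][A-Za-z0-9-]*(?::[A-Za-z0-9][A-Za-z0-9-]*)?)?\z/;
my $PROTO_RE = qr/\A[A-Za-z0-9]+\z/;

# Print a tagged status message; the caller supplies the newline when it wants one.
sub msg {
    print $TAG, @_;
    return;
}

# Show a tagged prompt and return the operator's answer with the newline
# removed. EOF on STDIN is treated as an empty answer instead of undef so the
# regex checks in the callers never see an uninitialized value.
sub prompt {
    my ($text) = @_;
    print $TAG, $text;
    my $line = <STDIN>;
    $line = '' unless defined $line;
    chomp $line;
    return $line;
}

# True when an answer starts with y/Y.
sub is_yes {
    my ($answer) = @_;
    return $answer =~ /\A[yY]/ ? 1 : 0;
}

# True when an answer starts with n/N (the ICMP/IGMP questions default to allow).
sub is_no {
    my ($answer) = @_;
    return $answer =~ /\A[nN]/ ? 1 : 0;
}

# Keep asking $text until the answer matches $re; $what names the expected
# value in the retry message. Every value that ends up on an ipchains command
# line comes through here.
sub prompt_valid {
    my ($text, $re, $what) = @_;
    while (1) {
        my $answer = prompt($text);
        return $answer if $answer =~ $re;
        msg("'$answer' is not a valid $what, try again.\n");
    }
}

# Run ipchains with the given argument list. List-form system() passes the
# arguments straight to the binary, so no shell ever sees operator input (the
# old backtick form interpolated answers into a shell command line). The exit
# status is checked too: the backticks discarded it, so a rule that failed to
# install went unnoticed. A rule that cannot be installed aborts the run; a
# half-applied ruleset is worse than an aborted one.
sub run_chains {
    my @args   = @_;
    my $status = system($CH, @args);
    if ($status == -1) {
        die "\n${TAG}could not run '$CH @args': $!\n";
    }
    if ($status != 0) {
        die "\n${TAG}'$CH @args' exited with status " . ($status >> 8) . "\n";
    }
    return;
}

# Append a logged input-chain rule for TCP traffic from anywhere to the local
# net on $port, with target ACCEPT or DENY.
sub tcp_input_rule {
    my ($port, $target) = @_;
    run_chains('-A', $IN_CHAIN, '-l', '-p', 'tcp', '-s', $RNET, '-d', $LNET, $port, '-j', $target);
    return;
}

# Ask ifconfig for the interface's address and netmask and return "ip/mask".
# The interface name is validated by the caller and passed as a separate
# argument, so no shell is involved. The regexes match the classic net-tools
# ifconfig layout ("inet addr:A.B.C.D ... Mask:E.F.G.H"), which is what the
# original grep/sed/awk pipeline picked fields from; a newer ifconfig that
# prints "inet A.B.C.D netmask E.F.G.H" will make this die with a clear message.
sub interface_net {
    my ($iface) = @_;
    open my $fh, '-|', 'ifconfig', $iface
        or die "${TAG}cannot run ifconfig $iface: $!\n";
    my $output = do { local $/; <$fh> };
    $output = '' unless defined $output;
    close $fh or die "${TAG}ifconfig $iface failed; is '$iface' a real interface?\n";
    my ($ip)   = $output =~ /inet addr:(\S+)/;
    my ($mask) = $output =~ /Mask:(\S+)/;
    if (!defined $ip || !defined $mask) {
        die "${TAG}could not find an IP address and netmask for $iface in ifconfig output\n";
    }
    return "$ip/$mask";
}

# Prompt for host[/net], port(s) and protocol and append a logged input-chain
# rule with target $target; repeats while the operator answers "more". The
# first prompt is passed in because the trusted and banned flavours word it
# differently. Replaces the old TRUST/BANNED pair, which recursed into
# themselves for "Prompt for more?" and shared the globals $HOSTNET/$PORT/$PROTO.
sub host_rules {
    my ($host_prompt, $verb, $target) = @_;
    do {
        my $hostnet = prompt_valid($host_prompt, $HOST_RE, "host[/net]");
        my $port    = prompt_valid("What port(s), (use ':' to seperate inline sequences)? ", $PORT_RE, "port or port range");
        my $proto   = prompt_valid("What protocol, (Example: tcp)? ", $PROTO_RE, "protocol");
        msg("$verb $hostnet:$port\n");
        # An empty answer means "all ports": leave the positional port argument
        # out entirely rather than passing an empty string ipchains would reject.
        my @port_arg = length $port ? ($port) : ();
        run_chains('-A', $IN_CHAIN, '-l', '-p', $proto, '-s', $hostnet, '-d', $LNET, @port_arg, '-j', $target);
    } while (is_yes(prompt("Prompt for more? [y/n]: ")));
    return;
}

# Trusted host[/net] tuning: ACCEPT rules on the input chain.
sub TRUST {
    host_rules("What trusted host[/net], (Example: 4.21.3.1/24)? ", "Allowing", 'ACCEPT');
    return;
}

# Banned host[/net] tuning: DENY rules on the input chain.
sub BANNED {
    host_rules("What banned host[/net], (Example: 4.21.3.13)? ", "Banning", 'DENY');
    return;
}

# ICMP host[/net] blocking: a bidirectional (-b) DENY on the chosen interface,
# repeated while the operator answers "more".
sub ICMP {
    do {
        my $hostnet = prompt_valid("What banned host[/net], (Example: 4.21.3.13)? ", $HOST_RE, "host[/net]");
        msg("Blocking ICMP attack from $hostnet\n");
        # The old rule also interpolated $PORT, a global left over from
        # TRUST/BANNED, so a port answered earlier silently narrowed this rule;
        # ICMP has no port, so none is passed.
        run_chains('-A', $IN_CHAIN, '-l', '-b', '-i', $INTERFACE, '-p', 'icmp', '-s', $hostnet, '-d', $LNET, '-j', 'DENY');
    } while (is_yes(prompt("Prompt for more? [y/n]: ")));
    return;
}

msg("hhp-genchains Author: Cody Tubbs (loophole of hhp)\n");
msg("www.hhp-programming.net / pigspigs\@yahoo.com\n");
msg("\n");

# Fail before touching anything if the binary is missing; every later step
# depends on it.
-x $CH or die "${TAG}$CH is not executable; edit \$CH at the top of this script.\n";

#interface setup / ifconfig manipulation / ip,mask defining.
if (is_yes(prompt("Prompt for an interface other than default ppp0? [y/n]: "))) {
    $INTERFACE = prompt_valid("What interface do you want to use? [ppp0/eth0/other] ", $IFACE_RE, "interface name");
    msg("Using interface $INTERFACE.\n");
}

$LNET = interface_net($INTERFACE);
msg("Using interface ($INTERFACE): $LNET\n");

#Ruleset flushing.
msg("Flushing input/output ipchain settings... ");
run_chains('-F');
print " complete.\n";

#lo setup.
msg("Setting up loopback... ");
run_chains('-A', $IN_CHAIN,  '-i', 'lo', '-s', $RNET, '-d', $RNET, '-j', 'ACCEPT');
run_chains('-A', $OUT_CHAIN, '-i', 'lo', '-s', $RNET, '-d', $RNET, '-j', 'ACCEPT');
print " complete.\n";

#TOS tuning.
msg("Setting up TOS flags... ");
for my $svc (qw(www telnet ftp)) {
    print "$svc, ";
    run_chains('-A', $OUT_CHAIN, '-p', 'tcp', '-d', $RNET, $svc, '-t', '0x01', '0x10');
}
print "ftp-data... ";
run_chains('-A', $OUT_CHAIN, '-p', 'tcp', '-d', $RNET, 'ftp-data', '-t', '0x01', '0x08');
print " complete.\n";

#Port tuning.
msg("Tuning ports...\n");
if (is_yes(prompt("Block ftp-data and ftp? [y/n]: "))) {
    tcp_input_rule($_, 'DENY') for qw(20 21);
} else {
    msg("skipping ftp-data and ftp blockage.\n");
}

#Note: advanced users modify the list below if you feel the need for expansion.
#Each entry is [ name, port-or-range ]; keeping them paired avoids the two
#parallel arrays of the old version drifting out of step.
my @SERVICES = (
    [ "telnet",    "23"          ],
    [ "smtp",      "25"          ],
    [ "DNS",       "53"          ],
    [ "http",      "80"          ],
    [ "pop",       "110"         ],
    [ "ident",     "113"         ],
    [ "nntp",      "119"         ],
    [ "samba",     "139"         ],
    [ "imap",      "143"         ],
    [ "https",     "443"         ],
    [ "NFS",       "2049"        ],
    [ "X Display", "5999:6003"   ],
    [ "XFS",       "7100"        ],
    [ "BO",        "31337"       ],
    [ "netbus",    "12345:12346" ],
    [ "ICQ",       "4000"        ],
);
for my $entry (@SERVICES) {
    my ($name, $port) = @{$entry};
    if (is_yes(prompt("Deny $name:$port? [y/n]: "))) {
        msg("Denying $name:$port.\n");
        tcp_input_rule($port, 'DENY');
    } else {
        msg("Accepting $name:$port.\n");
        tcp_input_rule($port, 'ACCEPT');
    }
}

#ICMP/IGMP tuning.
msg("Setting up ICMP/IGMP...\n");
# One question per protocol and direction; answering "n" blocks, anything else
# allows. The old code repeated this block four times and labelled both IGMP
# questions "incoming".
for my $question (
    [ 'icmp', $IN_CHAIN,  'incoming' ],
    [ 'icmp', $OUT_CHAIN, 'outgoing' ],
    [ 'igmp', $IN_CHAIN,  'incoming' ],
    [ 'igmp', $OUT_CHAIN, 'outgoing' ],
) {
    my ($proto, $chain, $direction) = @{$question};
    my $label = uc $proto;
    # NOTE(review): the outgoing rules keep the original "-s $RNET -d $LNET"
    # selectors, i.e. they match output-chain traffic *addressed to* the local
    # net; if the intent is to control ICMP/IGMP leaving this host, the source
    # and destination look swapped. Confirm before changing, since it alters
    # what the firewall enforces.
    if (is_no(prompt("Allow $direction $label? [y/n]: "))) {
        msg("Blocking $direction $label.\n");
        run_chains('-A', $chain, '-l', '-p', $proto, '-s', $RNET, '-d', $LNET, '-j', 'DENY');
    } else {
        run_chains('-A', $chain, '-l', '-p', $proto, '-s', $RNET, '-d', $LNET, '-j', 'ACCEPT');
        msg("Accepting $direction $label.\n");
    }
}

TRUST()  if is_yes(prompt("Prompt for trusted host[/net] tuning? [y/n]: "));
BANNED() if is_yes(prompt("Prompt for banned host[/net] tuning? [y/n]: "));
ICMP()   if is_yes(prompt("Prompt for ICMP host[/net] blocking? [y/n]: "));

msg("firewall setup complete, use '$CH -L' for ruleset info!\n");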

