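#!/bin/sh
# Minimal host firewall: drop everything that arrives on the Internet-facing
# (ppp+) interface except replies to connections this host opened itself, and
# log what gets dropped. Traffic on every other interface is trusted.
#
# Must run as root. Abort on the first failing command so a half-applied
# rule set is never mistaken for a working one; because the DROP policy is
# installed before any ACCEPT rule, an abort leaves the host closed, not open.
set -e

# Rebuild the kernel module dependency database.
/sbin/depmod -a

# Load the modules for the non-standard targets used below (LOG, REJECT,
# MASQUERADE) and the FTP connection-tracking helper. On newer kernels these
# may be built in or carry different names, so a failed load is deliberately
# not fatal; the iptables calls further down fail loudly if a target is
# genuinely unavailable.
for module in ipt_LOG ipt_REJECT ipt_MASQUERADE ip_conntrack_ftp; do
  /sbin/modprobe "$module" || echo "warning: could not load module $module" >&2
done

# This host does not route; switch packet forwarding off.
echo "0" > /proc/sys/net/ipv4/ip_forward

# Enable reverse-path filtering on every interface to reject spoofed
# source addresses.
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$rp_filter" ] || continue   # unmatched glob under plain sh: nothing to set
  echo "1" > "$rp_filter"
done

# Default policies: whatever no rule explicitly allows is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Start from an empty INPUT chain so that re-running this script does not
# stack a second copy of every rule behind the first one.
iptables -F INPUT

# Accept all traffic that does not come in on the Internet-facing interface.
# "! -i" is the current negation syntax; the older "-i !" form is deprecated.
iptables -A INPUT ! -i ppp+ -j ACCEPT

# Stateful rule: let replies to established/related connections through.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else before the chain policy discards it. The rate limit
# keeps a flood of unwanted packets from filling the log.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "INPUT drop: "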