There is a lot to be said for consistency: the script below ships with a tclsh shebang and Tcl-style `set` assignments, yet everything else in it is bash.

#=======
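#!/bin/bash
#
# iptables firewall script generator v0.1 by sphinx
# January 1st, 2001
#
# This is a bash script (it uses function, declare -i, echo -n and [ -a ]),
# so the interpreter must be bash and variables are assigned NAME=value.
# Tcl's "set NAME value" is not an assignment in bash: it only replaces the
# positional parameters and leaves NAME unset.
#
# Set these two to the interface names on this host; "none" for INTERNALIF
# means there is no LAN side (standalone mode).  The script drives iptables,
# so it has to run as root.

EXTERNALIF="none"
INTERNALIF="none"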

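function grok_address {
  # Print "ADDRESS/NETMASK" for interface $1.
  #
  # Both values are cut out of net-tools style ifconfig output
  # ("inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M"); the newer
  # "inet A.B.C.D  netmask M.M.M.M" layout is not understood by these cuts.
  # ifconfig errors are discarded, so an unknown interface yields "/".
  local ifname="$1" ip mask

  # -w keeps only the IPv4 "inet" line; a plain "inet" match also hits an
  # "inet6 addr:" line and would put a second address into $ip.
  ip=$(ifconfig "$ifname" 2>/dev/null | grep -w inet | cut -d : -f 2 | cut -d ' ' -f 1)
  mask=$(ifconfig "$ifname" 2>/dev/null | grep Mask | cut -d : -f 4)

  echo "$ip/$mask"
}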

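function grok_net {
  # Print "NETWORK/NETMASK" for interface $1.
  #
  # The netmask comes from net-tools style ifconfig output ("Mask:M.M.M.M");
  # the network is the destination of the directly connected route
  # (flag "U", matching interface and genmask) in "route -n".  Prints "/"
  # when nothing matches.
  local ifname="$1" mask net

  mask=$(ifconfig "$ifname" 2>/dev/null | grep Mask | cut -d : -f 4)

  # -F -w: match the interface name and mask as whole fixed words, so "eth1"
  # does not also select eth10 and the dots in the mask are not wildcards.
  # Only the first matching route is used.
  net=$(route -n 2>/dev/null | grep -F -w -- "$ifname" | grep -F -w -- "$mask" \
        | grep -w "U" | cut -d ' ' -f 1 | head -n 1)

  echo "$net/$mask"
}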

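echo -n "Checking External Interface..."

# grok_interface is expected to print "1" when the interface exists.  It is
# not defined anywhere in this listing; without it the check always fails.
if [ "$(grok_interface "$EXTERNALIF")" != "1" ]; then
  echo "$EXTERNALIF unavailable. Aborting."
  # Restore PATH only if one was saved: nothing in this listing sets
  # ORIGPATH, and a bare "export PATH=$ORIGPATH" would empty PATH.
  export PATH="${ORIGPATH:-$PATH}"
  # Exit non-zero so an rc script or cron job notices that no rules were
  # installed.
  exit 1
else
  echo "found $EXTERNALIF"
  echo "External Interface Data:"
  echo "Address: $(grok_address "$EXTERNALIF")"
  echo "Network: $(grok_net "$EXTERNALIF")"
fi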

echo -n "Checking Internal Interface..."

# STANDALONE ends up "0" only when an internal interface was named and
# grok_interface reports it present; every other outcome is standalone.
STANDALONE="1"
if [ "$INTERNALIF" = "none" ]; then
  echo "None specified"
  echo "Going to Standalone Mode"
elif [ "$(grok_interface "$INTERNALIF")" != "1" ]; then
  echo "$INTERNALIF unavailable."
  echo "Going to Standalone Mode"
else
  echo "found $INTERNALIF"
  echo "Internal Interface Data:"
  echo "Address: $(grok_address "$INTERNALIF")"
  echo "Network: $(grok_net "$INTERNALIF")"
  STANDALONE="0"
fi

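if [ "$STANDALONE" = "0" ]; then
  echo -n "Checking internal interface for RFC1918"

  # grok_net runs ifconfig and route each time, so call it once and keep
  # only the network part (before the "/").  The mode decision looks at the
  # leading octets of that network.
  INTERNALNET_PREFIX=$(grok_net "$INTERNALIF")
  INTERNALNET_PREFIX="${INTERNALNET_PREFIX%%/*}"

  case "$INTERNALNET_PREFIX" in
    10.*)
      MASQUERADE="1"
      echo "...Class A found"
      echo "Going to Masq Mode"
      ;;
    192.168.*)
      MASQUERADE="1"
      echo "...Class C found"
      echo "Going to Masq Mode"
      ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)
      # 172.16.0.0/12 is 172.16 through 172.31
      MASQUERADE="1"
      echo "...Class B found"
      echo "Going to Masq Mode"
      ;;
    *)
      # Anything else - including an empty result when grok_net found no
      # route - is treated as publicly routable: no NAT is set up.
      echo "...None found"
      echo "Going to Routable Mode"
      MASQUERADE="0"
      ;;
  esac
fi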

function flush_rulesets {

# No parameters
#
# Empties every chain in the filter, nat and mangle tables.  Policies are
# not touched here, so whatever reset_policy/set_policy left in place stays
# in effect while the chains are empty.

echo -n "Flushing rulesets.."

local table
for table in filter nat mangle; do
  iptables -t "$table" -F
  echo -n "."
done

echo "Done!"

}

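function masq_setup {

# Parameters: internalnet, externalnet, internal interface, external interface
#   $1  internal (RFC1918) network with mask - the clients being masqueraded
#   $2  this host's external address/mask (what "from outside" is sent to)
#   $3  internal interface name
#   $4  external interface name
#
# Forwarding: the internal net may open anything outbound through $4.
# Packets arriving on $4 are forwarded to the internal net only when
# connection tracking ties them to a connection the inside opened; anything
# else - including packets for $1 that an upstream router might send us -
# hits the FORWARD DROP policy.
# INPUT on $4 is likewise limited to reply traffic.  The ports this host
# serves are opened one by one in standard_rules, which runs after this
# function; a blanket accept on $4 here would sit ahead of those rules in
# the INPUT chain and make every block in them unreachable.

local internalnet="$1" externalnet="$2" internalif="$3" externalif="$4"

echo -n "Masquerading.."

# Default first, so nothing is forwarded while the rules are being appended.
iptables -P FORWARD DROP
echo -n "."

# Inside -> anywhere, leaving on the external interface
iptables -A FORWARD -d 0/0 -s "$internalnet" -o "$externalif" -j ACCEPT
echo -n "."
# Outside -> inside, only for connections the inside already opened
iptables -A FORWARD -d "$internalnet" -s 0/0 -i "$externalif" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n "."

# Masquerade internal to external traffic going out on the external interface
# using the nat table.
iptables -t nat -A POSTROUTING -d 0/0 -s "$internalnet" -o "$externalif" -j MASQUERADE
echo -n "."

# INPUT: anything from the internal net arriving on the internal interface
iptables -A INPUT -d "$internalnet" -s "$internalnet" -i "$internalif" -j ACCEPT
echo -n "."
# INPUT from outside: replies only; services are opened in standard_rules
iptables -A INPUT -d "$externalnet" -s 0/0 -i "$externalif" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n "."

# OUTPUT rules
# Internal traffic out
iptables -A OUTPUT -d "$internalnet" -s "$internalnet" -j ACCEPT
echo -n "."
# Out from anywhere on internal network
iptables -A OUTPUT -d 0/0 -s "$internalnet" -j ACCEPT
echo -n "."
# Out from anywhere on external network
iptables -A OUTPUT -d 0/0 -s "$externalnet" -j ACCEPT
echo -n "."

echo "Done!"

}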

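function routable_setup {

# Parameters: internalnet, externalnet
#   $1  internal network with mask (publicly routable, no NAT)
#   $2  external network with mask this host sits on
#
# The internal net may open anything outbound; the external segment may
# talk to anywhere and into the internal net; packets from anywhere else
# bound for the inside are forwarded only when connection tracking ties
# them to a connection the inside opened.  Everything unmatched hits the
# FORWARD DROP policy set here (masq_setup does the same; without it the
# ACCEPT policy left by reset_policy forwards everything regardless of the
# rules below).  A server on the internal net that must accept new
# connections from the Internet needs an explicit ACCEPT added here.

local internalnet="$1" externalnet="$2"

echo -n "Forwarding.."

iptables -P FORWARD DROP
echo -n "."

# Forward internal-internal traffic
iptables -A FORWARD -s "$internalnet" -d "$internalnet" -j ACCEPT
echo -n "."

# Forward external interface direct
# (plain 0/0 - "$0/0" expands to the script name and the rule fails)
iptables -A FORWARD -s "$externalnet" -d 0/0 -j ACCEPT
echo -n "."

# Forward internal network going outside
iptables -A FORWARD -s "$internalnet" -d 0/0 -j ACCEPT
echo -n "."

# Forward external network going inside
iptables -A FORWARD -s "$externalnet" -d "$internalnet" -j ACCEPT
echo -n "."

# Replies from anywhere else to connections the inside opened
iptables -A FORWARD -d "$internalnet" -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n "."

echo "Done!"

}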

function loopback {

# Parameters: No parameters
#
# Accept everything on the loopback device in both directions.  With the
# INPUT/OUTPUT policies set to DROP later on, local services would
# otherwise lose their 127.0.0.1 traffic.

echo -n "Loopback..."

local chain flag
for chain in INPUT OUTPUT; do
  flag="-i"
  [ "$chain" = "OUTPUT" ] && flag="-o"
  iptables -A "$chain" "$flag" lo -j ACCEPT
done

echo "Done!"

}

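function tos_setup {

# Parameters: No parameters
#
# Mark interactive TCP services (www, telnet, ftp control) Minimize-Delay
# (TOS 16 / 0x10) and ftp-data Maximize-Throughput (TOS 8 / 0x08) in the
# mangle table.  "-m tos --tos N" is only a *match*: a rule with that and
# no target matches packets that already carry the value and changes
# nothing.  Setting the field is the TOS target, "-j TOS --set-tos N".
# Port names are resolved through /etc/services.

echo -n "TOS flags.."

local port
for port in www telnet ftp; do
  iptables -t mangle -A PREROUTING -p tcp --dport "$port" -j TOS --set-tos 16
  echo -n "."
done

# Set ftp-data for maximum throughput
iptables -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos 8
echo -n "."

echo "Done!"

}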

function outbound_setup {

# Parameters: internalnet
#   $1  internal network with mask
#
# Accept everything to and from the internal net on this host (used in
# routable mode).
# NOTE(review): the INPUT rule trusts the source address alone - there is
# no -i, so a packet from outside with a spoofed internal source would match
# it too.  Pinning it to the internal interface needs that name passed in.

echo -n "Outbound connections.."

local chain
for chain in INPUT OUTPUT; do
  iptables -A "$chain" -s "$1" -d 0/0 -j ACCEPT
done
echo -n ".."

echo "Done!"

}

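function standard_rules {

# Parameters: target, standalone, internalif
#   $1  address or network (with mask) the INPUT rules protect, used as -d
#   $2  "1" when running without an internal interface
#   $3  internal interface name; only consulted when $2 is not "1"
#
# Everything here is appended (-A) to the filter table, so order matters:
# the first match in the INPUT chain wins.  The blocks come before the
# accepts, and set_policy later makes the INPUT policy DROP, so anything
# not accepted below is discarded.  iptables exit codes are not checked;
# watch stderr when running this.

local target="$1" standalone="$2" internalif="$3"

# ---------------------------------------------------------- Trusted Networks -
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.

# echo -n "Trusted Networks.."

# iptables -A INPUT -p <protocol> --<d/s>port <ports> -s [trusted host/net] -d "$target" -j ACCEPT
# echo -n "."

# echo "Done!"

# ----------------------------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause you problems.  iptables has no ipchains -l/-b
# flags: log with a separate -j LOG rule placed just ahead of the DROP.

## echo -n "Banned Networks.." not adjusted to iptables yet

# This one is generic
# iptables -A INPUT -s [banned host/net] -d "$target" <ports> -j LOG
# iptables -A INPUT -s [banned host/net] -d "$target" <ports> -j DROP
# echo -n "."

# This one blocks ICMP attacks
# iptables -A INPUT -i $LOCALIF -p icmp -s [host/net] -d "$target" -j DROP
# echo -n "."

# echo "Done!"

# ------------------------------------------------------ @home-specific rules -
# This @home stuff is pretty specific to me (terminus).  I get massive port
# scans from my neighbors and from pokey admins at @home, so I just got harsh
# and blocked all their stuff, with a few exceptions, listed below.
#
# If someone out there finds out the ip ranges of JUST tci@home, let me know
# so i don't end up blocking ALL cablemodems like it's doing now.

echo -n "Cable Modem Nets.."

# so we can check mail, use the proxy server, hit @home's webpage.
# you will want to set these to your local servers, and uncomment them

# iptables -A INPUT -p tcp --dport 1023:65535 -s ha1.rdc1.wa.home.com -d "$target" -j ACCEPT
# iptables -A INPUT -p tcp --dport 1023:65535 -s mail.tcma1.wa.home.com -d "$target" -j ACCEPT
# iptables -A INPUT -p tcp --dport 1023:65535 -s www.tcma1.wa.home.com -d "$target" -j ACCEPT
# iptables -A INPUT -p tcp --dport 1023:65535 -s proxy.tcma1.wa.home.com -d "$target" -j ACCEPT
# echo -n "...."

# so we can resolve the above hostnames, allow dns queries back to us
# (hostnames in -s are resolved once, when the rule is loaded)
# iptables -A INPUT -p tcp --dport 1023:65535 -s ns1.home.net -d "$target" -j ACCEPT
# iptables -A INPUT -p tcp --dport 1023:65535 -s ns2.home.net -d "$target" -j ACCEPT
# iptables -A INPUT -p udp --dport 1023:65535 -s ns1.home.net -d "$target" -j ACCEPT
# iptables -A INPUT -p udp --dport 1023:65535 -s ns2.home.net -d "$target" -j ACCEPT
# echo -n ".."

# linux iptables building script page (I think)
# iptables -A INPUT -p tcp --dport 1023:65535 -s 24.128.61.117 -d "$target" -j ACCEPT
# echo -n "."

# Non-@home users may want to leave this uncommented, just to block all
# the wannabe crackers. Add any @home hosts you want to allow BEFORE this line.

# Blast all other @home connections into infinity and log them.
# iptables -A INPUT -s 24.0.0.0/8 -d "$target" -j LOG
# iptables -A INPUT -s 24.0.0.0/8 -d "$target" -j DROP
# echo -n "."

# Nuke any connections from @home's portscanners (ops-scan.home.com)
# Note: These are a moving target - apply locally as required.
iptables -A INPUT -s 24.0.84.130 -d "$target" -j LOG
iptables -A INPUT -s 24.0.84.130 -d "$target" -j DROP
echo -n "."

echo "Done!"

# ---------------------------- Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network. Connections to the logged ports go to syslog.
#
# Dropped silently (tcp and udp):
#   NetBEUI/Samba                          137:139
#   Line Printer Daemon                    515
#     (courtesy of Blair Steenerson <blair@steenerson.com>)
#   Microsoft SQL                          1433
#   Postgres SQL                           5432
#   Network File System                    2049
#   MySQL                                  3306
#   X Displays                             5999:6010
#   X Font Server :0-:2                    7100:7101
# Logged, then dropped (tcp and udp):
#   Back Orifice                           31337
#   NetBus                                 12345:12346

echo -n "Port Blocks.."

local block_ports=(137:139 515 1433 5432 2049 3306 5999:6010 7100:7101)
local logged_ports=(31337 12345:12346)
local ports proto

for ports in "${block_ports[@]}"; do
  for proto in tcp udp; do
    iptables -A INPUT -p "$proto" --dport "$ports" -s 0/0 -d "$target" -j DROP
  done
  echo -n "."
done

for ports in "${logged_ports[@]}"; do
  for proto in tcp udp; do
    iptables -A INPUT -p "$proto" --dport "$ports" -s 0/0 -d "$target" -j LOG
    iptables -A INPUT -p "$proto" --dport "$ports" -s 0/0 -d "$target" -j DROP
  done
  echo -n "."
done

echo "Done!"

# --------------------------------------------------- High Unprivileged ports -
# Reply traffic for connections this host (or a masqueraded LAN behind it)
# opened.  Connection tracking accepts only packets that belong to, or are
# related to, an existing connection.  Do not reopen this as a blanket
# "--dport 1023:65535 -j ACCEPT": that admits new connections from anywhere
# to every service listening on a high port (and 1023 is still a privileged
# port), which is exactly what the port blocks above were papering over.

echo -n "High Ports.."

iptables -A INPUT -m state --state ESTABLISHED,RELATED -s 0/0 -d "$target" -j ACCEPT
echo -n "."

echo "Done!"

# ------------------------------------------------------------ Basic Services -
# Services this host offers to the outside.  Each one is a new-connection
# accept from anywhere; uncomment only what actually runs here.

echo -n "Services.."

# ftp-data (20) and ftp (21)
#iptables -A INPUT -p tcp --dport 20 -s 0/0 -d "$target" -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -s 0/0 -d "$target" -j ACCEPT
#echo -n ".."

# ssh (22)
iptables -A INPUT -p tcp --dport 22 -s 0/0 -d "$target" -j ACCEPT
echo -n "."

# telnet (23)
# iptables -A INPUT -p tcp --dport 23 -s 0/0 -d "$target" -j ACCEPT
# echo -n "."

# smtp (25)
# iptables -A INPUT -p tcp --dport 25 -s 0/0 -d "$target" -j ACCEPT
# echo -n "."

# DNS (53)
#iptables -A INPUT -p tcp --dport 53 -s 0/0 -d "$target" -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -s 0/0 -d "$target" -j ACCEPT
#echo -n ".."

if [ "$standalone" != "1" ]; then
#  DHCP on LAN side (to make @Home DHCP work) (67/68)
#  OUTPUT rules take -o, not -i.
#  iptables -A INPUT  -i "$internalif" -p udp --dport 67 -s 0/0 -d 255.255.255.255 -j ACCEPT
#  iptables -A OUTPUT -o "$internalif" -p udp --dport 68 -s 0/0 -d 255.255.255.255 -j ACCEPT
echo -n ".."
fi

# http (80)
#iptables -A INPUT -p tcp --dport 80 -s 0/0 -d "$target" -j ACCEPT
#echo -n "."

# POP-3 (110)
# iptables -A INPUT -p tcp --dport 110 -s 0/0 -d "$target" -j ACCEPT
# echo -n "."

# identd (113)
#iptables -A INPUT -p tcp --dport 113 -s 0/0 -d "$target" -j ACCEPT
#echo -n "."

# nntp (119)
# iptables -A INPUT -p tcp --dport 119 -s 0/0 -d "$target" -j ACCEPT
# echo -n "."

# https (443)
# iptables -A INPUT -p tcp --dport 443 -s 0/0 -d "$target" -j ACCEPT
# echo -n "."

# ICQ Services (it's a server service) (4000)
# iptables -A INPUT -p tcp  --dport 4000 -s 0/0 -d "$target" -j ACCEPT
# echo -n "."

echo "Done!"

# ---------------------------------------------------------------------- ICMP -

echo -n "ICMP Rules.."

# Use this to DROP ICMP attacks from specific addresses
# iptables -A INPUT -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DROP
# echo -n "."

# Allow incoming ICMP
# NOTE(review): every ICMP type from anywhere is accepted.  Restricting this
# to --icmp-type echo-request, destination-unreachable and time-exceeded
# keeps ping and path MTU discovery working with a smaller surface.
iptables -A INPUT -p icmp -s 0/0 -d "$target" -j ACCEPT
echo -n ".."

# Allow outgoing ICMP
iptables -A OUTPUT -p icmp -s "$target" -d 0/0 -j ACCEPT
echo -n "...."

echo "Done!"

}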

function reset_policy {

# Parameters: no parameters
#
# Set every built-in filter chain back to ACCEPT.  Called before the chains
# are flushed and rebuilt, so the host is open until set_policy runs.

local chain
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "$chain" ACCEPT
done

}

function set_policy {

# Parameters: no parameters
#
# Default-deny for traffic to and from this host.  FORWARD is deliberately
# not touched here; its policy is left to the mode-specific setup functions.

local chain
for chain in INPUT OUTPUT; do
  iptables -P "$chain" DROP
done

}

function set_timeouts {

# Parameters: no parameters
#
# Placeholder: the ipchains "-M -S tcp tcpfin udp" masquerade timeouts have
# no iptables equivalent here, so this only prints the progress line.

echo -n "Setting iptables timeout for tcp tcpfin udp.. "
# iptables -M -S 3600 150 1000   (ipchains syntax; not adjusted for iptables yet)
echo "Done!"

}

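# Main: rebuild the rule set for the mode chosen above.
# NOTE(review): reset_policy puts every policy at ACCEPT and the chains are
# flushed right after, so the host is wide open from here until set_policy
# at the end.  Setting the DROP policies before the flush would close that
# window, at the cost of briefly stalling existing sessions while the rules
# are re-added.
reset_policy
flush_rulesets

if [ "$STANDALONE" = "1" ]; then
  # No LAN side: the protected target is the external network itself.
  # NOTE(review): no TCP/UDP OUTPUT rule is added in this mode, so once
  # set_policy makes OUTPUT DROP only loopback and ICMP can leave the host.
  TARGET=$(grok_net "$EXTERNALIF")
else
  INTERNALNET=$(grok_net "$INTERNALIF")
  EXTERNALNET=$(grok_net "$EXTERNALIF")
  if [ "$MASQUERADE" = "1" ]; then
    # RFC1918 inside: NAT it, protect the external address.
    TARGET=$(grok_address "$EXTERNALIF")
    set_timeouts
    masq_setup "$INTERNALNET" "$TARGET" "$INTERNALIF" "$EXTERNALIF"
  else
    # Routable inside: plain forwarding, protect the internal network.
    TARGET=$INTERNALNET
    outbound_setup "$INTERNALNET"
    routable_setup "$INTERNALNET" "$EXTERNALNET"
  fi
fi

tos_setup
loopback
standard_rules "$TARGET" "$STANDALONE" "$INTERNALIF"
#configure_vpn $INTERNALNET $EXTERNALNET
set_policy

# Restore PATH only if something was saved in ORIGPATH; nothing in this
# listing sets it, and a bare "export PATH=$ORIGPATH" would empty PATH.
export PATH="${ORIGPATH:-$PATH}"
exit 0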