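#!/bin/sh
#
# Setup IP Masquerading
#
# Masquerades traffic from LOCAL_NET out through EXTERNAL_IF with ipchains,
# and installs a few logging DENY rules on the external interface (anti-spoof
# and anti-SYN).  Writing /proc/sys/net/ipv4/ip_forward and calling ipchains
# normally require root.
#
# Abort on the first failing command and on any unset variable, so a failed
# rule does not leave a half-installed ruleset behind silently.  POSIX sh
# only: no bash-specific syntax is used below.
set -eu

readonly LOCAL_NET=192.168.1.0/24
# shellcheck disable=SC2034 -- kept for operators who reference it locally
readonly LOCAL_IF=eth0
readonly EXTERNAL_IF=ppp0   # set this to eth0 if you've an ethernet connection to the Internet

# Flush the existing rulesets and zero the counters.
/sbin/ipchains -F
/sbin/ipchains -Z

# Set the default forwarding policy to deny
#
# NOTE(review): only the forward chain's policy is set here; the input and
# output chains keep whatever default policy they already had.
/sbin/ipchains -P forward DENY

# ...and allow masquerading from any client on the wireless net
#
/sbin/ipchains -A forward -s "$LOCAL_NET" -j MASQ

# Specifically deny anybody claiming to be from the wireless network,
# but sending packets from the outside. (They're only up to No Good.)
# Log their efforts.
#
/sbin/ipchains -A input -s "$LOCAL_NET" -i "$EXTERNAL_IF" -l -j DENY
/sbin/ipchains -A input -d "$LOCAL_NET" -i "$EXTERNAL_IF" -l -j DENY

# Reject and log TCP SYN connection attempts on the external interface.
#
# This will keep would-be crackers from opening any TCP connections on your gateway,
# but it will also block legitimate incoming traffic to things like identd or sshd, if
# you're running them. Fairly secure, but use with care.
#
/sbin/ipchains -A input -i "$EXTERNAL_IF" -p tcp -y -l -j DENY

# Finally, turn on forwarding (for MASQ to work).
#
# Done last on purpose: enabling forwarding before the forward chain has its
# DENY policy and rules in place would briefly forward with whatever policy
# was left after the flush.
echo "1" > /proc/sys/net/ipv4/ip_forward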