# rules_SNATpriv2pub_3.sh
# and the README.html is based on this script
# Copyright (C) 2016 Miroslav Rovis, <http://www.CroatiaFidelis.hr/>
# released under BSD license, see LICENSE, or assume general BSD license,
# meaning you can do basically anything with these scripts and data except
# claim that you wrote them/made them
# See rules_SNATpriv2pub.sh and rules_SNATpriv2pub_2.sh from which this script
# is a continuation.
# I mean, if you parachuted here from a search engine or some link, pls.
# understand: I've been studying to do this for many weeks, and I finally
# succeeded, I've already posted about this in various places, and already
# had, while I wasn't hoping to succeed, two more previous stages of my tries
# prepared for posting. And I'm not rewriting those, there's too much to
# explain. So don't expect to understand this final successful Linux router
# deployment of mine, without reading this final stage and the previous ones,
# in this same directory, and linked to other places from here where necessary.
# But, as I said, I have successfully set up the SNAT'ing with this script, and
# this script and these network traces and screencast show that: 
# Linux router that controls your own private network (instead of the ZXDSL
# controlling it) and gets all the conversations for its private network via
# ZXDSL is possible!
# Now: I wasn't able to find any instructions on getting a Linux router to work
# with a locking-user-out-to-privateland-IPs Chinese modem/router.
# If only I could speak Polish! And Russian is such a beautiful language
# (because I found some pages in Russian and Polish about some ZTE ZXDSL Linux
# router, port forwarding and some such, just: I couldn't understand them)...
# And sure Chinese is such a fine language!! If only I spoke Chinese!...
# I do speak Italian and could, though my Italian has rusted a bit of late
# through lack of use but I could, write this in Italian (but the Italians
# wouldn't need this as their routers do not NAT their home users the
# hide-their-public-IP way)...
# And I'm really annoyed that English is the only lingua franca of the world.
# Exempli gratia, in my region of the world German was the lingua franca, such
# that among my ancestors in Croatia, or the neighboring Slovenia, Hungary,
# Slovakia and Czechia, some Italians too, those who spoke any second language
# mostly had German as their second, and I really like German much better than
# English...  So much that I've restarted learning it (I knew a little 40 years
# ago).
# But nobody anywhere wrote in this getting-me-bored-with-itself but the only
# lingua franca of the world, in English, nobody in Russia, nor anybody in
# Poland, where I duckduck searched and found ZTE ZXDSL modem/routers are in
# use, nobody in the countries where the ZTE ZXDSL series is deployed, and it
# appears to be mostly in Eastern European countries, apart from China and
# likely other Asian countries... Nobody wrote a report/tutorial in English on
# how to get this modem/router to work when a Linux router wants to dispense
# the internet it gets from it further to hosts under it.
# I managed to get ZXDSL to allow my Gentoo Linux router to serve other
# machines on my SOHO, so they can get to internet.
# I sure could have simply plugged into another of the available ports of
# ZXDSL's any of my other machines, such as Vista, or a Devuan
# (
# ) that I intend to build, could have just plugged any
# of those other machines into a port on the ZXDSL's. But using any M$ system
# or even building a FOSS/GNU system is a risk in this country (and I'm sure in
# other places such as Putinist neostalinist Russia; Poland is finally better
# off, but not out of trouble yet...).
# Since Croatia is a country with really terribly mass brainwashing media in
# which the covertly-greater-Serbia-oriented Milanović (approx. 50% of the
# ministers in his government, in their former 4-yr term, were ethnic Serbs)
# now pretends patriotism, and they threaten to fake elections to come to power
# again...
# These bad people could, by means of election engineering, by actually total
# election fraud (it has already happened in the elections of 2015), having
# they with sly means already gained total control of the electronic center
# where the votes are counted which goes by the name of "Apis", [these bad
# people could], [by fraud], come to power again. Well I truly hope they won't
# but, by fraud unchecked, and the media heavy really heavy brainwashing (the
# latter is happening massively in mainstream), they could.
# And in such country where Milanović's postcommunist party would again
# exercise such firm grip on the media and would control election counting,
# freedom would be eroded for real, [and in such country] to be safe online
# without some true hardening of your machine and without your own control of
# your connections, to be safe online is not possible! It is safe for you,
# sure, if you live without brains and nobody touches you, but it is not if you
# are an uncompromising Croat and are aware of Croatian history and care for
# true Croatian Independence, and are against greater-Serbians covertly
# retaining power in Croatia, like I am.
# So, if I want to use M$ Vista to do something online, or build me a Devuan
# system, no way am I safe without protecting myself via my own total control
# over my connections: M$ I don't trust, and while Devuan I will trust, but
# only after I build in it what I have in my Gentoo: grsecurity-hardened kernel
# and very good capability to trace anything that happens in my machine when I
# go online. And those do not come preinstalled with Devuan.
# I'm sure people in the aforementioned East European countries have a definite
# need for more safety as well, and those do not come with a router gutted out
# of the mirror configuration as my ZXDSL (pls. see:
# where I'll try and get, in that topic, a few tips in English, or a link there
# to some translation of what I wrote there, so people can find it, but in the
# meantime, open that page and search for, without quotes, "mirror
# configuration", to see what I mean, and read how to get the ZXDSL's manual in
# the previous documents in this directory).
# And now I present the script that I ran on my g0n machine (the general setup
# is the same as in README_tent1.html and README_tent2.html, just grsecurity
# RBAC didn't need to be disabled). Again, you have to read the documented
# previous steps to understand.
# vars
# The published script does not define these; the values below are
# placeholders so that the script runs as written. Set them for your own setup.
ipt=iptables
lan1_if=eth0           # placeholder: interface towards the private LAN hosts
lan2_if=eth1           # placeholder: interface towards the ZXDSL
lan2_ip=192.168.1.2    # placeholder: this router's address on the ZXDSL side, used as SNAT source
srv_src=203.0.113.1    # placeholder: the source address sanitised out of the two mrfw_srv INPUT rules below

echo "cat /proc/sys/net/ipv4/ip_forward :"
cat /proc/sys/net/ipv4/ip_forward
read FAKE

echo " * flushing old rules"
$ipt -X
$ipt -F
read FAKE

echo " * flushing the nat table"
$ipt -t nat -X
$ipt -t nat -F
read FAKE

echo " * flushing the raw table"
$ipt -t raw -X
$ipt -t raw -F
read FAKE

echo " * flushing the mangle table"
$ipt -t mangle -X
$ipt -t mangle -F
read FAKE


# Here the main change:


iptables -P INPUT ACCEPT

iptables -A INPUT -s $srv_src -j LOG --log-prefix mrfw_srv --log-level 7
iptables -A INPUT -s $srv_src -j DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $lan2_if -m state --state ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
iptables -A FORWARD -i $lan2_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan1_if -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix mrfw --log-level 7
iptables -A FORWARD -i $lan1_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o $lan2_if -j LOG --log-prefix mrfw_snat --log-level 7
iptables -t nat -A POSTROUTING -o $lan2_if -j SNAT --to-source $lan2_ip
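# An added example, not part of the author's script, showing the "more
# stringent rules" that are named below as the next step: the same SNAT setup
# with default-DROP policies on INPUT and FORWARD, forwarding limited to the
# inner subnet, an anti-spoofing rule, and rate-limited logging. Interface
# names, the inner subnet and the SNAT address are placeholders, not the
# author's values. One caveat worth knowing about the rules above: a
# --log-prefix without a trailing space is glued to the "IN=" field of the
# kernel log line ("mrfw_snatIN=eth0 ..."), so the example ends every prefix
# with a space.

```shell
#!/bin/sh
# Added example, not the author's script: a default-DROP version of the
# proof-of-concept ruleset. All addresses and interface names are placeholders.
LAN1_IF="${LAN1_IF:-eth0}"          # placeholder: interface towards the private LAN hosts
LAN2_IF="${LAN2_IF:-eth1}"          # placeholder: interface towards the ZXDSL
LAN1_NET="${LAN1_NET:-10.0.0.0/24}" # placeholder: the private subnet the router serves
LAN2_IP="${LAN2_IP:-192.168.1.2}"   # placeholder: router's address on the ZXDSL side, the SNAT source
IPT="${IPT:-iptables}"              # set IPT="echo iptables" to print the commands instead of applying them

hardened_rules() {
    # Flush all four tables, as the original script does
    for t in filter nat raw mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done

    # Default deny for INPUT and FORWARD; only the rules below open traffic.
    # OUTPUT from the router itself stays open, as in the original.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT: loopback, replies to the router's own connections, and SSH from the
    # inner LAN only. "-m conntrack --ctstate" is the current spelling of the
    # original's "-m state --state".
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN1_IF" -s "$LAN1_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Whatever is left is logged (rate limited, so the log cannot be flooded)
    # and then falls through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "mrfw_in_drop " --log-level 7

    # FORWARD: only the inner subnet may open connections, only towards the
    # ZXDSL side; replies come back; our own prefix must never arrive from the
    # ZXDSL side (anti-spoofing), so that rule sits before the ACCEPTs.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$LAN2_IF" -s "$LAN1_NET" -j DROP
    $IPT -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -s "$LAN1_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "mrfw_fwd_drop " --log-level 7

    # SNAT only what comes from the inner subnet, never anything else that
    # happens to leave through the ZXDSL interface.
    $IPT -t nat -A POSTROUTING -o "$LAN2_IF" -s "$LAN1_NET" -j SNAT --to-source "$LAN2_IP"
}

# Print the commands without touching the kernel (a subshell, so the IPT
# override does not leak out of the function).
dry_run_rules() (
    IPT="echo iptables"
    hardened_rules
)

case "${1:-}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        hardened_rules
        ;;
    dry-run)
        dry_run_rules
        ;;
esac
```

# Usage (the file name is assumed): "sh hardened_rules.sh dry-run" prints the
# 22 iptables commands for review; "sh hardened_rules.sh apply", as root,
# enables forwarding and loads them. Compared with the rules above, the only
# thing a host on the inner LAN loses is the ability to reach the router on
# ports other than 22; everything it sends towards the ZXDSL is still SNAT'ed.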

# And the result, all that happened, can be seen in the traffic dumps from g0n
# and gcn. gcn has the accompanying screencast as well, and the SSL keys (that
# decrypt both dumps). I explained/linked how to decrypt SSL conversations in
# previous stages as well. There is nothing really in the ZTE logs, see for
# yourself.
# Remains to figure out those iptables lines on the "wansrcnat" chain that were
# not of my own doing, but it's not urgent. I'll tell you one thing: I'm not
# touching any of the documents of the previous stages that I already wrote.
# I'll only sanitize them for data that must not be published, such as my
# ZXDSL931VII serial number (even though that router advertises itself to
# everybody, so no big deal...
# --Ah! A piece of advice for the readers: once you get the admin password (in
# Croatia it is all about that at the breach of the ZXDSL topic, linked in a
# few places), if it is set to your ZXDSL's serial, change that admin
# password!--
# ), passwords and maybe a few more things.  (Well
# maybe I'll also have to correct some gross typos or include what I said I
# would and give some links... when I find time. I'm exhausted with all these
# tries, and need rest... Patience if things are missing... I had postponed
# lots of other stuff to work on this, and those are waiting for me...). As far
# as MAC addresses of all my own etherware
# goes, 
# accommodates so kindly with
# and more. They're all fake ;-) !
# Just, back yesterday I was puzzled at the iptables rules, in ZTE logs, as I
# described in
# and at one time I thought, and wrote: that looks like a human agent. Then I
# deleted that sentence. Maybe I shouldn't have. But I can, just as I said
# there, still only keep guessing as to what agent did that.
# So it does remain to figure out those iptables lines that were not of my own
# doing... Some day.
# First thing next is get more stringent rules on this firewall. These were
# proof of concept rules. Do it to see if you can get a Linux router
# SNAT'ing. But it's all open. It needs to be well better secured...
# Regards,
# Miroslav Rovis
# www.CroatiaFidelis.hr