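#!/bin/sh
#
# This is a simple iptables firewall script.
# This can be used stand-alone or put in /etc/init.d/firewall.
# This works on both Ubuntu and RedHat systems.
# On Ubuntu, run "update-rc.d firewall defaults" to install this on startup.
# On RedHat, run "chkconfig --add firewall" to install this on startup.
# Note that RedHat has its own iptables init script that needs to be turned
# off if this script is to be used.
#
# Usage: firewall {start|stop|status}
#   start  - flush everything, load the rules below, set INPUT policy to DROP
#   stop   - flush everything and leave all policies at ACCEPT (firewall off)
#   status - list the loaded rules with packet/byte counters
#
# Noah Spurrier
# $Id: firewall 100 2007-10-30 23:31:14Z noah $
#
# chkconfig: 2345 08 92
# description: This configures iptables.
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: This loads iptables with firewall rules.
# Description: This loads iptables with firewall rules. Placed this in /etc/init.d.
#   This isn't technically a daemon control script.
#   This just puts a familiar interface around iptables.
### END INIT INFO

PATH=/usr/sbin:/usr/bin:/sbin:/bin

# Stop at the first iptables command that fails. A half-loaded ruleset is
# worse than a visible error, and the non-zero status is what the init
# system needs to report the failure.
set -e

#######################################
# Open the firewall completely: accept-all policies, then remove every
# rule and every user-defined chain. Used by "start" (clean slate before
# loading) and by "stop".
# Globals:   none
# Arguments: none
# Returns:   0, or the status of the first failing iptables call (set -e)
#######################################
reset_to_accept() {
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F
  iptables -X
}

#######################################
# Load the ruleset. Note that the chains are wide open (ACCEPT) while the
# rules below are being appended; the INPUT DROP policy is applied last,
# so a failure part-way through leaves the host reachable rather than
# locking the administrator out.
# Globals:   none
# Arguments: none
# Returns:   0, or the status of the first failing iptables call (set -e)
#######################################
start_firewall() {
  # Flush any old policies and rules.
  reset_to_accept

  # Packets claiming a loopback source address must arrive on lo. Without
  # this rule the "-s 127.0.0.1" exceptions further down would also match
  # packets with a forged 127.x source arriving on a real interface; the
  # kernel's martian filtering usually catches these, but we do not rely on it.
  iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

  # New TCP connections must be SYN packets, else DROP.
  # iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  # Drop illegal TCP flag combinations (scan and fingerprinting probes).
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP             # NULL packets
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP      # XMAS
  iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP          # FIN packet scans
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  #
  # Accept some remote connections.
  #
  # SSH
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # HTTP
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  # HTTPS
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  # SMTP
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  # IMAP4 SSL
  iptables -A INPUT -p tcp --dport 993 -j ACCEPT
  # POP3 SSL
  iptables -A INPUT -p tcp --dport 995 -j ACCEPT
  # DNS
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  # VPN
  #iptables -A INPUT -i tun+ -j ACCEPT
  #
  # VMware
  # iptables -A INPUT -p tcp --dport 902 -j ACCEPT
  #
  # SNMP (the original referenced a "FWALL-INPUT" chain that is not
  # defined in this script; these append to INPUT so they work if enabled)
  # iptables -A INPUT -p udp -m udp --dport 161 -j ACCEPT
  # iptables -A INPUT -p udp -m udp --sport 1023:2999 -j ACCEPT
  # VNC -- This is normally a bad idea.
  #iptables -A INPUT -p tcp --dport 5900 -j ACCEPT   # VNC server
  #iptables -A INPUT -p tcp --dport 5500 -j ACCEPT   # listening client
  # A better way to do this is to allow localhost connections and then
  # use SSH port tunneling to expose VNC to remote connections.
  #iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5900 -j ACCEPT   # VNC server

  #
  # Accept some localhost connections.
  # (Only trustworthy because of the loopback anti-spoofing rule above.)
  #
  # BIND RNDC
  iptables -A INPUT -p tcp -s 127.0.0.1 --dport 953 -j ACCEPT
  # IMAP4
  iptables -A INPUT -p tcp -s 127.0.0.1 --dport 143 -j ACCEPT
  # POP3
  iptables -A INPUT -p tcp -s 127.0.0.1 --dport 110 -j ACCEPT
  # MySQL
  iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
  #
  # PostgreSQL
  # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
  #
  # Oracle
  # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 1521 -j ACCEPT
  #
  # Oracle TTC
  # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 2483 -j ACCEPT
  #
  # Oracle TTC SSL
  # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 2484 -j ACCEPT
  #
  # Subversion svnserve (or just use the svn+ssh: URL scheme)
  # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3690 -j ACCEPT

  # Allow some ICMP (ping).
  # ICMP is low priority so I put this after other rules.
  # Echo requests (type 8) are rate-limited; everything else is dropped.
  iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
  iptables -A INPUT -p icmp -j DROP

  # Match related and established state connections.
  # This allows client-side connections such as ftp to work properly.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Default policies to handle everything not covered by a rule.
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
}

#######################################
# List the loaded rules. "-n" prevents reverse DNS lookups on every
# address, which are slow and can hang when name resolution is blocked.
# Globals:   none
# Arguments: none
# Outputs:   iptables listing on stdout
#######################################
status_firewall() {
  iptables -L -v -n
}

case "$1" in
  start)
    start_firewall
    ;;
  stop)
    reset_to_accept
    ;;
  status)
    status_firewall
    ;;
  *)
    printf 'Usage: %s {start|stop|status}\n' "$0" >&2
    exit 1
    ;;
esac

exit 0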