#!/bin/sh
# Basic firewall configuration.
# Script based on: http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-pack
#
# Caveats:
# - This configuration applies to all network interfaces
#   if you want to restrict this to only a given interface use
#   '-i INTERFACE' in the iptables calls.
# - Remote access for TCP/UDP services is granted to any host, 
#   you probably will want to restrict this using '--source'.
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#
# You can test this script before applying with the following shell
# snippet, if you do not type anything in 10 seconds the firewall
# rules will be cleared.
#---------------------------------------------------------------
#  while true; do test=""; read  -t 20 -p "OK? " test ; \
#  [ -z "$test" ] && /etc/init.d/firewall clear ; done
#---------------------------------------------------------------
     
PATH=/bin:/sbin:/usr/bin:/usr/sbin
     
# Services that the system will offer to the network
TCP_SERVICES="22 80 443" # SSH and WebServer 
UDP_SERVICES="53"
# Services the system will use from the network
REMOTE_TCP_SERVICES="80" # web browsing
REMOTE_UDP_SERVICES="53" # DNS
#This option allows all outgoing connections
REMOTE_ALL=true
# Network that will be used for remote mgmt
# (if undefined, no rules will be setup)
# NETWORK_MGMT=192.168.0.0/24
# Port used for the SSH service, define this is you have setup a
# management network but remove it from TCP_SERVICES
# SSH_PORT="22"

if ! [ -x /sbin/iptables ]; then  
         exit 0
fi
     
fw_start () {
     
       # Input traffic:
       /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       # Services
       if [ -n "$TCP_SERVICES" ] ; then
       for PORT in $TCP_SERVICES; do
         /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
       done
       fi
       if [ -n "$UDP_SERVICES" ] ; then
       for PORT in $UDP_SERVICES; do
         /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
       done
       fi
	       # Basic spoofing prevetion
	/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
	/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
       # Remote testing
       /sbin/iptables -A INPUT -p icmp -j ACCEPT
       /sbin/iptables -A INPUT -i lo -j ACCEPT
       /sbin/iptables -P INPUT DROP
       /sbin/iptables -A INPUT -j LOG
     
       # Output:
       /sbin/iptables -A OUTPUT -j ACCEPT -o lo 
       /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       # ICMP is permitted:
       /sbin/iptables -A OUTPUT -p icmp -j ACCEPT

       #It might be desirable to allow all of the outgoing connections
       if [ $REMOTE_ALL ] ; then

       	  # All other connections are registered in syslog
       	  /sbin/iptables -A OUTPUT -j LOG
       	  /sbin/iptables -A OUTPUT -j ACCEPT
          /sbin/iptables -P OUTPUT ACCEPT
       else
          # As well as the services we have defined:
          if [ -n "$REMOTE_TCP_SERVICES" ] ; then
             for PORT in $REMOTE_TCP_SERVICES; do
                /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
             done
          fi
          if [ -n "$REMOTE_UDP_SERVICES" ] ; then
             for PORT in $REMOTE_UDP_SERVICES; do
                /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
             done
          fi
          # All other connections are registered in syslog
          /sbin/iptables -A OUTPUT -j LOG
          /sbin/iptables -A OUTPUT -j REJECT 
          /sbin/iptables -P OUTPUT DROP
       fi
       #Machine is not likely to serve as a router, so stoping forward.
          /sbin/iptables -P FORWARD DROP
       # Other network protections
       # (some will only work with some kernel versions)
       echo 1 > /proc/sys/net/ipv4/tcp_syncookies
       echo 0 > /proc/sys/net/ipv4/ip_forward 
       echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 
       echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 
       echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
       echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
       echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
       echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
     
}
     
fw_stop () {
       /sbin/iptables -F
       /sbin/iptables -t nat -F
       /sbin/iptables -t mangle -F
       /sbin/iptables -P INPUT DROP
       /sbin/iptables -P FORWARD DROP
       /sbin/iptables -P OUTPUT ACCEPT
}
     
fw_clear () {
       /sbin/iptables -F
       /sbin/iptables -t nat -F
       /sbin/iptables -t mangle -F
       /sbin/iptables -P INPUT ACCEPT
       /sbin/iptables -P FORWARD ACCEPT
       /sbin/iptables -P OUTPUT ACCEPT
}
     
     
case "$1" in
       start|restart)
         echo -n "Starting firewall.."
         fw_stop 
         fw_start
         echo "done."
         ;;
       stop)
         echo -n "Stopping firewall.."
         fw_stop
         echo "done."
         ;;
       clear)
         echo -n "Clearing firewall rules.."
         fw_clear
         echo "done."
         ;;
       *)
         echo "Usage: $0 {start|stop|restart|clear}"
         exit 1
         ;;
esac
exit 0

