#! /bin/sh
#
# startup script for local packet filter
#

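# Network from which the LAN-only services (FTP, DNS, NFS, Samba, X, ...)
# may be reached.  Every rule below that is restricted to the local network
# uses this single definition instead of repeating the address.
readonly fw_lan_net=192.168.53.0/24

#######################################
# Run one iptables command and report a failure instead of ignoring it.
# The failing command is echoed on stderr and fw_rule_failed is set so that
# fw_start can return non-zero; the remaining rules are still loaded so the
# host ends up as close to the intended policy as possible.
# Arguments: the iptables arguments, passed through unchanged
# Globals:   fw_rule_failed (written)
#######################################
fw_rule () {
  if ! iptables "$@"; then
    printf 'packet filter: rule failed: iptables %s\n' "$*" >&2
    fw_rule_failed=1
  fi
}

#######################################
# Accept new connections from the local network to one service port.
# Arguments: $1 - protocol (tcp or udp)
#            $2 - destination port or port range (low:high)
# Globals:   fw_lan_net (read)
#######################################
fw_lan_service () {
  fw_rule -A INPUT -p "$1" -j ACCEPT --dport "$2" -m conntrack --ctstate NEW -s "$fw_lan_net"
}

#######################################
# Load the packet filter: default-deny on every chain, accept established
# sessions, then open the public and the LAN-only services listed below.
# Globals:   fw_lan_net (read), fw_rule_failed (written)
# Outputs:   progress line on stdout, failed rules on stderr
# Returns:   0 if every iptables command succeeded, 1 otherwise
#######################################
fw_start () {
  printf '%s\n' "Loading packet filter rules"
  fw_rule_failed=0

  # without iptables nothing below can work; say so once instead of forty times
  if ! command -v iptables >/dev/null 2>&1; then
    printf '%s\n' "packet filter: iptables not found" >&2
    return 1
  fi

  # drop by default -- the policies are set *before* the old rules are
  # flushed so that the host is never left with an ACCEPT policy and an
  # empty rule set while this function runs
  fw_rule -P INPUT DROP
  fw_rule -P FORWARD DROP
  fw_rule -P OUTPUT DROP

  # flush old rules
  fw_rule -t nat --flush
  fw_rule --flush

  # accept packets that are part of previously OK'ed sessions
  fw_rule -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
  fw_rule -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
  fw_rule -A FORWARD -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

  # INBOUND POLICY

  # pass all traffic for network 127.0.0.0/8 on loopback interface
  # (loopback packets carrying one of the host's other addresses are not
  # matched here and fall through to the rules below)
  fw_rule -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

  # anti-spoofing done by Internet box so not needed here

  # services SMTP HTTP IMAP HTTPS -- reachable from any source
  # fw_rule -A INPUT -p tcp -j ACCEPT --dport 25 -m conntrack --ctstate NEW
  fw_rule -A INPUT -p tcp -j ACCEPT --dport 80 -m conntrack --ctstate NEW
  # fw_rule -A INPUT -p tcp -j ACCEPT --dport 143 -m conntrack --ctstate NEW
  fw_rule -A INPUT -p tcp -j ACCEPT --dport 443 -m conntrack --ctstate NEW

  # services on local network FTP DNS BOOTP NNTP SUBMIT VNC
  fw_lan_service tcp 20
  fw_lan_service tcp 21
  fw_lan_service udp 53
  fw_lan_service tcp 53
  fw_lan_service udp 69
  fw_lan_service tcp 119
  fw_lan_service tcp 587
  # fw_lan_service tcp 5900:5912

  # SSH-tunnelled X-Window output appears as input on interface lo
  fw_lan_service udp 177
  fw_lan_service tcp 6000:6063
  fw_rule -A INPUT -i lo -p tcp -j ACCEPT --dport 6000:6063 -m conntrack --ctstate NEW -s "$fw_lan_net"

  # NFS ports
  fw_lan_service udp 111
  fw_lan_service tcp 111
  fw_lan_service udp 2049
  fw_lan_service tcp 2049
  fw_lan_service udp 32764:32769
  fw_lan_service tcp 32764:32769

  # samba ports
  fw_lan_service udp 135
  fw_lan_service tcp 135
  fw_lan_service udp 137
  fw_lan_service tcp 137
  fw_lan_service udp 138
  fw_lan_service tcp 139
  fw_lan_service udp 445
  fw_lan_service tcp 445

  # broadcast traffic
  # NOTE(review): matches only packets from 0.0.0.0 with source port 67:68
  # sent to the limited broadcast address -- confirm this is what the local
  # DHCP setup actually needs
  fw_rule -A INPUT -p udp -s 0.0.0.0 --sport 67:68 -d 255.255.255.255 -j ACCEPT

  # accept some icmp packets (echo requests only from the local network)
  fw_rule -A INPUT -p icmp --icmp-type echo-request -s "$fw_lan_net" -j ACCEPT
  fw_rule -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  fw_rule -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

  # log anything not accepted above
  # fw_rule -A INPUT -j LOG --log-prefix "INPUT bad traffic "

  # OUTBOUND POLICY

  # accept all outbound packets
  fw_rule -A OUTPUT -j ACCEPT -m conntrack --ctstate NEW

  return "$fw_rule_failed"
}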

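#######################################
# Unload the packet filter: flush every rule and fall back to an ACCEPT
# policy on all chains, i.e. the host is left completely unfiltered.
# Globals:   fw_stop_failed (written)
# Outputs:   progress line on stdout; iptables reports failures on stderr
# Returns:   0 if every iptables command succeeded, 1 otherwise
#######################################
fw_stop() {
  printf '%s\n' "Unloading packet filter rules"
  fw_stop_failed=0

  # flush old rules -- a failure is remembered rather than dropped on the
  # floor, so the caller can tell that the filter was not fully unloaded
  iptables -t nat --flush || fw_stop_failed=1
  iptables --flush || fw_stop_failed=1

  # accept by default
  iptables -P INPUT ACCEPT || fw_stop_failed=1
  iptables -P FORWARD ACCEPT || fw_stop_failed=1
  iptables -P OUTPUT ACCEPT || fw_stop_failed=1

  if [ "$fw_stop_failed" -ne 0 ]; then
    printf '%s\n' "packet filter: not every rule could be unloaded" >&2
  fi
  return "$fw_stop_failed"
}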

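# Dispatch on the init-style verb.  'restart' is the same as 'start'
# because fw_start flushes the old rules itself; going through fw_stop
# first would briefly leave the host with an ACCEPT policy and no rules.
# An unknown or missing verb is a usage error: report it on stderr and
# exit 2 so that a typo does not look like a successful start.
case "$1" in
'start')
  fw_start
  ;;
'stop')
  fw_stop
  ;;
'restart')
  fw_start
  ;;
*)
  printf 'usage %s start|stop|restart\n' "$0" >&2
  exit 2
  ;;
esac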
