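#!/bin/bash
#
# firewall   This shell script takes care of setting up a firewall for a
#            Virtuozzo based VPS.
#            Stateless: no connection tracking and no logging (see the
#            caveat on the "answers on high ports" rules below).
#            Borrows heavily from a script by Dmitry Konstantinov of sw-soft
#
# chkconfig: 2345 18 92
# description: setup firewall configuration
#
# Usage: firewall {start|stop|restart|status}

set -u   # an unset variable here is a bug, never a silently empty rule

IPTABLES="/sbin/iptables"

# TCP ports to allow (inbound, from any source)
TCP_PORTS="22 25 53 80 110 123 443 995 10000 20000"
# UDP ports to allow (inbound, from any source)
UDP_PORTS="53 123"
# ICMP types to allow: 0 echo-reply, 3 destination-unreachable,
# 8 echo-request, 11 time-exceeded
ICMP="0 3 8 11"

#######################################
# Print the IPv4 addresses bound to this host, one per line, loopback
# excluded.  Only lines whose first field is exactly "inet" are used, so
# IPv6 entries never leak into the list (the previous `grep inet` also
# matched "inet6").  Both the legacy "inet addr:A.B.C.D" and the current
# "inet A.B.C.D" ifconfig layouts are understood; `ip` is used when
# ifconfig is not installed.
# Outputs: addresses on stdout (may be empty)
#######################################
discover_ipv4() {
  if [ -x /sbin/ifconfig ]; then
    /sbin/ifconfig 2>/dev/null | awk '
      $1 == "inet" {
        ip = $2
        sub(/^addr:/, "", ip)
        if (ip !~ /^127\./) print ip
      }'
  else
    ip -4 -o addr show 2>/dev/null | awk '
      {
        split($4, a, "/")
        if (a[1] !~ /^127\./) print a[1]
      }'
  fi
}

SERVER_IPS=$(discover_ipv4)

#######################################
# Append a rule to the INPUT (fwin) or OUTPUT (fwout) chain.
# Arguments: iptables match/target options, passed through verbatim
#######################################
fwin()  { "$IPTABLES" -A INPUT  "$@"; }
fwout() { "$IPTABLES" -A OUTPUT "$@"; }

#######################################
# Flush a chain and set its default policy.
# Arguments: $1 - chain (INPUT, OUTPUT, FORWARD); $2 - policy (ACCEPT, DROP)
#######################################
reset_chain() {
  local chain="$1" policy="$2"
  "$IPTABLES" -F "$chain"
  "$IPTABLES" -P "$chain" "$policy"
}

#######################################
# Build the rule set from scratch.  All three chains are flushed and set
# to DROP first, so the host is fail-closed while rules are being added.
# Refuses to run when no server address was discovered: with an empty
# SERVER_IPS no ACCEPT rule would be written and the DROP policy would
# lock out every remote session, including the one running this script.
# Returns: 0 on success, 1 if no address was found (rules left untouched)
#######################################
do_start() {
  local port ourip icmp_type

  if [ -z "$SERVER_IPS" ]; then
    echo "firewall: no server IPv4 address found; refusing to start (it would lock out all traffic)" >&2
    return 1
  fi

  reset_chain INPUT   DROP
  reset_chain OUTPUT  DROP
  reset_chain FORWARD DROP

  # INPUT
  # 1) loopback: accept on lo, drop 127/8 destinations arriving on any
  #    other interface (spoofed loopback addresses).
  fwin -i lo -j ACCEPT
  fwin -d 127.0.0.0/8 -j DROP

  # 2) published services, one rule per local address
  for port in $TCP_PORTS; do
    for ourip in $SERVER_IPS; do
      fwin -p tcp -d "$ourip" --dport "$port" -j ACCEPT
    done
  done
  for port in $UDP_PORTS; do
    for ourip in $SERVER_IPS; do
      fwin -p udp -d "$ourip" --dport "$port" -j ACCEPT
    done
  done

  # 3) non-SYN segments from source port 80 to our high ports (replies
  #    from web servers we connected to).  This is fully subsumed by the
  #    general high-port rule in 5) and is kept only for parity with the
  #    original rule set.
  for ourip in $SERVER_IPS; do
    fwin -p tcp --sport 80 -d "$ourip" --dport 1024: ! --syn -j ACCEPT
  done

  # 4) ICMP echo replies/requests, destination-unreachable and
  #    time-exceeded from everywhere.
  for ourip in $SERVER_IPS; do
    for icmp_type in $ICMP; do
      fwin -p icmp -d "$ourip" --icmp-type "$icmp_type" -j ACCEPT
    done
  done

  # 5) answers on high ports.  With no connection tracking an "answer"
  #    can only be approximated: any non-SYN TCP segment and ANY UDP
  #    datagram to ports 1024-65535 is accepted from any source.
  #    SECURITY: every service listening on a high port (UDP in
  #    particular) is therefore reachable from the Internet, and ACK/FIN
  #    scans pass through.  If the kernel provides conntrack, replace
  #    these two rules with `-m state --state ESTABLISHED,RELATED -j ACCEPT`.
  fwin -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
  fwin -p udp -m udp --dport 1024:65535 -j ACCEPT

  # OUTPUT
  # 1) loopback: accept on lo, drop packets claiming a 127/8 source on
  #    any other interface.
  fwout -o lo -j ACCEPT
  fwout -s 127.0.0.0/8 -j DROP

  # 2) all outgoing traffic from our own addresses; anything else falls
  #    to the OUTPUT DROP policy, which stops source-spoofed egress.
  for ourip in $SERVER_IPS; do
    fwout -s "$ourip" -j ACCEPT
  done
}

#######################################
# Turn the firewall off: flush every chain and set its policy to ACCEPT.
#######################################
do_stop() {
  echo "Flushing rulesets.."
  reset_chain INPUT   ACCEPT
  reset_chain OUTPUT  ACCEPT
  reset_chain FORWARD ACCEPT
}

if [ ! -x "$IPTABLES" ]; then
  echo "firewall: $IPTABLES is not executable" >&2
  exit 1
fi

case "${1-}" in
  start)
    do_start || exit 1
    ;;
  stop)
    do_stop
    ;;
  restart)
    # The usage line advertised "restart" but no arm implemented it.
    # start already flushes and rebuilds from a DROP policy, so calling it
    # directly avoids the window in which "stop; start" would leave every
    # chain at ACCEPT.
    do_start || exit 1
    ;;
  status)
    # list rules with counters; -n avoids DNS lookups
    "$IPTABLES" -vnL
    ;;
  *)
    echo "Usage: firewall {start|stop|restart|status}"
    exit 1
    ;;
esac
exit 0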