#!/bin/bash
# Copy/paste your own firewall!
# Copyright (C) 2005, 2006  Cliss XXI
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
# 
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Author: Sylvain Beucler <beuc@beuc.net>

# Clean-up
# Use 'ACCEPT' by default - safer when using '-F' manually
#
# Design note: the chain policies stay ACCEPT (below) and the
# "deny everything else" is the catch-all REJECT rule appended at the end
# of the INPUT and FORWARD chains.  Consequences worth knowing before
# copy/pasting from this file:
#  - Between 'iptables -F' here and the trailing REJECT rules, INPUT and
#    FORWARD are wide open; the window is short, but it is also where the
#    ruleset ends up if the script is interrupted part-way.
#  - There is no 'set -e': a rule that fails to load (typo, unknown
#    service name) is skipped and the script carries on, so a mistake
#    costs that one service while the trailing REJECT still lands.
#  - Only the 'filter' (default) and 'nat' tables are flushed; 'mangle',
#    'raw' and any user-defined chains (no '-X') are left untouched.
#  - IPv4 only: nothing here touches ip6tables.
#  - OUTPUT has policy ACCEPT and receives no rules, so outbound traffic
#    is unrestricted.
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Table 'nat' clean-up
iptables -t nat -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT


# Base
# Accept client-originated, loopback, ping and ssh connections
# Rules are evaluated in order, first match wins: the conntrack rule goes
# first so return traffic of locally initiated connections is accepted
# before any per-service rule is consulted.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# No '--icmp-type': this accepts every ICMP type, not just echo-request.
iptables -A INPUT -p icmp -j ACCEPT
# No '-i'/'-s': ssh is reachable from every interface, including the
# Internet-facing one (eth-inet, see the MASQUERADE rule below).
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Vino
# NOTE(review): the per-service rules in this section (Vino, Samba, FTP,
# mail, HTTP, DNS, XDMCP) carry no '-i' or '-s' match, so each service is
# exposed on every interface, eth-inet included.  Only the NFS and DHCP
# stanzas below are bound to an interface.  When copying a stanza, add
# '-i <lan-interface>' or '-s <lan-network>' unless the service really is
# meant to be public.
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT

# Samba
iptables -A INPUT -p tcp -m multiport --dports loc-srv,netbios-ssn,microsoft-ds -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports netbios-ns,netbios-dgm -j ACCEPT

# FTP
# Covers the control (ftp) and active-mode data (ftp-data) ports only.
# NOTE(review): passive-mode data connections arrive on high ports; whether
# the RELATED match above lets them through depends on the ftp conntrack
# helper being loaded -- confirm on the target host.
iptables -A INPUT -p tcp -m multiport --dports ftp,ftp-data -j ACCEPT

# SMTP
iptables -A INPUT -p tcp --dport smtp -j ACCEPT

# POP3
iptables -A INPUT -p tcp --dport pop3 -j ACCEPT

# Mail
# pop3 is already accepted by the POP3 stanza above; listing it again here
# is redundant but harmless (first match wins).
iptables -A INPUT -p tcp -m multiport --dports pop3,imap2,pop3s,imaps -j ACCEPT

# HTTP
iptables -A INPUT -p tcp -m multiport --dports http,https -j ACCEPT

# NFS
# /etc/modprobe.d/lockd: options lockd nlm_udpport=2045 nlm_tcpport=2045
# /etc/default/nfs-common: STATDOPTS="-p 2046 -o 2047"
# /etc/default/nfs-kernel-server: RPCMOUNTDOPTS="-p 2048"
# The three settings above pin the otherwise dynamic RPC services to fixed
# ports so the single 2045:2049 range below (plus sunrpc/portmapper) is
# enough.  They must be applied on the host for these rules to be useful.
# NOTE(review): 'eth0' appears only in this stanza; the rest of the file
# uses eth-MAISON / eth-inet / eth-office.  Confirm eth0 is the intended
# LAN interface and not a leftover from another machine.
iptables -A INPUT -i eth0 -p tcp --dport sunrpc -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport sunrpc -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 2045:2049 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 2045:2049 -j ACCEPT

# DNS
iptables -A INPUT -p udp --dport domain -j ACCEPT
iptables -A INPUT -p tcp --dport domain -j ACCEPT

# DHCP - bootps:bootpc:tftp
# Bound to the eth-MAISON interface.  67:69/udp covers bootps, bootpc and
# tftp.  DHCP/BOOTP itself is UDP-only, so the 67:68/tcp rule most likely
# never matches anything; it is harmless and can be dropped.
iptables -A INPUT -i eth-MAISON -p udp --dport 67:69 -j ACCEPT
iptables -A INPUT -i eth-MAISON -p tcp --dport 67:68 -j ACCEPT

# XDMCP (test) - 177/udp + 6000-6007-60XX?
# Marked "(test)" by the author: the X11 port set is still being worked out
# (only x11-1 is open, x11-2 left commented below).  Service names resolve
# through /etc/services on the host running the script.
iptables -A INPUT -p udp --dport xdmcp -j ACCEPT
iptables -A INPUT -p tcp --dport x11-1 -j ACCEPT
#iptables -A INPUT -p tcp --dport x11-2 -j ACCEPT # ?

# Reject everything else
# Catch-all for INPUT.  No '--reject-with', so iptables' default reply
# (icmp-port-unreachable) is sent.  This rule is what actually closes the
# host; until it is appended the ACCEPT policy above applies.
iptables -A INPUT -j REJECT


# Shared Internet access
# sed -i -e 's/ip_forward=.*/ip_forward=yes/' /etc/network/options
# (The sed line above is a reminder, not executed: IP forwarding has to be
# enabled separately or the FORWARD/nat rules below see no traffic.)
# NAT everything forwarded out of eth-inet; there is no '-s' match, so any
# source network that gets forwarded is masqueraded.
iptables -t nat -A POSTROUTING -o eth-inet -j MASQUERADE
# MTU
# Clamp the TCP MSS of new connections (SYN set, RST clear) leaving eth-inet
# to the path MTU -- typically needed when the uplink MTU is below 1500
# (e.g. PPPoE).  '-o eth-inet' after '-j TCPMSS' is fine: iptables accepts
# match options in any position.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS -o eth-inet --clamp-mss-to-pmtu
# Allowed routing
# Anything arriving on eth-office is forwarded, with no '-o' restriction
# (so towards eth-inet and any other interface alike); only replies to
# those flows are let back in from eth-inet.  No FORWARD rule mentions
# eth-MAISON, so traffic from that interface hits the REJECT below.
iptables -A FORWARD -i eth-office -j ACCEPT
iptables -A FORWARD -i eth-inet -o eth-office -m state --state RELATED,ESTABLISHED -j ACCEPT
# Reject everything else
# Catch-all for FORWARD, same role as the INPUT one above.
iptables -A FORWARD -j REJECT
