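#!/bin/sh
#
# firewall.sh - Version 20020319 - Coresis
#
# Stateless iptables host firewall.  Flushes all chains, sets DROP policies,
# hardens a few ipv4 sysctls, then accepts only: loopback traffic, SSH from two
# trusted hosts, replies to our own DNS/NTP/SMTP traffic, ICMP from two trusted
# networks, and inbound HTTP/HTTPS on eth0.
#
# Must run as root.  The addresses below are placeholders ("random IPs");
# set GW1/GW2, LINEA1/LINEA2 and NTP_SRV before deploying.
#
### DEBUGGING ###
set -x

### FLUSHING CHAIN ###
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

### DEFAULT CHAIN ###
# Policies go to DROP before any ACCEPT rule is added, so an error later in
# the script leaves the host closed rather than open.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

### SETTING IPFORWARDING ###
# NOTE(review): FORWARD policy is DROP and no FORWARD rules are added below,
# so nothing is actually forwarded; if this host is not a router, write 0.
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

### DISABLE RESPOND TO BROADCAST ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### ENABLE BAD ERROR MESSAGE PROTECTION ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### DISABLE ICMP REDIRECT ACCEPTANCE ###
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

### SETTING ANTISPOOFING PROTECTION ###
# Reverse-path filter: drop packets whose source is not routable back out
# the interface they arrived on.
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

### LOG MARTIANS (PACKETS WITH IMPOSSIBLE SOURCE ADDRESSES) ###
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

##################################################################

#GW1 AND GW2 ARE TRUSTED HOSTS FROM WHICH SSH COMMUNICATION IS PERMITTED
GW1=10.10.10.4
GW2=192.168.1.5

#LINEA1 AND LINEA2 ARE TRUSTED NETWORKS FROM WHICH ICMPS ARE ALLOWED
LINEA1=10.10.10.0/24
LINEA2=192.168.1.0/24

# NTP_SRV IS A NETWORK TIME PROTOCOL SERVER
NTP_SRV=10.198.151.1

##################################################################

# ======================= LOCALHOST ================================
# Match the loopback interface, not the 127.0.0.1 source address: an
# address-only match would also accept packets arriving on eth0 that carry
# a forged 127.0.0.1 source.
/sbin/iptables -A INPUT  -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# ======================= SSH RULE ================================
# Inbound SSH only from the two trusted hosts, and the matching replies.
/sbin/iptables -A INPUT  -i eth0 -p tcp --dport 22 -s "$GW1" -j ACCEPT
/sbin/iptables -A INPUT  -i eth0 -p tcp --dport 22 -s "$GW2" -j ACCEPT

/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -d "$GW1" -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -d "$GW2" -j ACCEPT

# ======================= DNS RULE ==========================
# Replies to this host's own lookups.  A bare "--sport 53 ACCEPT" would let
# any remote host reach any local port simply by sending from port 53, so:
#   - TCP: "! --syn" accepts only packets that are not connection openers;
#   - UDP: replies must land on an unprivileged (client) port.
# NOTE(review): a local nameserver that sends its queries from port 53 would
# need an additional rule of its own.
/sbin/iptables -A INPUT  -p tcp --sport 53 ! --syn -j ACCEPT
/sbin/iptables -A INPUT  -p udp --sport 53 --dport 1024:65535 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# ======================= ICMP RULE ==========================
# ICMP (all types) only to and from the two trusted networks.
/sbin/iptables -A INPUT  -p icmp -s "$LINEA1" -j ACCEPT
/sbin/iptables -A INPUT  -p icmp -s "$LINEA2" -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -s "$LINEA1" -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -s "$LINEA2" -j ACCEPT

# ======================= NTP RULE =========================
# Time sync with a single server.  The TCP reply rule gets "! --syn" so the
# server (or anyone able to spoof its address) cannot open connections to
# us from source port 123.  UDP is left keyed on the source address only,
# because an ntpd client sends from port 123 as well as from ephemeral ports.
/sbin/iptables -A INPUT  -p udp --sport ntp -s "$NTP_SRV" -j ACCEPT
/sbin/iptables -A INPUT  -p tcp --sport ntp ! --syn -s "$NTP_SRV" -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport ntp -d "$NTP_SRV" -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport ntp -d "$NTP_SRV" -j ACCEPT

# ================== MAIL SEND RULE ========================
# Outbound SMTP to the trusted networks and the replies; "! --syn" keeps
# hosts there from opening connections to arbitrary local ports via sport 25.
/sbin/iptables -A INPUT  -p tcp --sport 25 ! --syn -s "$LINEA1" -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25 -d "$LINEA1" -j ACCEPT
/sbin/iptables -A INPUT  -p tcp --sport 25 ! --syn -s "$LINEA2" -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25 -d "$LINEA2" -j ACCEPT

### ADD CUSTOM SERVER RULES BELOW
# ================= HTTP & HTTPS ============================
# Public web service on eth0: inbound to 80/443 from anywhere, replies out.
/sbin/iptables -A INPUT  -i eth0 -p tcp --dport 80  -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 80  -j ACCEPT
/sbin/iptables -A INPUT  -i eth0 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT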
