#!/bin/sh
# firewall.sh - Configurable per-host IPv4 firewall (iptables only: ip6tables is
# never touched, so IPv6 traffic is not filtered by this script) for workstations
# and servers. (c) 2003-2004 Tero Karvinen - tero karvinen at iki fi - GPL
# 2004-01-25 Bootp udp hole. ADDR and MASK. 
# 2004-11-30 Integrating with Debian using /etc/network/interfaces
# 2004-11-14 Add holes for nameservers. 
# Todo: Debian config like in doc/iptables. Put ip-addr and mask to variables

# About my network
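IFACE=eth0

# Extract the IPv4 address from a net-tools `ifconfig` line of the form
#   "inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0".
# Reads stdin, prints the address (nothing if no such line is present).
# NOTE(review): this relies on the old net-tools output format; a newer
# ifconfig prints "inet 10.0.0.5 netmask 255.255.255.0" and yields "".
parse_inet_addr() {
	sed -n 's/.*inet addr:\([^ ]*\).*/\1/p'
}

# Extract the netmask from the same ifconfig line (stdin -> stdout).
parse_inet_mask() {
	sed -n 's/.*Mask:\([^ ]*\).*/\1/p'
}

# resolv.conf (stdin) -> one nameserver address per line. Anchored at the
# start of the line so a commented-out "# nameserver x.x.x.x" does not end
# up as a firewall hole (an unanchored /nameserver/ match would admit it).
parse_nameservers() {
	awk '/^nameserver/{print $2}'
}

# The interface is taken from IFACE (previously hard-coded as eth0 in the
# ifconfig calls even though IFACE was defined). Parsing uses sed/awk only,
# dropping the gawk and perl dependencies of the earlier one-liners.
ADDR=$(ifconfig "$IFACE" | parse_inet_addr)
MASK=$(ifconfig "$IFACE" | parse_inet_mask)
DNSSERVERS=$(parse_nameservers < /etc/resolv.conf)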
# Clean up old rules. The DROP policies are set before the flush, so the host
# is never left in an open state while the previous rule set is torn down.
# Policies first, then flush: -F removes rules but keeps the chain policies,
# so incoming traffic is dropped during the rebuild. OUTPUT is deliberately
# left at its default policy (outbound traffic is not filtered), and only
# the filter table is cleared (no -t nat / -t mangle here).
for chain in INPUT FORWARD; do
	iptables -P "$chain" DROP
done
iptables -F        # drop every rule, keep the policies set above
iptables -X        # delete the (now empty) user-defined chains
## Workstation Minimal firewall ###
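# Loopback: only 127.0.0.1 <-> 127.0.0.1 is accepted here. Local connections
# to the host's own eth0 address (also carried on lo) or to other 127/8
# addresses fall through to the final DROP unless already ESTABLISHED; the
# commented "-i lo -j ACCEPT" in the holes section is the broader option.
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
# Replies to connections this host initiated (TCP, and UDP/ICMP tracked by
# conntrack). This is what lets this host's own DNS queries get answers.
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
# ICMP error reporting and traceroute. echo-request is NOT accepted here
# (see the commented hole below), so the host does not answer pings.
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # for traceroute
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# NOTE(review): these match packets *destined to* port 53 on this host,
# i.e. they expose a local DNS service to the configured nameservers (and,
# for UDP, to anyone spoofing one of their source addresses). Replies to
# this host's own queries are already covered by the ESTABLISHED,RELATED
# rule above, so if that was the intent these rules are not needed.
# Kept as-is; $DNS is quoted so an odd resolv.conf entry cannot be split
# into extra iptables arguments.
for DNS in $DNSSERVERS; do
	iptables -A INPUT --source "$DNS" -p tcp --dport 53 -j ACCEPT
	iptables -A INPUT --source "$DNS" -p udp --dport 53 -j ACCEPT
done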
# Refuse X Window System connections from the network, even if one of the
# holes below opens a high-port range that would otherwise include 6000-6010.
# Placed before the holes so it wins regardless of what is added there.
iptables --append INPUT --protocol tcp --destination-port 6000:6010 --jump DROP
####### HOLES ####### Edit the holes below, then run this script again (it
# flushes and rebuilds the whole rule set from scratch on every run)
## Shoutcast in TEST
#iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p tcp --dport 50022 -j ACCEPT
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#iptables -A INPUT -p tcp --dport https -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 67:68 --source $ADDR/$MASK -j ACCEPT
## OpenVPN:
# iptables -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -A INPUT -i eth0 --destination 10.0.0.1/255.0.0.0 -j LOG
#iptables -A INPUT -i eth0 --destination 10.0.0.1/255.0.0.0 -j DROP
#iptables -A INPUT -i tun+ -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
##################### Edit above
# Anything not accepted above: log it (rate-limited so a flood cannot fill
# the kernel log) and then drop it explicitly, mirroring the INPUT policy.
# LOG must come before DROP, since DROP terminates rule traversal.
iptables --append INPUT --match limit --limit 40/minute --jump LOG
iptables --append INPUT --jump DROP
printf '%s: Done.\n' "$0"

# Put this in /etc/network/interfaces. The pre-up line closes INPUT before the
# interface comes up; the script then runs at 'up' (after DHCP has assigned an
# address, which it reads back via ifconfig) to install the full rule set.
#auto lo
#        iface lo inet loopback
#auto eth0
#        iface eth0 inet dhcp
#        pre-up iptables -P INPUT DROP
#        up /etc/firewall.sh
#


