#!/bin/bash

######################################################
# I made this script essentially based on what       #
# happened when I configured netfilter/NAT to DROP   #
# everything. I punched a pinhole for each necessary #
# match as the issue became apparent. This script    #
# should be suitable for ordinary internet usage,    # 
# while still being pretty strong. Consider it a     #
# template for a low-end high-strength firewall.     #
######################################################


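# Fail closed: abort at the first failing command (by then the chain policies
# are already DROP) and refuse to run with an unset variable.  Apply this from
# the console, not over an SSH session, when you change it.
set -eu

# The iptables binary (the original repeated this absolute path on every line).
IPT=/usr/local/sbin/iptables

# Turn off IP Forwarding while we reconfigure the firewall.

echo 0 > /proc/sys/net/ipv4/ip_forward

# Interface and IP Variables...Set these according to your configuration.
# ADMIF/ADMIP are declared but no rule below uses them; they are kept as the
# hook for an admin-network section.

EXTIF=eth0
INTIF=eth1
# shellcheck disable=SC2034  # unused: placeholder for admin-network rules
ADMIF=eth2
EXTIP=0/0               # "anywhere" -- the external side is not pinned to one address
INTIP=192.168.1.0/24
# shellcheck disable=SC2034  # unused: placeholder for admin-network rules
ADMIP=192.168.2.0/24
DSIP=192.168.1.11       # internal host that receives the Dungeon Siege DNAT below
LO=127.0.0.1/32


# Set the policy to DROP *before* flushing, so there is no window with an
# ACCEPT policy and an empty rule set (the original flushed first).
# Deny any traffic that is not explicitly allowed.

$IPT -P INPUT   DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT  DROP


# Flush all firewall rules so that this script runs on a blank firewall system.
# "-F" alone only empties the filter table; the nat table (DNAT/MASQUERADE
# rules below) has to be flushed as well, otherwise every re-run appends a
# duplicate of each nat rule.  -X removes leftover user chains, -Z zeroes counters.

$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t nat -X


# Connection tracking.  The original admitted replies by matching on the
# *source* port (--sport 22, 53, 20/21, 6667:7000, ...) and even DNAT'd on a UDP
# source port; a source-port match alone lets any remote host reach arbitrary
# local or internal ports just by sending from that port.  Replies and related
# traffic are therefore admitted by conntrack state instead, and every pinhole
# below only opens the first packet of a flow (--state NEW).  Needs the state
# match / conntrack modules (ip_conntrack on 2.4, nf_conntrack later).
# Packets conntrack cannot classify (INVALID) are dropped instead of logged.

for chain in INPUT OUTPUT FORWARD; do
  $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
$IPT -A INPUT   -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP


# Anti-spoofing: a packet arriving from the Internet must not claim an internal
# source address, and loopback addresses belong on lo only.

$IPT -A INPUT   -i "$EXTIF" -s "$INTIP" -j DROP
$IPT -A FORWARD -i "$EXTIF" -s "$INTIP" -j DROP
$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP


# Allow localhost to transmit to itself.  Kept as tight as the original
# (127.0.0.1 only): traffic on lo addressed to the host's other IPs still hits
# the DROP policy; use "-i lo -j ACCEPT" if local daemons need that.

$IPT -A INPUT  -i lo -s "$LO" -d "$LO" -p all -j ACCEPT
$IPT -A OUTPUT -o lo -s "$LO" -d "$LO" -p all -j ACCEPT


# SSH.  Inbound on the internal interface and -- as in the original -- from
# anywhere on the Internet.  Narrow "-s $EXTIP" on the EXTIF rule to your admin
# addresses if world-reachable SSH is not needed.  The old "--sport 22" accepts
# are gone: replies come back through the ESTABLISHED rule.

$IPT -A INPUT -i "$INTIF" -s "$INTIP" -d "$INTIP" -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i "$EXTIF" -s "$EXTIP" -d "$EXTIP" -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The firewall itself opening ssh sessions.
$IPT -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTIP" -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -d "$EXTIP" -p tcp --dport 22 -m state --state NEW -j ACCEPT
# SSH through the firewall, any direction (as before).
$IPT -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT


# Rules for earthlink dial-up. Earthlink seems to send something on this port during connection.
# This is used for MS-SQL. Earthlink connection still seems to work whether I allow this packet or not.

# $IPT -A INPUT -i "$EXTIF" -s "$EXTIP" -d "$EXTIP" -p tcp --dport 1433 -m state --state NEW -j ACCEPT


# Enable Dungeon Siege.  Game traffic arriving from the Internet is DNAT'd to
# DSIP.  The original also DNAT'd and forwarded on "--sport", which sent any
# external UDP packet with that source port to *any* port on DSIP; with
# conntrack the replies of the DNAT'd flows are handled automatically, so only
# the --dport rules remain.

for ports in 2234 2300:2400 6073; do
  # LAN side: hosts talking to the firewall, or out through it.
  $IPT -A INPUT   -i "$INTIF" -p udp --dport "$ports" -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i "$INTIF" -p udp --dport "$ports" -m state --state NEW -j ACCEPT
  # Internet side: redirect to the game host and accept the forwarded packet.
  $IPT -t nat -A PREROUTING -i "$EXTIF" -p udp --dport "$ports" -j DNAT --to-destination "$DSIP"
  $IPT -A FORWARD -i "$EXTIF" -d "$DSIP" -p udp --dport "$ports" -m state --state NEW -j ACCEPT
done


# Allow ICMP (error reporting and ping), every type, as in the original.

$IPT -A INPUT   -i "$INTIF" -p icmp -j ACCEPT
$IPT -A INPUT   -i "$EXTIF" -p icmp -j ACCEPT
$IPT -A OUTPUT  -o "$INTIF" -p icmp -j ACCEPT
$IPT -A OUTPUT  -o "$EXTIF" -p icmp -j ACCEPT
$IPT -A FORWARD -o "$INTIF" -p icmp -j ACCEPT
$IPT -A FORWARD -o "$EXTIF" -p icmp -j ACCEPT


# Allow the Firewall to connect to the ISP's DHCP Server.  The firewall is the
# *client* here: it sends from port 68 to 67 and receives from 67 to 68.  The
# original OUTPUT rule carried the server's port pair (sport 67, dport 68), so
# a request could not have passed the filter -- possibly unnoticed because some
# DHCP clients use packet sockets that bypass netfilter.  No state match: the
# reply may be a broadcast that conntrack does not tie to the request.

$IPT -A INPUT  -i "$EXTIF" -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o "$EXTIF" -p udp --sport 68 --dport 67 -j ACCEPT


# Allow DHCP Clients on the network to query the DHCP Server on this host
# (server side of the same port pair; the firewall is not a client on INTIF).

$IPT -A INPUT  -i "$INTIF" -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A OUTPUT -o "$INTIF" -p udp --sport 67 --dport 68 -j ACCEPT


# Allow MS Universal PnP and SSDP (Windows Garbage) on the internal network only.
# NOTE(review): SSDP discovery goes to a multicast address, which "-d $INTIP"
# does not match; these rules presumably only see unicast 1900 traffic -- verify.

$IPT -A INPUT   -i "$INTIF" -s "$INTIP" -d "$INTIP" -p udp --dport 1900 -j ACCEPT
$IPT -A OUTPUT  -o "$INTIF" -s "$INTIP" -d "$INTIP" -p udp --dport 1900 -j ACCEPT
$IPT -A FORWARD -s "$INTIP" -d "$INTIP" -p udp --dport 1900 -j ACCEPT


# Allow Internal NETBIOS (SaMBa) Session and Packet information on the internal network only.
# 137/138 datagrams are sent by both sides, so the firewall's own outgoing ones
# keep an explicit rule; 139 replies are covered by the ESTABLISHED rule.

$IPT -A INPUT -i "$INTIF" -s "$INTIP" -d "$INTIP" -p udp --sport 137 --dport 137 -j ACCEPT
$IPT -A INPUT -i "$INTIF" -s "$INTIP" -d "$INTIP" -p udp --sport 138 --dport 138 -j ACCEPT
$IPT -A INPUT -i "$INTIF" -s "$INTIP" -d "$INTIP" -p udp --dport 139 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i "$INTIF" -s "$INTIP" -d "$INTIP" -p tcp --dport 139 -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTIP" -p udp --sport 137 --dport 137 -j ACCEPT
$IPT -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTIP" -p udp --sport 138 --dport 138 -j ACCEPT


# Allow DNS Lookups. If you are running BIND or another DNS cache/resolver on the
# firewall, remove the FORWARD rules and point the DNS clients at the firewall
# instead.  Answers (the old "--sport 53" rules) return via conntrack.

# LAN clients querying a resolver on the firewall.
$IPT -A INPUT   -i "$INTIF" -s "$INTIP" -d "$EXTIP" -p udp --dport 53 -m state --state NEW -j ACCEPT
# The firewall's own lookups (the original listed this rule twice).
$IPT -A OUTPUT  -o "$EXTIF" -s "$EXTIP" -d "$EXTIP" -p udp --dport 53 -m state --state NEW -j ACCEPT
# LAN clients querying resolvers on the Internet.
$IPT -A FORWARD -i "$INTIF" -s "$INTIP" -d "$EXTIP" -p udp --dport 53 -m state --state NEW -j ACCEPT


# Outbound TCP services for users inside the network.  This does not allow a
# server for any of them to operate inside the network or on the firewall;
# those rules are different.  One NEW-connection pinhole each, replies via conntrack.
#   80    HTTP            8080  HTTP-ALT        443   HTTPS (HTTP over SSL)
#   21    FTP control     110   POP3            25    SMTP
#   119   Usenet (NNTP)   6667:7000 IRC         5190  AOL
#   7770:7773 WinMX
# IMAP: no rule (the original had the heading but no ports).
# FTP: the data connection (active or passive) is only accepted as RELATED when
# the FTP conntrack helper is loaded (ip_conntrack_ftp on 2.4 kernels,
# nf_conntrack_ftp later); the original's "--sport 20" accepts did not give
# working active FTP through NAT without it either.

for port in 80 8080 443 21 110 25 119 6667:7000 5190 7770:7773; do
  $IPT -A FORWARD -i "$INTIF" -s "$INTIP" -d "$EXTIP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done


# The firewall's own clients on the Internet side (FTP and IRC, as in the
# original, which also opened INPUT on their source ports).

for port in 21 6667:7000; do
  $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -d "$EXTIP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done


# Log what falls through to the DROP policy.  Rate-limited so a flood of
# rejected packets cannot fill the log (or the disk); the prefix names the
# chain so the entries can be grepped apart.

for chain in INPUT FORWARD OUTPUT; do
  $IPT -A "$chain" -m limit --limit 5/minute --limit-burst 10 \
    -j LOG --log-level info --log-prefix "fw-${chain}-drop: "
done


# Enable NAT.  Only the internal network is masqueraded (the original
# masqueraded anything leaving EXTIF, whatever its source).

$IPT -t nat -A POSTROUTING -s "$INTIP" -o "$EXTIF" -j MASQUERADE


# Turn on IP Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward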


