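#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network $syslog
# Required-Stop:     $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall based on iptables
# Description:       Firewall opening or closing ports and protocols based on ipset rules
### END INIT INFO
#
# IPv4 only: nothing below touches ip6tables, so if this host has IPv6
# connectivity that traffic is not filtered by this script at all.

iptables=/sbin/iptables
ipset=ipset
# One blacklisted IPv4 address per line. Blank lines and '#' comments are ignored.
evilhosts=/etc/hosts.evil

# Known hosts, for ssh access and other stuff...
EXAMPLEHOST=1.2.3.4

# Rebuild the "blacklist" ipset from $evilhosts.
# The set is created if missing and always flushed first, so a removed entry in
# the file really disappears from the set. Entries are validated before being
# handed to ipset: the file is root-owned config, but a stray "1.2.3.4 -j X" or
# an empty line would otherwise be word-split into extra ipset arguments.
build_blacklist() {
  local entry
  echo -n "Building blacklist ipset... "
  $ipset --quiet --create blacklist iphash
  $ipset --flush blacklist
  if [[ ! -r "$evilhosts" ]]; then
    # Not fatal: the --match-set rules still load against the (empty) set.
    echo "WARNING: $evilhosts not readable, blacklist left empty" >&2
    return
  fi
  # IFS= / -r keep the line byte-for-byte; the || clause picks up a final line
  # that has no trailing newline.
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    entry=${entry%%#*}           # strip trailing comment
    entry=${entry//[[:space:]]/} # strip surrounding whitespace
    [[ -z "$entry" ]] && continue
    # iphash holds single addresses; anything that is not a dotted quad is
    # reported and skipped rather than passed through to ipset.
    if [[ ! "$entry" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      echo "WARNING: skipping malformed blacklist entry '$entry'" >&2
      continue
    fi
    $ipset --add blacklist "$entry"
  done < "$evilhosts"
  echo "done."
}

# Empty the three filter chains. Policies are left untouched, so if INPUT is
# already DROP from a previous run, the box stays closed until firewall_start
# adds rules again (see the ssh rule order there).
firewall_flush() {
  echo -n "Flushing tables... "
  $iptables -F INPUT
  $iptables -F FORWARD
  $iptables -F OUTPUT
  echo "done."
}

# Install the rule set. Expects the "blacklist" ipset to exist (build_blacklist).
firewall_start() {
  firewall_flush
  echo -n "Adding new rules... "

  # Allow ssh from the known admin host FIRST, before the default policy goes to
  # DROP and before the blacklist, so a remote restart or a bad blacklist entry
  # can never lock the administrator out.
  $iptables -A INPUT -p tcp --dport 22 -s "$EXAMPLEHOST" -j ACCEPT

  # Default policies for given chains
  $iptables -P INPUT DROP
  $iptables -P FORWARD DROP
  $iptables -P OUTPUT ACCEPT

  # Allow replies to connections we initiated. NOTE: this sits before the
  # blacklist, so a host added to the blacklist keeps any connection that was
  # already established until it closes; only new connections are refused.
  $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # This is our actual blacklist: tcp gets an RST, everything else an ICMP reject
  $iptables -A INPUT   -p tcp -m set --match-set blacklist src -j REJECT --reject-with tcp-reset
  $iptables -A INPUT          -m set --match-set blacklist src -j REJECT
  $iptables -A FORWARD -p tcp -m set --match-set blacklist src -j REJECT --reject-with tcp-reset
  $iptables -A FORWARD        -m set --match-set blacklist src -j REJECT

  # Allow apache (OUTPUT is ACCEPT by policy; these rules are kept for explicitness)
  $iptables -A INPUT  -p tcp --dport 80  -j ACCEPT
  $iptables -A OUTPUT -p tcp --dport 80  -j ACCEPT
  $iptables -A INPUT  -p tcp --dport 443 -j ACCEPT
  $iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

  # Allow ftp: control, active data, and the passive data range.
  # 12000:12049 must match the passive port range configured in the ftp daemon.
  $iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  $iptables -A INPUT -p tcp --dport 20 -j ACCEPT
  $iptables -A INPUT -p tcp --dport 12000:12049 -j ACCEPT

  # Access to localhost is ok
  $iptables -A INPUT -i lo -j ACCEPT

  # Allow ping and outgoing traceroute
  for t in echo-request echo-reply time-exceeded port-unreachable; do
    $iptables -A INPUT   -p icmp --icmp-type "$t" -j ACCEPT
    $iptables -A FORWARD -p icmp --icmp-type "$t" -j ACCEPT
  done

  # Respond with TCP-Reset to all unwanted connections. This is friendlier to
  # legitimate clients than the silent DROP policy, at the cost of telling a
  # scanner that a filtering host is present; non-tcp still falls to DROP.
  $iptables -A INPUT   -p tcp -j REJECT --reject-with tcp-reset
  $iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset

  echo "done."
  echo
}

# Open the firewall completely: flush chains and set every policy to ACCEPT.
# The blacklist ipset is deliberately left in place for a later reload.
firewall_stop() {
  firewall_flush
  echo -n "Resetting policies..."
  $iptables -P INPUT ACCEPT
  $iptables -P FORWARD ACCEPT
  $iptables -P OUTPUT ACCEPT
  echo "done."
}

case "$1" in
  start)
    build_blacklist
    firewall_start
    ;;
  stop)
    firewall_stop
    ;;
  restart)
    firewall_stop
    build_blacklist
    firewall_start
    ;;
  reload)
    firewall_stop
    # The --match-set rules fail to load when the set does not exist (e.g. first
    # run after boot without 'start'), which would silently leave the blacklist
    # out of the rule set. Build it only if it is missing.
    $ipset --list blacklist >/dev/null 2>&1 || build_blacklist
    firewall_start
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart|reload}" >&2
    echo "- {restart|start} will load both firewall and blacklist" >&2
    echo "- {reload} will only reload firewall but leave blacklist unchanged" >&2
    exit 1
    ;;
esac

exit 0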