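#!/bin/bash
#
# Gateway firewall for a two-interface host (outside = ppp0, inside = eth1).
#   1. reset every iptables table to a clean, open state,
#   2. set DROP default policies (IPv4 INPUT/FORWARD, all of IPv6),
#   3. add stateful, malformed-packet and anti-scan rules,
#   4. replace the blackhole routes for RFC1918/link-local destinations,
#   5. add the site's INPUT/FORWARD/MANGLE/NAT rules,
#   6. print the resulting FILTER and NAT tables.
# Must run as root.  Every iptables/ip6tables/ip call is best-effort: a
# failure is reported on stderr and counted, and the script exits non-zero
# at the end if any command failed, because a rule that silently did not
# load is a hole in the policy.  (set -e is not used for that reason: one
# failed rule must not stop the remaining rules from being applied.)
#
# For debug
#set -e  # Abort script when command exits with error
#set -x  # Print each command before it is executed (only for debugging)

# Site addresses/interfaces.
# NOTE(review): ppp0 addresses are usually dynamic; if $outside stops
# matching the live address, the "-d $outside" SSH rule below stops matching
# and remote access is lost -- confirm how this value is kept in sync.
readonly outside="11.11.11.11"
readonly inside="192.168.77.0/24"
readonly outside_interface="ppp0"
readonly inside_interface="eth1"

# Number of commands that failed so far (see warn/run).
failed=0

#######################################
# Print a progress line in the script's "[FIREWALL] = > " format.
# Arguments: message words
#######################################
log() {
  printf '[FIREWALL] = > %s\n' "$*"
}

#######################################
# Print a warning to stderr and count it towards the final exit status.
# Globals:   failed (written)
# Arguments: message words
#######################################
warn() {
  printf '[FIREWALL] = > WARNING: %s\n' "$*" >&2
  failed=$((failed + 1))
}

#######################################
# Print an error to stderr and exit.
# Arguments: message words
#######################################
die() {
  printf '[FIREWALL] = > ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Run a command and report (not abort on) failure, so a rule that does not
# load is visible instead of silently missing from the rule set.
# Arguments: the command and its arguments
#######################################
run() {
  "$@" || warn "'$*' failed"
}

# Short forms for the two firewall tools.
ipt() { run iptables "$@"; }
ipt6() { run ip6tables "$@"; }

#######################################
# Reset all tables to ACCEPT and flush/delete every chain.
# NOTE: between this reset and the rules loaded afterwards the host is
# briefly unfiltered; keep this script free of slow work.
#######################################
clean_rules() {
  log "Cleaning all iptables rules."
  ipt -P INPUT ACCEPT
  ipt -P FORWARD ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -t nat -P PREROUTING ACCEPT
  ipt -t nat -P POSTROUTING ACCEPT
  ipt -t nat -P OUTPUT ACCEPT
  ipt -t mangle -P PREROUTING ACCEPT
  ipt -t mangle -P OUTPUT ACCEPT
  ipt -F
  ipt -t nat -F
  ipt -t mangle -F
  ipt -X
  ipt -t nat -X
  ipt -t mangle -X
}

#######################################
# Default policies plus the stateful/loopback baseline.
#######################################
set_default_policy() {
  log "Set for INPUT FORWARD set default policy = DROP"
  ipt -P INPUT DROP
  ipt -P FORWARD DROP

  log "Set for INPUT FORWARD OUTPUT IPv6 set default policy = DROP"
  # Flush first: a leftover ACCEPT rule would match before the DROP policy
  # is consulted and quietly re-open IPv6.  This deliberately blocks all
  # IPv6 traffic, loopback included (no lo or ESTABLISHED rule is added).
  ipt6 -F
  ipt6 -X
  ipt6 -P INPUT DROP
  ipt6 -P FORWARD DROP
  ipt6 -P OUTPUT DROP

  # allow (ESTABLISHED RELATED)
  # -m state is the legacy spelling of -m conntrack --ctstate; kept as-is.
  log "Set for traffic ESTABLISHED,RELATED = ACCEPT"
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  log "For invalid INPUT OUTPUT FORWARD = DROP"
  ipt -A INPUT -m state --state INVALID -j DROP
  ipt -A FORWARD -m state --state INVALID -j DROP
  ipt -A OUTPUT -m state --state INVALID -j DROP
  log "Set for INPUT OUTPUT localhost = ACCEPT"
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
}

#######################################
# Policy-routing examples (disabled) and blackhole routes for private and
# link-local destinations, so such traffic never leaves via the default
# route.  The directly connected $inside /24 on $inside_interface is a more
# specific route and is not affected by the 192.168.0.0/16 blackhole.
#######################################
set_routes() {
  #
  # **** Adding rules routes to tables ****
  #
  #example#echo "[FIREWALL] = > Cleaning all route rules and tables."
  #example#ip route flush table 221 > /dev/null 2>&1
  #example#ip rule delete table 221 > /dev/null 2>&1
  #example#echo "[FIREWALL] = > Adding route rules and tables."
  #example#ip route add default via 10.48.5.2 table 221 # see OpenVPN conf 'up /etc/openvpn/ip_route.sh
  #example#ip rule add fwmark 0x05 table 221
  #example#echo "[FIREWALL] = > Printing route rules and tables."
  #example#ip route list table 221 | sed 's/^/[FIREWALL] = > /'
  #example#ip rule list | sed 's/^/[FIREWALL] = > /'

  #
  # **** Adding blackhole routes to tables ****
  #
  log "Deleting blackhole route for BOGON networks."
  # Remove every existing blackhole route first so the adds below start
  # from a clean slate (re-adding an existing route is an error).
  local net
  while IFS= read -r net; do
    [[ -n "$net" ]] || continue
    run ip route del blackhole "$net"
  done < <(ip route list | awk '$1 == "blackhole" { print $2 }')

  log "Adding blackhole route for BOGON networks."
  local bogon
  for bogon in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16; do
    run ip route add blackhole "$bogon"
  done
}

#######################################
# Malformed-packet, fragment and ICMP-probe rules that apply before any
# per-interface allow rule.
#######################################
add_sanity_rules() {
  log "Starting iptables."

  # Add new chain (LOGDROP) for debug
  #iptables -N LOGDROP
  #iptables -A LOGDROP -j LOG --log-prefix "iptables log: "
  #iptables -A LOGDROP -j DROP

  # mangle FORWARD MSS TCP fix
  ipt -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

  # deny INPUT FIRST packet has to be TCP SYN
  ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "deny INPUT FIRST packet has to be TCP SYN"
  # deny INPUT drop incoming fragments
  ipt -A INPUT -f -j DROP -m comment --comment "deny INPUT drop incoming fragments"
  # deny INPUT XMAS/NULL packets
  ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "deny INPUT XMAS packets"
  ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "deny INPUT NULL packets"
  # accept INPUT excessive RST packets to avoid smurf attacks
  ipt -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT -m comment --comment "accept INPUT excessive RST packets to avoid smurf attacks"
  # deny INPUT smurf attacks
  ipt -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP -m comment --comment "INPUT smurf attacks"
  ipt -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP -m comment --comment "INPUT smurf attacks"

  # DROP BOGON
  # The bogon rules live in a separate script; report if it cannot run,
  # otherwise the policy is loaded without them and nobody notices.
  if [[ -x /etc/network/firewall_bogon.sh ]]; then
    run /etc/network/firewall_bogon.sh
  else
    warn "/etc/network/firewall_bogon.sh missing or not executable, BOGON rules not loaded"
  fi
}

#######################################
# Per-interface INPUT allow rules.
#######################################
add_input_rules() {
  log "Adding rules for INPUT"
  # allow INPUT outside ---> ME (ICMP ping)
  ipt -A INPUT -i "$outside_interface" -p icmp -m state --state NEW -j ACCEPT
  # allow INPUT inside ---> ME
  # Everything from the LAN reaches this host's services; tighten to
  # specific ports if the LAN is not fully trusted.
  ipt -A INPUT -i "$inside_interface" -m state --state NEW -j ACCEPT
  # allow INPUT outside ---> ME (TCP SSH)
  ipt -A INPUT -i "$outside_interface" -m multiport -p tcp -d "$outside" --dports 22,422 -m state --state NEW -j ACCEPT
  # allow INPUT outside ---> ME (UDP 500,1701,4500) L2TP/IPsec
  #example#iptables -A INPUT -i $outside_interface -m multiport -p udp -d $outside --dports 500,1701,4500 -m state --state NEW -j ACCEPT
  # allow INPUT for Stunnel + OpenVPN XXX <---> XXX
  #example#iptables -A INPUT -i $outside_interface -m multiport -p tcp -s 33.33.33.33 -d $outside -m state --state NEW --dports 443 -j ACCEPT
  # allow INPUT via OVPN NLSRV ---> ME (ICMP)
  #example#iptables -A INPUT -i tun0 -p icmp -s 10.37.4.1 -d 10.37.4.2 -m state --state NEW -j ACCEPT
}

#######################################
# FORWARD rules, then the catch-all REJECT rules for NEW connections that
# no allow rule accepted (a clean refusal instead of a timeout; the DROP
# policy still covers anything these do not match).
#######################################
add_forward_rules() {
  log "Adding rules for FORWARD"
  # deny FORWARD inside -->> ouside (DNS traffic)
  ipt -A FORWARD -o "$outside_interface" -m multiport -p tcp -m state --state NEW --dport 53,953 -j DROP
  ipt -A FORWARD -o "$outside_interface" -m multiport -p udp -m state --state NEW --dport 53,953 -j DROP
  # deny FORWARD for some host -> outside
  #example#iptables -A FORWARD -o $outside_interface -s 192.168.77.3 -m state --state NEW -j DROP
  # allow FORWARD from inside|VPN ---> inside|VPN
  #example#iptables -A FORWARD -i $inside_interface -o tunTR -s $inside -m state --state NEW -j ACCEPT
  #example#iptables -A FORWARD -i tunTR -o $inside_interface -s 192.168.98.0/24 -m state --state NEW -j ACCEPT
  # allow FORWARD outside -->> inside (DNAT) TCP 3389 -->> 192.168.77.25 TCP 3389
  #example##iptables -A FORWARD -i $outside_interface -o $inside_interface -m multiport -p tcp -s 99.99.99.99 -d 192.168.77.25 --dports 3389 -m state --state NEW -j ACCEPT
  #example##iptables -A FORWARD -i $outside_interface -o $inside_interface -m multiport -p udp -s 99.99.99.99 -d 192.168.77.25 --dports 3389 -m state --state NEW -j ACCEPT
  # allow FORWARD from insdie ---> outside (SNAT)
  #iptables -A FORWARD -i $inside_interface -o $outside_interface -s $inside -m state --state NEW -j ACCEPT

  # deny INPUT outside -->> ME (Block scan port)
  ipt -A INPUT -m multiport -p tcp --dports 1:65535 -m state --state NEW -j REJECT --reject-with tcp-reset
  ipt -A INPUT -m multiport -p udp --dports 1:65535 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
  # deny FORWARD (Block scan port)
  ipt -A FORWARD -m multiport -p tcp --dports 1:65535 -m state --state NEW -j REJECT --reject-with tcp-reset
  ipt -A FORWARD -m multiport -p udp --dports 1:65535 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
}

#######################################
# MANGLE (policy-routing marks) and NAT rules; all site examples disabled.
#######################################
add_mangle_nat_rules() {
  log "Adding rules for MANGLE table"
  # For routing to OVPN tunnel NLVPN tun1
  #example## for mark route#iptables -A PREROUTING -i $inside_interface -t mangle -p tcp -s 192.168.77.25 --sport 3389 -d 94.198.195.220 -j MARK --set-mark 0x05
  #example## for mark route#iptables -A PREROUTING -i $inside_interface -t mangle -p udp -s 192.168.77.25 --sport 3389 -d 94.198.195.220 -j MARK --set-mark 0x05
  #example#iptables -A PREROUTING -i $inside_interface -t mangle -s 192.168.77.3 ! -d 192.168.98.0/24 -j MARK --set-mark 0x05

  #
  # **** NAT ****
  #
  # echo "[FIREWALL] = > Adding rules for SNAT"
  #iptables -t nat -A POSTROUTING -o $outside_interface -s $inside -j SNAT --to-source $outside
  # echo "[FIREWALL] = > Adding rules for DNAT"
  #iptables -t nat -A PREROUTING -i $outside_interface -p tcp -m tcp -s 99.99.99.99 -d $outside --dport 3389 -j DNAT --to-destination 192.168.77.25:3389
  #iptables -t nat -A PREROUTING -i $outside_interface -p udp -m udp -s 99.99.99.99 -d $outside --dport 3389 -j DNAT --to-destination 192.168.77.25:3389
  #
  # **** NAT ****
  #
}

#######################################
# Print the FILTER and NAT tables, prefixed like every other log line.
#######################################
list_rules() {
  local bar="====================================================================================="
  log "List all iptables rules."
  log "$bar"
  log "= List FILTER table rules ="
  log "$bar"
  iptables -L -n -v --line-numbers | sed 's/^/[FIREWALL] = > /'
  log "$bar"
  log "= List NAT table rules ="
  log "$bar"
  iptables -t nat -L -n -v --line-numbers | sed 's/^/[FIREWALL] = > /'
  log "$bar"
}

#######################################
# Entry point.
# Returns: 0 if every command succeeded, 1 if any rule or route failed.
#######################################
main() {
  # Nothing below works without root; fail early instead of printing a
  # wall of permission errors while leaving the old rule set in place.
  (( EUID == 0 )) || die "must be run as root"

  log "Enable IP Forwarding."
  printf '1\n' > /proc/sys/net/ipv4/ip_forward || warn "cannot enable IP forwarding"

  clean_rules

  log "Outside IP = $outside on inteface = $outside_interface"
  log "Inside IP = $inside on inteface = $inside_interface"

  set_default_policy
  set_routes
  add_sanity_rules
  add_input_rules
  add_forward_rules
  add_mangle_nat_rules
  list_rules

  if (( failed > 0 )); then
    printf '[FIREWALL] = > WARNING: %d command(s) failed, rule set is incomplete\n' "$failed" >&2
    log "Done."
    return 1
  fi
  log "Done."
}

main "$@"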