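#!/bin/bash
# Basic firewall for a Virtuozzo based VPS.
# Based on work by Dmitry Konstantinov of sw-soft
# http://vpsinfo.nixhost.net/firewall.htm
#
# Usage: firewall {start|stop|restart|status}
#
# Policy: INPUT/OUTPUT/FORWARD default to DROP; only the listed services
# (SSH, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, HTTP/HTTPS, a few ICMP types)
# are accepted inbound for each address the host owns, and all outbound
# traffic sourced from those addresses is allowed.
#
# Requires root (iptables). The path to iptables may be overridden through
# the IPTABLES environment variable.
set -u

IPTABLES="${IPTABLES:-/sbin/iptables}"
readonly IPTABLES

# Ports accepted inbound on every server address (TCP).
readonly ACCEPT_TCP_PORTS="22 25 465 110 995 143 993 80 443"
# ICMP types accepted inbound: echo-reply, destination-unreachable,
# echo-request, time-exceeded.
readonly ACCEPT_ICMP_TYPES="0 3 8 11"

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print the host's non-loopback IPv4 addresses, one per line.
#
# Prefers iproute2 (`ip -4 -o addr`), falling back to ifconfig, and parses
# both the legacy "inet addr:A.B.C.D" and the newer "inet A.B.C.D" formats.
# The original `grep inet | cut -d : -f 2` pipeline silently yields garbage
# (or nothing) on modern ifconfig output, which with a DROP policy means
# no SSH ACCEPT rule and a locked-out administrator.
# Outputs: addresses on stdout (may be empty)
#######################################
server_ips() {
  local found=""
  if command -v ip >/dev/null 2>&1; then
    found=$(ip -4 -o addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }')
  fi
  if [[ -z "${found}" && -x /sbin/ifconfig ]]; then
    # "inet " (with trailing space) excludes "inet6" lines.
    found=$(/sbin/ifconfig | awk '/inet / { sub(/^addr:/, "", $2); print $2 }')
  fi
  printf '%s\n' "${found}" | grep -v '^127\.' | grep -v '^$' | sort -u
}

#######################################
# Set a chain's default policy to DROP, then flush its rules.
# The policy is changed first so there is no window with an ACCEPT policy
# and an empty rule set while the firewall is being (re)built.
# Arguments: $1 - chain name (INPUT, OUTPUT, FORWARD)
#######################################
initialize() {
  local chain="$1"
  "${IPTABLES}" -P "${chain}" DROP
  "${IPTABLES}" -F "${chain}"
}

#######################################
# Flush a chain's rules and set its default policy to ACCEPT (firewall off).
# Arguments: $1 - chain name
#######################################
stop() {
  local chain="$1"
  "${IPTABLES}" -F "${chain}"
  "${IPTABLES}" -P "${chain}" ACCEPT
}

#######################################
# Accept replies to connections the host initiated.
#
# Stateful matching is used when the kernel provides it. On kernels without
# the state match (some older Virtuozzo containers) the original stateless
# rules are installed instead; note that these accept ANY UDP datagram and
# any non-SYN TCP segment to ports 1024-65535, so services listening on
# high ports (databases, caches, ...) are reachable from the network and
# TCP ACK scans are not blocked. Bind such services to localhost or add
# explicit DROP rules above this one if you must rely on the fallback.
#######################################
accept_replies() {
  if "${IPTABLES}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; then
    return 0
  fi
  printf 'firewall: warning: state match unavailable, using stateless high-port rules\n' >&2
  "${IPTABLES}" -A INPUT -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
  "${IPTABLES}" -A INPUT -p udp -m udp --dport 1024:65535 -j ACCEPT
}

#######################################
# Build the complete rule set.
# Globals: IPTABLES, ACCEPT_TCP_PORTS, ACCEPT_ICMP_TYPES
# Exits non-zero (before touching any chain) if no server address can be
# determined, since a DROP policy without an SSH rule would lock us out.
#######################################
start() {
  local -a ips=()
  local addr port icmp_type
  mapfile -t ips < <(server_ips)
  if (( ${#ips[@]} == 0 )); then
    die "could not determine any server IP address; refusing to start (would lock out SSH)"
  fi

  initialize INPUT
  initialize OUTPUT
  initialize FORWARD

  #########
  # INPUT #
  #########
  # Loopback: accept on lo, drop loopback addresses arriving on any other interface (anti-spoof).
  "${IPTABLES}" -A INPUT -i lo -j ACCEPT
  "${IPTABLES}" -A INPUT -d 127.0.0.0/8 -j DROP

  for addr in "${ips[@]}"; do
    for port in ${ACCEPT_TCP_PORTS}; do
      "${IPTABLES}" -A INPUT -p tcp -d "${addr}" --dport "${port}" -j ACCEPT
    done
    for icmp_type in ${ACCEPT_ICMP_TYPES}; do
      "${IPTABLES}" -A INPUT -p icmp -d "${addr}" --icmp-type "${icmp_type}" -j ACCEPT
    done
  done

  accept_replies
  # Everything else is denied by the DROP policy.

  ##########
  # OUTPUT #
  ##########
  "${IPTABLES}" -A OUTPUT -o lo -j ACCEPT
  "${IPTABLES}" -A OUTPUT -s 127.0.0.0/8 -j DROP
  # All outgoing traffic from our own addresses.
  for addr in "${ips[@]}"; do
    "${IPTABLES}" -A OUTPUT -s "${addr}" -j ACCEPT
  done
}

#######################################
# Entry point: dispatch on the command-line verb.
# Arguments: $1 - start|stop|restart|status
# Returns: exits 1 on unknown verb or when not running as root
#######################################
main() {
  local verb="${1:-}"
  case "${verb}" in
    start|restart)
      [[ "${EUID}" -eq 0 ]] || die "must be run as root"
      start
      ;;
    stop)
      [[ "${EUID}" -eq 0 ]] || die "must be run as root"
      # Turn off the firewall, flush all rules.
      echo "Flushing rulesets.."
      stop INPUT
      stop OUTPUT
      stop FORWARD
      ;;
    status)
      # List rules; -n avoids DNS lookups, -v shows interfaces and counters.
      "${IPTABLES}" -nvL --line-numbers
      ;;
    *)
      echo "Usage: firewall {start|stop|restart|status}"
      exit 1
      ;;
  esac
  exit 0
}

main "$@"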