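#!/bin/sh
#
# iptables firewall script
# written and copied by Pekka "PQ" Paalanen
# I used Iptables Tutorial 1.1.13 as a base.
# http://iptables-tutorial.haringstad.com/iptables-tutorial.html
#
# This is designed for a single host with no local network.
#
# Usage: run as root.  Every value in the "configs" section can be
# overridden from the environment, e.g.  INET_IFACE=eth1 ./firewall.sh
#
# Any failing iptables command aborts the script (set -e) so that a
# half-built ruleset is reported on stderr instead of being silently
# ignored.  The built-in chain policies are switched to DROP before the
# chains are rebuilt, so an abort leaves the host closed, not open.

set -eu

## configs ->

# internet interface, uses DHCP
INET_IFACE="${INET_IFACE:-eth0}"

# local loopback
LO_IFACE="${LO_IFACE:-lo}"
LO_IP="${LO_IP:-127.0.0.1}"   # not referenced by any rule below

# who are allowed to connect to our identd
IDENT_MASK="${IDENT_MASK:-192.89.123.0/24}"

## <- configs

# executable
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Load the netfilter modules the rules below rely on.
# modprobe is best-effort on purpose: where a module is built into the
# kernel or has a different name, the call fails although the feature is
# available, so a failure only prints a warning and the rules are still
# applied (the same outcome as the original unchecked calls).
load_modules() {
  for mod in ip_conntrack ip_tables iptable_filter ipt_LOG ipt_limit \
             ipt_REJECT ip_conntrack_ftp ip_conntrack_irc; do
    /sbin/modprobe "$mod" || printf 'warning: modprobe %s failed\n' "$mod" >&2
  done
  #/sbin/modprobe iptable_mangle
  #/sbin/modprobe iptable_nat
}

# Default-deny on every built-in chain, then wipe the filter table and
# recreate the user-defined chains.  Policies are set before the flush so
# that the rebuild window is closed rather than open.
reset_filter_table() {
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  "$IPTABLES" -F
  "$IPTABLES" -X

  "$IPTABLES" -N bad_tcp
  "$IPTABLES" -N tcp_in
  "$IPTABLES" -N allowed
  "$IPTABLES" -N udp_in
  "$IPTABLES" -N icmp_in
  "$IPTABLES" -N igmp_in
}

# Append a rate-limited LOG rule and a DROP rule to bad_tcp for one
# TCP flag combination.
#   $1 - flag mask   $2 - flags that must be set
#   $3 - log level   $4 - log prefix
drop_tcp_flags() {
  "$IPTABLES" -A bad_tcp -p tcp --tcp-flags "$1" "$2" \
    -m limit --limit 5/minute -j LOG --log-level "$3" --log-prefix "$4"
  "$IPTABLES" -A bad_tcp -p tcp --tcp-flags "$1" "$2" -j DROP
}

#
# bad_tcp chain
#
build_bad_tcp() {
  # NEW connections must start with a SYN.  The LOG rule is rate
  # limited like every other LOG rule in this script so that a remote
  # sender cannot flood the log with crafted non-SYN packets.
  "$IPTABLES" -A bad_tcp -p tcp ! --syn -m state --state NEW \
    -m limit --limit 5/minute -j LOG --log-prefix "New not syn: "
  "$IPTABLES" -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP

  # these are from Gentoo Security Guide example ->
  drop_tcp_flags ALL     FIN,URG,PSH             alert "NMAP-XMAS: "
  drop_tcp_flags ALL     ALL                     1     "XMAS: "
  drop_tcp_flags ALL     SYN,RST,ACK,FIN,URG     1     "XMAS-PSH: "
  drop_tcp_flags ALL     NONE                    1     "NULL_SCAN: "
  drop_tcp_flags SYN,RST SYN,RST                 5     "SYN/RST: "
  drop_tcp_flags SYN,FIN SYN,FIN                 5     "SYN/FIN: "
  # <-
}

#
# allowed chain
#
# Reached only for services tcp_in decides to expose.  New connections
# are accepted at most 1 SYN/second (module default burst); SYNs above
# that rate, and anything that is not a SYN, are logged and dropped.
# This damps brute forcing but also means a legitimate burst of
# connections is throttled.
#
build_allowed() {
  "$IPTABLES" -A allowed -p tcp -m limit --limit 1/second --syn -j ACCEPT
  "$IPTABLES" -A allowed -p tcp -m limit --limit 5/minute \
    -j LOG --log-level 5 --log-prefix "allowed TCP invalid: "
  "$IPTABLES" -A allowed -p tcp -j DROP
}

#
# TCP rules
#
# ssh from anywhere, ident only from IDENT_MASK; everything else is
# logged, then rejected with port-unreachable (rate limited) or dropped.
#
build_tcp_in() {
  "$IPTABLES" -A tcp_in -p tcp --dport ssh -j allowed
  "$IPTABLES" -A tcp_in -p tcp -s "$IDENT_MASK" --dport ident -j allowed
  "$IPTABLES" -A tcp_in -p tcp -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "tcp knocked: "
  "$IPTABLES" -A tcp_in -p tcp -m limit --limit 2/second \
    -j REJECT --reject-with icmp-port-unreachable
  "$IPTABLES" -A tcp_in -p tcp -j DROP
}

#
# UDP ports
#
build_udp_in() {
  # The commented examples below name a chain "udpincoming_packets" that
  # does not exist in this script; change it to udp_in before enabling
  # any of them.  Replies to our own DNS/NTP queries already pass the
  # ESTABLISHED,RELATED rule in INPUT.
  # - accept name server packets:
  #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --sport 53 -j ACCEPT
  # - accept DHCP packets:
  #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --sport 67:68 --dport 67:68 -j ACCEPT
  # - for ntp:
  #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
  # - for icq:
  # NOTE(review): this accepts ANY UDP packet whose *source* port is 4000,
  # to ANY local port, from ANY host.  The source port is chosen by the
  # sender, so this is an unauthenticated opening into every UDP service
  # on the host.  Replies to outbound ICQ traffic would already match
  # ESTABLISHED,RELATED; consider removing this rule or restricting it
  # with --dport.
  "$IPTABLES" -A udp_in -p udp --source-port 4000 -j ACCEPT
  "$IPTABLES" -A udp_in -p udp -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "udp knocked: "
  "$IPTABLES" -A udp_in -p udp -j DROP
}

#
# ICMP rules
#
build_icmp_in() {
  # - allow echo request (ping).  Not rate limited; add -m limit here if
  #   ping floods are a concern.
  "$IPTABLES" -A icmp_in -p icmp --icmp-type 8 -j ACCEPT
  # - allow TTL equals 0 during transit and TTL equals 0 during
  #   reassembly (traceroute):
  "$IPTABLES" -A icmp_in -p icmp --icmp-type 11 -j ACCEPT
  # other ICMP messages should come through conntrack
}

#
# IGMP rules
#
build_igmp_in() {
  # - allow all IGMP messages (unconditionally, also from the internet
  #   interface; a host that does not use multicast could drop these).
  "$IPTABLES" -A igmp_in -p igmp -j ACCEPT
}

#
# INPUT chain
#
build_input() {
  "$IPTABLES" -A INPUT -m state --state INVALID -j DROP

  # Let ESTABLISHED and RELATED go right through.  Only matched on the
  # internet interface; loopback is accepted wholesale below.
  "$IPTABLES" -A INPUT -p all -i "$INET_IFACE" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Bad TCP packets we don't want.  Placed after the ESTABLISHED rule,
  # so only new/untracked TCP is inspected.
  "$IPTABLES" -A INPUT -p tcp -j bad_tcp

  # Rules for special networks not part of the Internet
  "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -j ACCEPT

  # Rules for incoming packets from the internet.
  "$IPTABLES" -A INPUT -p tcp  -i "$INET_IFACE" -j tcp_in
  "$IPTABLES" -A INPUT -p udp  -i "$INET_IFACE" -j udp_in
  "$IPTABLES" -A INPUT -p icmp -i "$INET_IFACE" -j icmp_in
  "$IPTABLES" -A INPUT -p igmp -i "$INET_IFACE" -j igmp_in

  # Log weird packets that don't match the above; the policy DROP
  # then discards them.
  "$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
}

#
# FORWARD chain
#
# the default DROP is good for me

#
# OUTPUT chain
#
build_output() {
  # Bad TCP packets we don't want.
  "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp

  # accept everything going out
  # You could prevent your own computer from spoofing source IP's, but
  # that would require our own IP address, and we use DHCP.
  "$IPTABLES" -A OUTPUT -p all -j ACCEPT
}

main() {
  [ "$(id -u)" -eq 0 ] || die "this script must be run as root"
  [ -x "$IPTABLES" ] || die "$IPTABLES is not executable"

  load_modules
  reset_filter_table
  build_bad_tcp
  build_allowed
  build_tcp_in
  build_udp_in
  build_icmp_in
  build_igmp_in
  build_input
  build_output
}

main "$@"

### There should be nothing in the nat and mangle tables.
### (Not enforced by this script: only the filter table is flushed.)

# THE END #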