#!/bin/sh
# Server.firewall - Version 2.3
# This script configures the firewall and saves the results.
# H.V. Sparks, July 2007 

# Devices

	netDev=eth0
	lanDev=eth1

# Hosts

	thisServer=192.168.0.2
	otherServer=192.168.1.3
		
# Kernel flags
	
	echo 1 > /proc/sys/net/ipv4/ip_forward
	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
	# For Dynamic PPP: echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Flush all tables

	iptables -t filter -F
	iptables -t filter -X
	iptables -t filter -Z
	iptables -t nat    -F
	iptables -t nat    -X
	iptables -t nat    -Z
	iptables -t mangle -F
	iptables -t mangle -X
	iptables -t mangle -Z
	
# Set default policies
	
	iptables -t filter -P INPUT DROP
	iptables -t filter -P FORWARD DROP
	iptables -t filter -P OUTPUT ACCEPT 
	iptables -t nat    -P PREROUTING ACCEPT
	iptables -t nat    -P POSTROUTING ACCEPT
	iptables -t nat    -P OUTPUT ACCEPT
	iptables -t mangle -P PREROUTING ACCEPT
	iptables -t mangle -P OUTPUT ACCEPT
	
# Chain for bad tcp packets

	iptables -N badTCP

	# Stop sequence prediction attacks
	iptables -A badTCP -p tcp --tcp-flags SYN,ACK SYN,ACK -m state \
		--state NEW -j REJECT --reject-with tcp-reset
		
	# Drop new packets that are not connection requests
	iptables -A badTCP -p tcp ! --syn -m state --state NEW -j DROP

# Blocklist to deal with "special people" 

	iptables -N blockList
	
	for ip in `<blocklist.txt`; do
		iptables -A blockList -i $netDev -s $ip -j DROP 
	done

# Allowed TCP connections

	iptables -N tcpAllow
	iptables -A tcpAllow -p tcp -j badTCP
	iptables -A tcpAllow -p tcp --dport ssh    -j ACCEPT 
	iptables -A tcpAllow -p tcp --dport http   -j ACCEPT 
	iptables -A tcpAllow -p tcp --dport https  -j ACCEPT
	iptables -A tcpAllow -p tcp --dport domain -j ACCEPT
	iptables -A tcpAllow -p tcp --dport smtp   -j ACCEPT
	iptables -A tcpAllow -p tcp --dport smtps  -j ACCEPT
	iptables -A tcpAllow -p tcp --dport imaps  -j ACCEPT
	iptables -A tcpAllow -p tcp --dport 3784   -j ACCEPT
	iptables -A tcpAllow -p tcp -j REJECT --reject-with tcp-reset

	# Don't forget to move these above the REJECT
	# iptables -A tcpAllow -p tcp --dport ftp    -j ACCEPT
	# iptables -A tcpAllow -p tcp --dport imaps  -j ACCEPT
	# iptables -A tcpAllow -p tcp --dport pop3   -j ACCEPT
	# iptables -A tcpAllow -p tcp --dport pop3s  -j ACCEPT
	# iptables -A tcpAllow -p tcp --dport telnet -j ACCEPT
	# TCP 3784 is for "Ventrilo" WoW voice server

# Allowed UDP packets

	iptables -N udpAllow
	iptables -A udpAllow -p udp --dport domain -j ACCEPT
	
# Allowed icmp packets

	iptables -N icmpAllow
	iptables -A icmpAllow -p icmp --icmp-type echo-request  -j ACCEPT
	iptables -A icmpAllow -p icmp --icmp-type time-exceeded -j ACCEPT

# Main firewall configuration

	iptables -A INPUT -i lo -j ACCEPT
	iptables -A INPUT -i $lanDev -j ACCEPT
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	
	iptables -A INPUT -i $netDev -j blockList 
	iptables -A INPUT -i $netDev -p tcp  -j tcpAllow
	iptables -A INPUT -i $netDev -p udp  -j udpAllow
	iptables -A INPUT -i $netDev -p icmp -j icmpAllow
		
# Network address translation
	
	# SNAT is preferred over MASQUERADE if $netDev is constant
	
	iptables -t nat -A POSTROUTING -o $netDev \
		-j SNAT --to-source $thisServer

# Forwarding 

	# Packets that arrive on the server with destinations
	# on other hosts do not pass through the INPUT chain.
	# They go directly to FORWARD:

	iptables -A FORWARD -p tcp -j badTCP
	iptables -A FORWARD -i $lanDev -j ACCEPT
	iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

	# The packets accepted by FORWARD are determined by the
	# moveTo() function. See below.
		
# Support servers on other hosts

	moveTo() 
	{   target=$1
	    proto=$2
	    shift 2
	    for port in $@ ; do
	        iptables -t nat -A PREROUTING -i $netDev -p $proto \
	            --dport $port -j DNAT --to-destination $target:$port
	        iptables -A FORWARD -i $netDev -p $proto \
	            --dport $port -d $target -j ACCEPT
	    done
	}
	
	# BitTorrent
	moveTo $otherServer tcp 6881 6882 6883 6884 6885 6886 6887 6888 6889

	# Blizzard Downloader
	moveTo $otherServer tcp 3724 3724 
	moveTo $otherServer tcp 6112 6112

	# MSN
	# moveTo $otherServer tcp 1863 6901
	# moveTo $otherServer udp 1863 5190 6901

	# Windows remote desktop
	# moveTo $otherServer tcp 3389

# Example of logging:

	# Use the rule: -j LOG --log-prefix "A prefix:"

# Save the firewall settings

	service iptables save
	
# EOF