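#!/bin/bash
#
# Stand-alone host firewall: loads the netfilter modules, hardens the IPv4
# sysctls, then builds the iptables ruleset for a single Linux box.
#
# main code is from Ziegler's book "Linux Firewalls":
# "optimized code for stand-alone firewall"
#
# modified from our gateway firewall script to use it only on stand-alone Linux.
# OUTPUT chain has default policy "accept".
# So all the rules below are about allowing some input ports.
#
# Must run as root. The ruleset is flushed and rebuilt from scratch, so the
# script can simply be re-run after editing. Set EXT_IPADDR before first use.
#
# First Date: Oct. 11th, 2002
#################################################################

# Everything below writes to /proc/sys and to the kernel's netfilter tables.
# Without root every command fails, and the script used to print one
# permission error per line and still exit 0 -- refuse early instead.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Load Modules
# NOTE(review): on kernels 2.6.20 and later the conntrack modules are named
# nf_conntrack / nf_conntrack_ftp; modprobe failures are not checked here,
# so confirm the module names against the target kernel.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp           # FTP helper: FTP data connections are tracked as RELATED
modprobe ipt_state
modprobe iptable_filter

EXT_IF="eth0"                       # network interface to the external: 128.119.x.x
LOOPBACK_INTERFACE="lo"             # however your system names it
EXT_IPADDR="x.x.x.x"                # static allocated IP address (EDIT before use)

CLASS_A="10.0.0.0/8"                # class A private networks
CLASS_B="172.16.0.0/12"             # class B private networks
CLASS_C="192.168.0.0/16"            # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"     # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"  # class E reserved addresses
BROADCAST_SRC="0.0.0.0"             # broadcast source address
BROADCAST_DEST="255.255.255.255"    # broadcast destination address
PRIVPORTS="0:1023"                  # well-known, privileged port range
UNPRIVPORTS="1024:65535"            # unprivileged port range
IMAP4SSL_PORT="993"

# The anti-spoofing OUTPUT rule later in the script is built from EXT_IPADDR.
# With the placeholder still in place that one iptables call fails and, since
# no exit status is checked, the host would quietly run without it. Warn
# loudly but carry on: the rest of the ruleset is still worth applying.
if [[ -z "$EXT_IPADDR" || "$EXT_IPADDR" == "x.x.x.x" ]]; then
  printf '%s: EXT_IPADDR is still the placeholder "%s"; the anti-spoofing OUTPUT rule will not be installed\n' \
    "${0##*/}" "$EXT_IPADDR" >&2
fi

###############################################################
# Kernel-side hardening. The per-interface knobs live under
# /proc/sys/net/ipv4/conf/<iface>/, so each is written in a loop over the glob.

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$f"
done

# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.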
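for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# Do not log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 0 > "$f"
done

###############################################################
# iptables is needed for everything that follows; stop here rather than emit
# one "command not found" per rule and leave the previous ruleset in place.
command -v iptables >/dev/null 2>&1 || {
  printf '%s: iptables not found in PATH\n' "${0##*/}" >&2
  exit 1
}

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback interface
iptables -A INPUT  -i "$LOOPBACK_INTERFACE" -j ACCEPT
iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# Set the default policy to drop: nothing comes in or is forwarded unless a
# rule below allows it; outbound is open because this is a stand-alone host.
# Between the --flush above and the INPUT DROP below the chain is empty under
# whatever policy was in force before, so keep this section short.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT

iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

###############################################################
# Using Connection State to By-pass Rule Checking
# Packets belonging to a tracked connection (or related to one, e.g. FTP data
# or ICMP errors) are accepted first, so the per-service rules below only
# ever see the first packet of a new connection.
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot classify are dropped outright
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

###############################################################
# Stealth Scans and TCP State Flags
# "--tcp-flags MASK COMP" examines the MASK bits and matches when exactly COMP
# is set among them; every combination below is impossible in normal TCP.

# All of the bits are cleared (NULL scan)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN together with FIN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN together with RST
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN together with RST
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN, PSH or URG without the ACK that any mid-connection segment carries
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP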
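###############################################################
# Source Address Spoofing and Other Bad Addresses

# Nothing may leave this host claiming a source address other than its own.
# "! -s" is the negation form that current iptables accepts without the
# "intrapositioned negation is deprecated" warning. Report a failed install
# instead of ignoring it (the usual cause is EXT_IPADDR left unset).
iptables -A OUTPUT ! -s "$EXT_IPADDR" -j DROP ||
  printf '%s: anti-spoofing OUTPUT rule not installed (is EXT_IPADDR set?)\n' "${0##*/}" >&2

# Only UDP is legitimate towards a multicast destination
iptables -A INPUT ! -p udp -d "$CLASS_D_MULTICAST" -j DROP

##############################################################
# ICMP Control and Status Messages

# allow incoming pings from anywhere
# NOTE(review): not rate-limited; add "-m limit" here if ping floods are a
# concern on this host.
iptables -A INPUT -p icmp --icmp-type echo-request -d "$EXT_IPADDR" \
  -m state --state NEW -j ACCEPT

# Drop ICMP fragments. "--fragment" matches the second and later fragments of
# a fragmented datagram; the first fragment, which carries the ICMP header,
# is the one the type-specific rules around here see.
iptables -A INPUT -p icmp --fragment -j DROP

# Error / control messages a stand-alone host needs to receive
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT  # path-MTU discovery

# Intermediate traceroute responses
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

###############################################################
# Accept the following input requests and ports
#
# Each service rule matches only NEW connections arriving from an
# unprivileged source port; reply traffic is already accepted by the
# ESTABLISHED,RELATED rule installed earlier.
###############################################################

# reject outside AUTH request (ident, TCP 113) with a RST rather than
# silently dropping it, so peers that probe ident get an immediate answer
# instead of waiting for a timeout.
iptables -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 113 \
  -j REJECT --reject-with tcp-reset

###############################################################
# Accept SMTP, IMAPS from outside.
iptables -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 25 \
  -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport "$IMAP4SSL_PORT" \
  -m state --state NEW -j ACCEPT

###############################################################
# accept outside ssh (TCP Port 22)
# NOTE(review): reachable from any source address; add "-s <management net>"
# if the host is not meant to accept ssh from everywhere.
iptables -A INPUT -p tcp --sport "$UNPRIVPORTS" --dport 22 \
  -m state --state NEW -j ACCEPT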