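#!/bin/bash
# Autor: MrFirewall
# Version: 0.1
# Date: 2020-05
# this script is used for basic init of firewall
# iptables single-host firewall script
#
# Usage: run as root (e.g. from a boot or network-up hook). No arguments.
# Resulting policy: INPUT and FORWARD default DROP, OUTPUT ACCEPT; only the
# loopback interface, replies to host-initiated connections, a few ICMP
# types and the explicitly listed services (SSH, HTTP/HTTPS) are accepted.
#
# Change against the original 0.1 layout: the ACCEPT rules for SSH and
# HTTP/HTTPS were appended *after* '-p tcp --syn -j DROP'. iptables is
# first-match, so every new connection to those ports was dropped and the
# service rules could never match. Following the author's own note, that
# rule is replaced by the "a NEW connection must start with SYN" check,
# which is placed before the service rules.

set -Eeuo pipefail

readonly LOG_FILE="/var/log/firewall.log"

# Define multiple network interfaces
# this connects to user's local network (LAN)
# shellcheck disable=SC2034  # only referenced by the optional rules below
readonly lan0="enp3s0"
# this connects to user's internet router (WAN, internet)
# shellcheck disable=SC2034  # only referenced by the optional rules below
readonly wan0="enp2s0"
# if available
# wifi="wlp3s0"

# Print a message on stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Under strict mode a failing iptables call aborts the script; make sure the
# operator can see which call it was instead of silently ending up with a
# partially installed rule set.
trap 'printf "firewall: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

#######################################
# Append a start marker to the log.
# Logging must never prevent the rules from being installed, so a write
# failure is only reported on stderr.
# Globals:   LOG_FILE (read)
#######################################
log_start() {
  printf '%s\n' "firewall started on: $(date '+%Y-%m-%d-%H:%M:%S')" >> "$LOG_FILE" \
    || printf 'warning: cannot write to %s\n' "$LOG_FILE" >&2
}

# Run iptables with the given arguments; $ipt is resolved once in main.
fw() { "$ipt" "$@"; }

#######################################
# Flush all rules, delete all user chains and zero all counters in the
# filter, nat and mangle tables, because it is best to start up cleanly.
#######################################
reset_tables() {
  local table
  fw -F
  fw -X
  fw -Z
  for table in nat mangle; do
    fw -t "$table" -F
    fw -t "$table" -X
    fw -t "$table" -Z
  done
}

#######################################
# Default policies: deny all incoming and forwarded traffic, unrestricted
# outgoing. Set before the rules so nothing slips in while the chains are
# still empty. Note the trade-off: an abort between here and base_rules
# leaves the host closed (also for SSH), which is the safer failure mode.
#######################################
set_policies() {
  fw -P INPUT DROP
  fw -P FORWARD DROP
  fw -P OUTPUT ACCEPT
  fw -t nat -P OUTPUT ACCEPT
  fw -t nat -P PREROUTING ACCEPT
  fw -t nat -P POSTROUTING ACCEPT
  fw -t mangle -P PREROUTING ACCEPT
  fw -t mangle -P POSTROUTING ACCEPT
}

#######################################
# Rules every host needs regardless of which services it exposes.
#######################################
base_rules() {
  local icmp_type

  # Required for the loopback interface
  fw -A INPUT -i lo -j ACCEPT

  # Allow return connections initiated from the host.
  # First in the chain because it matches the bulk of the packets.
  # If this rule does not work because you have an ancient iptables
  # version (e.g. on a hosting service), use the older variation:
  #   fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # A new TCP connection must begin with a SYN; any other packet that
  # conntrack classifies as NEW is dropped. This is the check the original
  # comments recommend once services are opened, and it replaces
  # '-p tcp --syn -j DROP', which would also drop the SYNs for the
  # services accepted in service_rules.
  fw -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

  # Accept important ICMP packets. It is not a good idea to completely
  # disable ping; networking depends on ping.
  for icmp_type in echo-request time-exceeded destination-unreachable; do
    fw -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
}

#######################################
# Optional: services reachable from outside. Adjust port numbers as
# needed for the setup. Anything not listed here still hits the INPUT
# DROP policy. The commented rules show how to narrow a service to an
# interface or a source network (192.0.2.0/24 is a documentation range;
# substitute the real LAN prefix).
#######################################
service_rules() {
  # Allow logging in via SSH (reachable on every interface)
  fw -A INPUT -p tcp --dport 22 -j ACCEPT

  # Restrict incoming SSH to a specific network interface
  # fw -A INPUT -i "$wan0" -p tcp --dport 22 -j ACCEPT

  # Restrict incoming SSH to the local network
  # fw -A INPUT -i "$wan0" -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT

  # Allow external access to the HTTP server on both HTTP and HTTPS
  fw -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT

  # Allow external access to unencrypted mail server, SMTP,
  # IMAP, and POP3.
  # fw -A INPUT -p tcp -m multiport --dport 25,110,143 -j ACCEPT

  # Local name server should be restricted to local network
  # (the TCP rule needs '-m tcp'; the original had '-m udp' by mistake)
  # fw -A INPUT -p udp -m udp -s 192.0.2.0/24 --dport 53 -j ACCEPT
  # fw -A INPUT -p tcp -m tcp -s 192.0.2.0/24 --dport 53 -j ACCEPT
}

#######################################
# Entry point: sanity checks, then install the rule set top to bottom.
# Globals:   ipt (written) - path of the iptables binary
#######################################
main() {
  (( EUID == 0 )) || die "firewall: must be run as root"
  # An empty $ipt would have made the original run '-F' as a command;
  # fail loudly instead.
  ipt=$(command -v iptables) || die "firewall: iptables not found in PATH"
  readonly ipt

  log_start
  reset_tables
  set_policies
  base_rules
  service_rules
}

main "$@"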