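#!/bin/bash
# Server firewall
# Alexandro Silva
# April 27th '2010
#
# Resets the IPv4 `filter` table and installs a host firewall:
#   - drops NULL/XMAS scans, rate-limits TCP SYNs, drops echo-request
#   - accepts loopback; logs and drops 127/8 sources seen on other interfaces
#   - accepts inbound TCP on the SSH port plus the ports listed in TCPOK / UDPOK
#   - drops every other inbound packet that is not ESTABLISHED/RELATED
# Only `iptables` (IPv4) is configured here; ip6tables is not touched.
set -eu
PATH=/bin:/usr/bin:/sbin:/usr/sbin

# Inbound service ports opened to any source.
TCPOK=(123 80 443)
UDPOK=(53)
SSH_PORT=3000

# Start from empty chains. INPUT/OUTPUT policies stay ACCEPT; the explicit
# "! ESTABLISHED,RELATED -> DROP" rule at the end is the effective default
# deny for inbound traffic, so rule order below matters.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Drop incoming malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Syn flood protection.
# The limit rule is placed in its own chain so that RETURN goes back to INPUT
# and the remaining rules are still evaluated. RETURN inside a built-in chain
# means "apply the chain policy" (ACCEPT here), which would have accepted every
# in-rate SYN to any port before the port rules were consulted.
# NOTE: the limit is global across all clients, not per source address.
iptables -N syn_flood 2>/dev/null || iptables -F syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
iptables -A INPUT -p tcp --syn -j syn_flood

# Drop incoming ping request
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Loopback: accept on lo; log and drop 127/8 sources arriving on any other
# interface (spoofed). Logging is rate-limited so a flood cannot fill the log.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -m limit --limit 5/min \
  -j LOG --log-prefix "FW-LO-SPOOF: "
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT -o lo -j ACCEPT

# Permit SSH in the 3000 port, from any source.
# A bare "-s 0.0.0.0" is a /32 that matches only the address 0.0.0.0, so the
# previous rule never matched real clients; no -s means any source.
iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

# Permit access in some TCP ports
for port in "${TCPOK[@]}"; do
  iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done

# Permit access in some UDP ports
for port in "${UDPOK[@]}"; do
  iptables -A INPUT -p udp --dport "$port" -j ACCEPT
done

# Drop other entering connections checking the state
# (extrapositioned "! --state" is the current iptables syntax).
iptables -A INPUT -m state ! --state ESTABLISHED,RELATED -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT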