#!/bin/bash

### BEGIN INIT INFO
# Provides:          firewall-dom0-3g
# Required-Start:    $network $local_fs
# Required-Stop:     $network $local_fs
# Default-Start:     S
# Default-Stop:
# Short-Description: The iptables init (firewall-dom0)
# Description:       3gteam firewall (Domain-0) initialization
### END INIT INFO

# iptables binary every rule below is issued through
IPTABLES='/sbin/iptables'

# Bridge interface facing INET and the address Domain-0 answers on;
# NETWORKIPS is the subnet that infilter() accepts as a destination.
INETIF='xenbr0'
INETIP='79.172.192.2'
NETWORKIPS='79.172.192.0/24'

# ----------------------------- init -------------------------------

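#######################################
# Prepare the INPUT chain: flush it, accept loopback, and hook in the
# user chain "infilter" that infilter() fills.  Only INPUT is touched;
# the table resets, the DROP default policies and the FORWARD/OUTPUT
# rules are kept disabled on purpose (see the commented lines below),
# so a packet that leaves infilter without a verdict ends up under
# whatever policy INPUT already has.
# Globals:   IPTABLES (read)
# Outputs:   progress marker " init" on stdout
# Returns:   status of the last iptables call
#######################################
fw_init() {

    echo -n " init"

    # Reset tables -- disabled: this script only owns INPUT
#    $IPTABLES -F
#    $IPTABLES -X
#    $IPTABLES -t nat -F
#    $IPTABLES -t mangle -F

    # Defaults (DROP ALL) -- disabled, policies are left as they are
#    $IPTABLES -P INPUT  DROP
#    $IPTABLES -P FORWARD  DROP
#    $IPTABLES -P OUTPUT  DROP

    # changing INPUT chain only
    "$IPTABLES" -F INPUT

    # Totally allow loopback (lo) traffic
    "$IPTABLES" -A INPUT -i lo -p all -j ACCEPT		# allow ALL input from loopback
#    $IPTABLES -A FORWARD -i lo -p all -j ACCEPT		# allow ALL forward from loopback
#    $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT		# allow ALL output to loopback

    # Munin-needed
    #$IPTABLES -A INPUT -d $INETIP
    #$IPTABLES -A OUTPUT -s $INETIP

    # Create the filtering chain unless it is already there: the -F INPUT
    # above does not delete user chains, so on restart a bare -N would
    # fail and print an error.  infilter() flushes the chain itself.
    "$IPTABLES" -L infilter -n >/dev/null 2>&1 || "$IPTABLES" -N infilter
    "$IPTABLES" -A INPUT -j infilter
#        $IPTABLES -A FORWARD -j infilter

    # allow OUTPUT
    #$IPTABLES -A OUTPUT -o $INETIF -p all -j ACCEPT		# allow ALL output to INET

}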

# ------------------------------ infilter chain -------------------------------

#######################################
# Rebuild the "infilter" user chain from scratch: drop malformed TCP,
# fragments and spoofed source ranges coming in on INETIF, then accept
# the published services, accept RELATED/ESTABLISHED traffic and finally
# drop everything else that is addressed to INETIP.  Packets on INETIF
# addressed to some other local address are not given a verdict here.
# Globals:   IPTABLES, INETIF, INETIP, NETWORKIPS (read)
# Outputs:   progress marker " infilter" on stdout
# Returns:   status of the last iptables call
#######################################
infilter() {

    echo -n " infilter"
    "$IPTABLES" -F infilter

    # every rule in this chain except the ICMP one is bound to INETIF
    local -a in_if=("$IPTABLES" -A infilter -i "$INETIF")

    # Protect against common attacks
    "${in_if[@]}" -p tcp ! --syn -m state --state NEW -j DROP	# NEW packets should be SYN
    "${in_if[@]}" -f -j DROP						# IP fragmentation attack

    # bogus TCP flag combinations, "mask flags" pairs in the order applied
    local flag_rule
    for flag_rule in \
        'ACK,FIN FIN' \
        'ACK,PSH PSH' \
        'ACK,URG URG' \
        'FIN,RST FIN,RST' \
        'SYN,FIN SYN,FIN' \
        'SYN,RST SYN,RST' \
        'ALL ALL' \
        'ALL NONE' \
        'ALL FIN,PSH,URG' \
        'ALL SYN,FIN,PSH,URG' \
        'ALL SYN,RST,ACK,FIN,URG'; do
        "${in_if[@]}" -p tcp --tcp-flags "${flag_rule% *}" "${flag_rule#* }" -j DROP
    done

    # Protect against fake LAN/loopback connections from INET
    local -a spoof_nets=(
        0.0.0.0/8
        127.0.0.0/8
        10.0.0.0/8
        172.16.0.0/12
        192.168.0.0/16
        224.0.0.0/3
    )
    local spoof_net
    for spoof_net in "${spoof_nets[@]}"; do
        "${in_if[@]}" -p all -s "$spoof_net" -j DROP
    done

    # Drop packets not addressed to our subnet
    "${in_if[@]}" -p all ! -d "$NETWORKIPS" -j DROP

    # -----------------------------------------------------------------------------

    # Drop DNS flooders (known bad source port)
    "${in_if[@]}" -p udp --sport 25345 --dport 53 -j DROP
    "${in_if[@]}" -p tcp --sport 25345 --dport 53 -j DROP

    # -----------------------------------------------------------------------------

    # ICMP PING allowed, rate-limited -- note: no interface match, so this
    # applies to every interface whose traffic reaches this chain
    "$IPTABLES" -A infilter -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

    # -----------------------------------------------------------------------------

    # SSH (non-standard port)
    "${in_if[@]}" -p tcp --dport 222 -j ACCEPT

    # DNS server, only for clients inside our own subnet
    "${in_if[@]}" -s "$NETWORKIPS" -p tcp --dport 53 -j ACCEPT
    "${in_if[@]}" -s "$NETWORKIPS" -p udp --dport 53 -j ACCEPT

    # WWW + WWW-SSL
    "${in_if[@]}" -p tcp --dport 80 -j ACCEPT
    "${in_if[@]}" -p tcp --dport 443 -j ACCEPT

    # RAID
    "${in_if[@]}" -p tcp --dport 34000 -j ACCEPT

    # identd -> REJECT quickly so clients do not hang; above the limit
    # the packet falls through to the final DROP below
    "${in_if[@]}" -p tcp --dport 113 -m limit --limit 4/s -j REJECT

    # -----------------------------------------------------------------------------

    # ACCEPTING from $INETIF
    "${in_if[@]}" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # DROPPING ALL REMAINING addressed to us (!!!)
    "${in_if[@]}" -d "$INETIP" -m state --state NEW,INVALID -j DROP
    "${in_if[@]}" -d "$INETIP" -j DROP

    # -----------------------------------------------------------------------------

    # unconditional variants, kept disabled
    # $IPTABLES -A infilter -m state --state NEW,INVALID -j DROP
    # $IPTABLES -A infilter -j DROP

}

# ----------------------------------------------------------------------------------

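# Init-script dispatch.  "stop" deliberately leaves the rules in place
# (the firewall is never torn down), "reload" only rebuilds the infilter
# chain and therefore assumes a previous "start" created it.
case "$1" in
    start|restart)
        echo -n "Initializing firewall rules: "
        fw_init
        infilter
        echo " done."
        # fw_init flushed INPUT; restart fail2ban (if it is running) --
        # presumably so that it re-inserts its own rules there; confirm.
        # Written as if/then so a missing pid file does not turn into a
        # non-zero exit status for the whole "start" action.
        if [ -f /var/run/fail2ban/fail2ban.pid ]; then
            /etc/init.d/fail2ban restart
        fi
        ;;
    reload)
        echo -n "Reloading firewall filters: "
        infilter
        echo " done."
        ;;
    stop)
        exit 0
        ;;
    *)
        echo "Usage: $0 {start|restart|reload}"
        exit 1
        ;;
esac

exit 0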
