#!/bin/bash
#
# Default firewalls for the CIS Computer labs
#
# Eric Thern	eric@thern.org
# April 2002
#
#
# 1) set up /etc/hosts.allow so only the computers that need "portmap" access get it.
# tested and works on single addresses.  should work on addresses in form 10.0.0.0/16 but NOT on partial IP addresses
# example line:
# portmap: 127.0.0.1 10.0.0.1 10.0.0.2
#
# 2) run this script, and it will set up ipchains to allow all access to hosts in the portmap section, but to no other hosts.
#

IPCHAINS="/sbin/ipchains"

#
# flush ruleset
#
$IPCHAINS -F

#
# comment out if you don't want forwarding enabled
#
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# set up default rules
#
$IPCHAINS -A input -j ACCEPT
$IPCHAINS -A output -j ACCEPT
$IPCHAINS -A forward -j ACCEPT

#
# rulesets
#
$IPCHAINS -A input -s 0.0.0.0/0.0.0.0 67:68 -d 0.0.0.0/0.0.0.0 67:68 -i eth0 -p udp -j ACCEPT
$IPCHAINS -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p udp -j ACCEPT
$IPCHAINS -A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1024:65535 -p udp -j ACCEPT
$IPCHAINS -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT

for i in `cat /etc/hosts.allow | grep portmap | awk -F": " '{print $2}' | awk -F" " '{for (x=1; $x > 1; ++x) print $x}'`; do `$IPCHAINS -A input -s $i -d 0.0.0.0/0.0.0.0 0:65535 -p tcp -j ACCEPT; $IPCHAINS -A input -s 0.0.0.0/0.0.0.0 -d $i 0:65535 -p tcp -j ACCEPT; $IPCHAINS -A input -s $i -d 0.0.0.0/0.0.0.0 0:65535 -p udp -j ACCEPT; $IPCHAINS -A input -s 0.0.0.0/0.0.0.0 -d $i 0:65535 -p udp -j ACCEPT`; done

$IPCHAINS -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p tcp -j REJECT -y
$IPCHAINS -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p udp -j REJECT