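#!/bin/bash
#
# Default firewalls for the CIS Computer labs
#
# Eric Thern
# April 2002
#
# October, 2002 - updated from ipchains to iptables
#
# 1) set up /etc/hosts.allow so only the computers that need "portmap" access get it.
#    tested and works on single addresses. should work on addresses in form 10.0.0.0/16
#    but NOT on partial IP addresses. Hostnames are NOT accepted either: iptables would
#    resolve them through DNS at rule-load time, so the allow list would depend on
#    whatever DNS answered at boot. Entries that are not an IPv4 address or network
#    (hosts_access keywords such as ALL/LOCAL/EXCEPT, "10.0." style partials, trailing
#    comments) are skipped with a warning on stderr.
#    example line:
#    portmap: 127.0.0.1 10.0.0.1 10.0.0.2
#
# 2) run this script as root, and it will set up iptables to allow all TCP/UDP access
#    from hosts in the portmap section, but from no other hosts.
#
# Exit status: 0 if every rule was installed; 1 if the interface address could not be
# determined (nothing is changed in that case) or if one or more iptables calls failed
# (the closing REJECT rules are still attempted so the host is not left open).
#
# Things to know about the resulting ruleset:
#  - Rules are appended in the order written below. Between the flush and the closing
#    REJECT rules the INPUT chain is briefly empty, i.e. wide open under the chain's
#    default policy.
#  - Only TCP and UDP reach the closing REJECT rules; other IPv4 protocols (ICMP,
#    GRE, ...) are governed by the INPUT chain's default policy, which this script
#    does not set.
#  - No FORWARD rules are installed, so enabling ip_forward below makes this host
#    route freely between whatever interfaces it has.

readonly IPTABLES="/sbin/iptables"
readonly HOSTS_ALLOW="/etc/hosts.allow"
readonly IFACE="eth0"

# Number of iptables invocations that returned non-zero; reported at the end.
failed=0

#######################################
# Run one iptables command, recording (but not aborting on) failure.
# `set -e` is deliberately not used in this script: aborting half-way would leave
# the chain without its closing REJECT rules.
# Globals:   IPTABLES (read), failed (written)
# Arguments: iptables arguments, e.g. -A INPUT -i lo -j ACCEPT
# Outputs:   iptables' own diagnostics on stderr, plus a one-line failure notice
# Returns:   the iptables exit status
#######################################
rule() {
  local rv=0
  "$IPTABLES" "$@" || rv=$?
  if (( rv != 0 )); then
    printf 'firewall: rule failed (status %d): %s\n' "$rv" "$*" >&2
    failed=$(( failed + 1 ))
  fi
  return "$rv"
}

#######################################
# Print the IPv4 address of $IFACE, or nothing if it has none.
# Handles both the "inet addr:10.0.0.5" (older net-tools) and the "inet 10.0.0.5"
# output formats; the trailing space in /inet / keeps inet6 lines out. Only the
# first inet line is used.
# Globals:   IFACE (read)
# Outputs:   the address on stdout
#######################################
iface_address() {
  /sbin/ifconfig "$IFACE" 2>/dev/null \
    | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }'
}

#######################################
# Print, one per line, the client entries of every hosts.allow line whose daemon
# list contains "portmap". Matching on the daemon field (not `grep portmap` over the
# whole line) keeps commented-out examples such as "# portmap: ..." and unrelated
# daemons out of the allow list. An "options" field after a second colon is ignored.
# Arguments: $1 - path to the hosts.allow file
# Outputs:   client entries on stdout
# Returns:   1 if the file is not readable (nothing printed), else 0
#######################################
portmap_clients() {
  local file=$1
  if [[ ! -r "$file" ]]; then
    printf 'firewall: cannot read %s; no portmap hosts will be allowed\n' "$file" >&2
    return 1
  fi
  awk -F: '
    $1 ~ /(^|,)[ \t]*portmap[ \t]*(,|$)/ {
      n = split($2, f, /[ \t]+/)
      for (k = 1; k <= n; k++)
        if (f[k] != "") print f[k]
    }' "$file"
}

#######################################
# True if $1 is a dotted-quad IPv4 address, optionally followed by /prefix-length
# or /dotted-quad netmask. Octet ranges are not checked here; iptables rejects
# out-of-range values itself.
# Arguments: $1 - candidate entry
# Returns:   0 if it looks like an IPv4 address or network, 1 otherwise
#######################################
is_ipv4_net() {
  local quad='[0-9]{1,3}(\.[0-9]{1,3}){3}'
  local re="^${quad}(/([0-9]{1,2}|${quad}))?\$"
  printf '%s\n' "$1" | grep -Eq "$re"
}

#######################################
# Install the lab ruleset.
# Globals:   IPTABLES, HOSTS_ALLOW, IFACE (read), failed (read)
# Arguments: none
# Returns:   does not return; exits 0 on success, 1 on any failure (see header)
#######################################
main() {
  local localhost client

  localhost=$(iface_address)
  if [[ -z "$localhost" ]]; then
    printf 'firewall: cannot determine the IPv4 address of %s; no rules changed\n' \
      "$IFACE" >&2
    exit 1
  fi

  #
  # flush ruleset
  #
  rule -F

  #
  # comment out if you don't want forwarding enabled
  #
  echo 1 > /proc/sys/net/ipv4/ip_forward

  #
  # rulesets
  #
  # Incoming DNS-over-TCP connections to this host.
  rule -A INPUT -p tcp -m tcp --dport 53 --syn -i "$IFACE" -j ACCEPT
  # These two rules trust the *source* port: any host can reach an unprivileged UDP
  # port here by sending from port 53, and the "! --syn" rule further down admits
  # any non-SYN TCP segment to ports >= 1024. This is the pre-conntrack
  # approximation of "replies to our own queries"; a stateful rule would be tighter.
  rule -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -i "$IFACE" -j ACCEPT
  # DHCP client/server traffic.
  rule -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i "$IFACE" -j ACCEPT
  rule -A INPUT -i lo -j ACCEPT
  # NOTE(review): on INPUT a packet arriving on $IFACE with our own address as its
  # source was not sent by us (our own traffic to ourselves arrives on lo), so this
  # rule - and the "-s $localhost" rules in the loop below - accept anything that
  # spoofs our address. They look like ipchains leftovers; kept for fidelity,
  # consider removing them.
  rule -A INPUT -p tcp -m tcp -s "$localhost" -d 0/0 --dport 0:65535 -i "$IFACE" -j ACCEPT
  rule -A INPUT -p tcp -m tcp -s 0/0 -d "$localhost" --dport 1024:65535 ! --syn -i "$IFACE" -j ACCEPT

  # Hosts granted portmap access in hosts.allow get unrestricted TCP and UDP.
  # The loop reads from process substitution rather than a pipe so its body runs in
  # this shell and rule() can update $failed. (An earlier version wrapped the body in
  # backticks, which executed iptables' stdout as a command.)
  while IFS= read -r client; do
    if ! is_ipv4_net "$client"; then
      printf 'firewall: skipping hosts.allow entry "%s": not an IPv4 address/network\n' \
        "$client" >&2
      continue
    fi
    rule -A INPUT -p tcp -m tcp -s "$client" -d "$localhost" --dport 0:65535 -i "$IFACE" -j ACCEPT
    rule -A INPUT -p tcp -m tcp -s "$localhost" -d "$client" --dport 0:65535 -i "$IFACE" -j ACCEPT
    rule -A INPUT -p udp -m udp -s "$client" -d "$localhost" --dport 0:65535 -i "$IFACE" -j ACCEPT
    rule -A INPUT -p udp -m udp -s "$localhost" -d "$client" --dport 0:65535 -i "$IFACE" -j ACCEPT
  done < <(portmap_clients "$HOSTS_ALLOW")

  #
  # deny everything else
  #
  rule -A INPUT -p tcp -m tcp -s 0/0 --sport 0:65535 -d 0/0 --dport 0:65535 -i "$IFACE" -j REJECT
  rule -A INPUT -p udp -m udp -s 0/0 --sport 0:65535 -d 0/0 --dport 0:65535 -i "$IFACE" -j REJECT

  if (( failed > 0 )); then
    printf 'firewall: %d rule(s) failed to install\n' "$failed" >&2
    exit 1
  fi
  exit 0
}

main "$@"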