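#!/bin/bash
#
#
# Eric Thern
# April 2002
#
# October, 2002 - updated from ipchains to iptables
# March, 2003 - updated for new network
#               added NAT rules and such, and FORWARD rules by default
#
#
# 1) set up /etc/hosts.allow so only the computers that need "portmap" access get it.
#    tested and works on single addresses. should work on addresses in form 10.0.0.0/16
#    but NOT on partial IP addresses
#    example line:
#    portmap: 127.0.0.1 10.0.0.1 10.0.0.2
#
# 2) run this script, and it will set up iptables to allow all access to hosts
#    in the portmap section, but to no other hosts.
#
# Usage: run as root, no arguments.  Edit IFACE / INTERNAL_NET below for a
# different network.
#
# Notes on the ruleset (the rules are reproduced as written; check these
# before relying on it):
#   - No chain policy is set (-P).  The closing "deny everything else" rules
#     REJECT only tcp and udp, so any other protocol (icmp, gre, ...) falls
#     through to whatever default policy the chain already has.
#   - "! --syn" admits every non-SYN tcp segment without connection tracking;
#     `-m state --state ESTABLISHED,RELATED` is the tighter form.
#   - The "-s $LOCALHOST" and "-s 10.10.10.0/24" ACCEPT rules are not tied to
#     an interface, so they match on the source address alone.
#

set -u

readonly IPTABLES="/sbin/iptables"
readonly IFACE="eth0"
readonly INTERNAL_NET="10.10.10.0/24"
readonly HOSTS_ALLOW="/etc/hosts.allow"

# IPv4 address of $IFACE; filled in by main() before any rule is written.
LOCALHOST=""

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the IPv4 address of interface $1.
# Accepts both the old "inet addr:1.2.3.4" and the newer "inet 1.2.3.4"
# ifconfig layouts.  (The original "grep inet" also matched the inet6 line
# and produced an extra empty field.)
# Arguments: $1 - interface name
# Outputs:   the address on stdout, nothing if it cannot be found
#######################################
local_address() {
  /sbin/ifconfig "$1" 2>/dev/null \
    | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

#######################################
# Print every address listed after "portmap:" in hosts.allow, one per line.
# Comment lines are skipped, so a commented-out entry no longer grants
# access (the original "grep portmap" matched those too).
# Arguments: $1 - path to hosts.allow (defaults to $HOSTS_ALLOW)
# Outputs:   addresses on stdout
#######################################
portmap_hosts() {
  local file=${1:-$HOSTS_ALLOW}
  if [[ ! -r "$file" ]]; then
    printf 'warning: %s not readable; no portmap hosts will be allowed\n' "$file" >&2
    return 0
  fi
  # field 1 is the daemon list, field 2 the client list; a third ": option"
  # field, if present, is ignored
  awk -F': *' '
    /^[[:space:]]*#/ { next }
    $1 ~ /portmap/ {
      n = split($2, a, " ")
      for (i = 1; i <= n; i++) print a[i]
    }' "$file"
}

#######################################
# Allow all tcp and udp traffic in both directions between host $2 and this
# machine on chain $1.  Replaces the original loop body, which ran the
# iptables commands inside backticks and then tried to execute their
# (empty) output as a command.
# Globals:   IPTABLES, LOCALHOST (read)
# Arguments: $1 - chain (INPUT or FORWARD), $2 - address or network
#######################################
allow_host() {
  local chain=$1 host=$2 proto
  for proto in tcp udp; do
    "$IPTABLES" -A "$chain" -p "$proto" -m "$proto" -s "$host" -d "$LOCALHOST" --dport 0:65535 -j ACCEPT
    "$IPTABLES" -A "$chain" -p "$proto" -m "$proto" -s "$LOCALHOST" -d "$host" --dport 0:65535 -j ACCEPT
  done
}

#######################################
# INPUT chain: DNS, DHCP, loopback, the internal network, one local service,
# replies to outbound tcp, the portmap hosts, then REJECT remaining tcp/udp.
# Globals: IPTABLES, IFACE, INTERNAL_NET, LOCALHOST (read)
#######################################
input_rules() {
  local host
  "$IPTABLES" -A INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -j ACCEPT

  # allow traffic to/from the internal network (same rules in the FORWARD section)
  "$IPTABLES" -A INPUT -p tcp -m tcp -s 0/0 -d "$INTERNAL_NET" -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -m udp -s 0/0 -d "$INTERNAL_NET" -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -m tcp -s "$INTERNAL_NET" -d 0/0 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -m udp -s "$INTERNAL_NET" -d 0/0 -j ACCEPT

  # tcp/51079 on the external interface; the service behind it is not named
  # here -- confirm it is still needed
  "$IPTABLES" -A INPUT -p tcp -m tcp -s 0/0 -d "$LOCALHOST" --dport 51079 -i "$IFACE" -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -m tcp -s "$LOCALHOST" -d 0/0 --dport 0:65535 -j ACCEPT
  # replies to outbound tcp connections (see the header note on "! --syn")
  "$IPTABLES" -A INPUT -p tcp -m tcp -s 0/0 -d "$LOCALHOST" --dport 1024:65535 ! --syn -j ACCEPT

  while IFS= read -r host; do
    [[ -n "$host" ]] || continue
    allow_host INPUT "$host"
  done < <(portmap_hosts)

  # deny everything else (tcp and udp only -- see the header note)
  "$IPTABLES" -A INPUT -p tcp -m tcp -s 0/0 --sport 0:65535 -d 0/0 --dport 0:65535 -j REJECT
  "$IPTABLES" -A INPUT -p udp -m udp -s 0/0 --sport 0:65535 -d 0/0 --dport 0:65535 -j REJECT
}

#######################################
# FORWARD chain: same shape as INPUT, without the tcp/51079 rule.
# Globals: IPTABLES, INTERNAL_NET, LOCALHOST (read)
#######################################
forward_rules() {
  local host
  "$IPTABLES" -A FORWARD -p tcp -m tcp --dport 53 --syn -j ACCEPT
  "$IPTABLES" -A FORWARD -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
  "$IPTABLES" -A FORWARD -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
  "$IPTABLES" -A FORWARD -i lo -j ACCEPT

  # internal network, both directions
  "$IPTABLES" -A FORWARD -p tcp -m tcp -s 0/0 --sport 0:65535 -d "$INTERNAL_NET" --dport 0:65535 -j ACCEPT
  "$IPTABLES" -A FORWARD -p udp -m udp -s 0/0 --sport 0:65535 -d "$INTERNAL_NET" --dport 0:65535 -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp -m tcp -s "$INTERNAL_NET" --sport 0:65535 -d 0/0 --dport 0:65535 -j ACCEPT
  "$IPTABLES" -A FORWARD -p udp -m udp -s "$INTERNAL_NET" --sport 0:65535 -d 0/0 --dport 0:65535 -j ACCEPT

  "$IPTABLES" -A FORWARD -p tcp -m tcp -s "$LOCALHOST" -d 0/0 --dport 0:65535 -j ACCEPT
  # replies to outbound tcp connections (see the header note on "! --syn")
  "$IPTABLES" -A FORWARD -p tcp -m tcp -s 0/0 -d "$LOCALHOST" --dport 1024:65535 ! --syn -j ACCEPT

  while IFS= read -r host; do
    [[ -n "$host" ]] || continue
    allow_host FORWARD "$host"
  done < <(portmap_hosts)

  # deny everything else (tcp and udp only -- see the header note)
  "$IPTABLES" -A FORWARD -p tcp -m tcp -s 0/0 --sport 0:65535 -d 0/0 --dport 0:65535 -j REJECT
  "$IPTABLES" -A FORWARD -p udp -m udp -s 0/0 --sport 0:65535 -d 0/0 --dport 0:65535 -j REJECT
}

#######################################
# Entry point: sanity checks, flush, NAT, then the INPUT and FORWARD chains.
# Globals: LOCALHOST (written); IPTABLES, IFACE (read)
#######################################
main() {
  (( EUID == 0 )) || die "must be run as root"
  [[ -x "$IPTABLES" ]] || die "$IPTABLES not found or not executable"

  LOCALHOST=$(local_address "$IFACE")
  # an empty address would silently produce malformed rules ("-d --dport ..."),
  # so stop before the existing ruleset is flushed
  [[ -n "$LOCALHOST" ]] || die "could not determine the IPv4 address of $IFACE"

  # flush ruleset
  "$IPTABLES" -F
  "$IPTABLES" -F -t nat

  # comment out if you don't want forwarding enabled
  echo 1 > /proc/sys/net/ipv4/ip_forward
  "$IPTABLES" -t nat -A POSTROUTING -o "$IFACE" -j SNAT --to "$LOCALHOST"

  input_rules
  forward_rules
}

main "$@"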