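#!/bin/sh
# firewall.sh - Configurable per-host firewall for workstations and
# servers.
# (c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL
#
# Usage: firewall.sh {start|stop|status}
#
# Every action shells out to iptables, so the script must run as root and
# iptables must be on PATH; there is no privilege check here, a failing
# iptables call is simply reported by iptables itself.

# Script name without its directory, used in progress messages.
prog=${0##*/}

#######################################
# Remove every rule and chain and set all built-in policies to ACCEPT.
# After this the host accepts all traffic, including forwarding.
# Arguments: none
# Outputs:   progress text to stdout
#######################################
stop_fw() {
  printf 'stopping %s...' "$prog"
  iptables --flush
  iptables --delete-chain
  iptables -P FORWARD ACCEPT
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  echo "done."
}

#######################################
# Rebuild the INPUT rule set: loopback, established/related traffic, a few
# ICMP types and the "holes" listed below are accepted, everything else is
# logged (rate-limited) and dropped.  FORWARD is dropped; OUTPUT is not set
# here, so outgoing connections are not restricted by this script.
# Arguments: none
# Outputs:   progress text to stdout
#######################################
start_fw() {
  printf 'starting %s...' "$prog"

  # Cleanup old rules.  Policies are set to DROP *before* flushing so the
  # host is never left open while the rules are rebuilt; if a rule below
  # fails to load, the host fails closed rather than open.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables --flush          # Flush all rules, but keep policies
  iptables --delete-chain

  ## Workstation Minimal firewall ###
  iptables -P FORWARD DROP
  iptables -P INPUT DROP
  # Loopback: only 127.0.0.1 <-> 127.0.0.1 is accepted.  Traffic on lo using
  # any other address falls through to the LOG/DROP rules at the bottom.
  iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
  # Replies to connections this host initiated.
  iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
  # ICMP: the two error types plus ping in both directions.
  iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

  ####### HOLES #######
  ## Edit holes below, then run this script again
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  iptables -A INPUT -p tcp --dport http -j ACCEPT
  iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
  ##################### Edit above

  # Everything not matched above: log at most 40 entries per minute (so a
  # flood cannot fill the log), then drop.
  iptables -A INPUT -j LOG -m limit --limit 40/minute
  iptables -A INPUT -j DROP

  # Save
  # iptables-save > /etc/sysconfig/iptables
  echo "done."
}

#######################################
# Print the current rule set.  Plain -L resolves addresses and ports to
# names, which can be slow; add -n if that matters.
# Arguments: none
# Outputs:   iptables listing to stdout
#######################################
fw_status() {
  iptables -L
}

case "$1" in
  start)  start_fw ;;
  stop)   stop_fw ;;
  status) fw_status ;;
  *)
    printf 'Usage: %s {start|stop|status}\n' "$0" >&2
    exit 1
    ;;
esac
# Note: the exit status of the iptables calls is not propagated here.
exit 0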