##############################################################################
#
# fw.sh - simple firewall script to lockdown iptables over a remote connection
#         without using most of the original interactive "dialog" script in 
#         order to allow this script to be run over a remote SSH connection and
#         not lose your connection mid-script.  
#
#    v1.0 - December 12, 2006 - initial release
#           Bruce A. Westbrook (bwestbrook@gmail.com)
#
#
# Quick Notes:
#      -i       Interface that should be filtered
#      -p       Protocol (see /etc/protocols)
#      -s       Source IP address (0/0 = any)
#      -d       Destination IP address (0/0 = any)
#      -m       Match -- commonly match on protocol, state or both
#      -j       Jump -- what to do if a packet matches a rule
#     --dport   Destination Port
#     --sport   Source Port
#     --state   Packet State -- INVALID, ESTABLISHED, NEW or RELATED
#
#     iptables -L --line	                    Shows line # of rules
#     iptables -I INPUT "chain_number" "new_rule" Insert new rule
#     iptables -R INPUT "chain_number" "new_rule" Replace a rule
#     iptables -A INPUT "new_rule"                Add a rule at the end
#
#     cat /etc/sysconfig/iptables       See the effective rules on a reboot
#
#     If you're reading this script and don't have a clue, check out the great
#     tutorial at:  http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
#
# IMPORTANT NOTE:
#       If you make changes to this file on a Windows box and then copy 
#       to a Linux box, you'll need to issue the following two commands:  
#         dos2unix fw.sh
#         chmod +x fw.sh
#
##############################################################################


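## Make sure the sbin directories are searched: iptables, iptables-save and
## service live there, and a non-login root shell (plain "su") may not have
## them on PATH.  The user's own PATH is kept after them.
PATH=/sbin:/usr/sbin:$PATH
export PATH

## Everything below (iptables, the backups under /etc/sysconfig, service)
## needs root; stop here rather than fail half-way through the rebuild.
if [ "$(id -u)" -ne 0 ]; then
  echo "fw.sh must be run as root - no changes were made." >&2
  exit 1
fi

clear
dialog \
  --title "Begin Building iptables" \
  --backtitle "Firewall Script - Bruce A. Westbrook" \
  --defaultno \
  --yesno "This script will backup and delete ALL of your current \
          iptables settings before applying a simple iptables. \
          By default, only SSH is allowed inbound.  If you need \
          other ports open, edit this script first. \
          Are you sure you want to continue?" 9 60
sel=$?

## Only an explicit "Yes" (0) continues.  1 = No, 255 = ESC.  Any other
## status (dialog not installed -> 127, or a dialog error) must stop the
## script too: without the default arm the case fell through and the
## firewall was flushed without confirmation.
case "$sel" in
  0) echo "Script running..." ;;
  1) echo "Skipping script - no changes were made."
     exit 0 ;;
  255) echo "[ESC] key pressed.  Skipping script - no changes were made."
       exit 0 ;;
  *) echo "dialog exited with status $sel - no changes were made." >&2
     exit 1 ;;
esac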

#########################################
## Backup current iptables configuration 
## various ways - better safe than sorry!
#########################################

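TIMESTAMP=$(date +%Y-%m-%d@%H:%M:%S)
SAVEDIRECTORY=/etc/sysconfig/iptables-saved-configs
## Single file that receives the dumps of the filter, nat and mangle tables
MEMORYDUMP="$SAVEDIRECTORY/iptables-memory.orig-$TIMESTAMP"

## The backups contain the complete rule set (and any source addresses it
## trusts); keep them readable by root only.  umask covers every file
## created below, -m covers the directory itself.
umask 077

## Create saved directory.  -p: re-running the script on a box that already
## has the directory must not fail.  If it cannot be created there is
## nowhere to back up to, so stop before anything is flushed.
if ! mkdir -p -m 0700 "$SAVEDIRECTORY"; then
  echo "Cannot create $SAVEDIRECTORY - aborting, no changes were made." >&2
  exit 1
fi

## dump_table TITLE [TABLE]
## Appends a banner followed by the output of "iptables [-t TABLE] -vnL" to
## $MEMORYDUMP.  The banner text is quoted on purpose: an unquoted '#' at the
## start of a word begins a shell comment, so the original "echo ####### >>"
## lines printed an empty line to the terminal and wrote nothing to the file.
dump_table() {
  title=$1
  table=${2:-}
  if [ -n "$table" ]; then
    set -- -t "$table"
  else
    set --
  fi
  {
    echo "###########################"
    echo "## $title"
    echo "## iptables ${table:+-t $table }-vnL"
    echo "###########################"
    echo
    iptables "$@" -vnL
    echo
    echo
  } >> "$MEMORYDUMP"
}

## Save the current iptables in memory: filter, nat and mangle tables.
## (The original wrote a mangle banner but never ran the mangle dump.)
dump_table "IPTABLES IN MEMORY"
dump_table "NAT TABLE IN MEMORY" nat
dump_table "MANGLE TABLE IN MEMORY" mangle

## Save the current iptables from file (may not exist on a fresh box)
if [ -f /etc/sysconfig/iptables ]; then
  cp /etc/sysconfig/iptables "$SAVEDIRECTORY/iptables.orig-$TIMESTAMP"
fi

## Save the last iptables save from file (may not exist on a fresh box)
if [ -f /etc/sysconfig/iptables.save ]; then
  cp /etc/sysconfig/iptables.save "$SAVEDIRECTORY/iptables.save.file.orig-$TIMESTAMP"
fi

## Save the current running iptables.  This is the copy that can be restored
## with iptables-restore, so do not go on to wipe the rules without it.
if ! iptables-save > "$SAVEDIRECTORY/iptables-save.command-$TIMESTAMP"; then
  echo "iptables-save failed - aborting, no changes were made." >&2
  exit 1
fi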


#########################################
## Configure new iptables
#########################################

## Flush iptables from memory
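## Port opened by the SSH allow rule.  Override from the environment
## (SSH_PORT=2222 ./fw.sh) when sshd does not listen on 22; the default
## keeps the original behaviour.
SSH_PORT=${SSH_PORT:-22}

## Flush iptables from memory.  "-F" with no chain flushes every chain of
## the filter table, so the per-chain flushes are not needed.  Default
## policies and the conntrack table are left alone, so the SSH session this
## script runs over is still tracked as ESTABLISHED.
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -Z

## Keep the connection you are working over alive BEFORE the policy closes
## the door: loopback and already-established traffic are accepted first, so
## the switch to a DROP policy never touches the running SSH session and a
## failure further down cannot lock you out of it.  (The original set the
## DROP policy first, leaving a window with no allow rules at all.)

## Allow packets that originate from our loopback interface
iptables -A INPUT -i lo -j ACCEPT

## Allow packets from established connections.  RELATED is commonly added
## here too (ICMP errors, protocol helpers); left out to keep the original
## policy.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

## Set default table responses - from here on anything not explicitly
## allowed into or through the box is dropped; outbound stays open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Allow ICMP packets
iptables -A INPUT -p ICMP -j ACCEPT

## SSH
iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT


#########################################
## Other Examples - uncomment and edit
##                  as desired
#########################################

##SMTP
#iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

##HTTP
#iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

##HTTPS
#iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

## Specific source IP address for SNMP (example network - replace with the
## network your monitoring host actually lives on)
#iptables -A INPUT -s 63.210.254.0/24 -p udp --dport 161 -j ACCEPT

##SSH port redirection
#iptables -t nat -A PREROUTING -p tcp --dport 2222 -j REDIRECT --to-port 22

## Log (rate-limited) what is about to be dropped, so blocked traffic shows
## up in the kernel log and not only in the rule counters
#iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw.sh DROP: "


#########################################
## Drop all remaining packets that don't match any rules
#########################################

## Redundant with the INPUT DROP policy, but an explicit rule carries its
## own packet/byte counters in "iptables -vnL", which makes blocked traffic
## easy to spot after the fact.
iptables -A INPUT -j DROP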


#########################################
## Save config and restart iptables
#########################################

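## Persist the running rules so they survive a reboot (Red Hat-style init:
## "save" writes /etc/sysconfig/iptables, "start" loads that file).  A
## failed save is reported rather than ignored: the new rules are active in
## memory, but the box would come back up with the old ones.
if ! service iptables save; then
  echo "WARNING: 'service iptables save' failed - the new rules are active but NOT saved for reboot." >&2
fi
service iptables start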

#########################################
## Final Information
#########################################

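clear
## The box is 62 characters wide inside the borders.  Lines that carry a
## value are padded with printf to that width so the right border stays
## aligned (the original left those lines open-ended).  The format strings
## are constants; values are only ever passed as arguments.
echo " ****************************************************************"
echo " *                                                              *"
echo " *  Your original iptables configuration, from both files and   *"
echo " *  what was in memory, has been saved to                       *"
echo " *                                                              *"
printf ' *       %-55s*\n' "$SAVEDIRECTORY"
echo " *                                                              *"
echo " *  as the following files:                                     *"
echo " *                                                              *"
echo " *     - What was running in memory:                            *"
printf ' *        %-54s*\n' "iptables-memory.orig-$TIMESTAMP"
echo " *                                                              *"
echo " *     - What was in the startup file:                          *"
printf ' *        %-54s*\n' "iptables.orig-$TIMESTAMP"
echo " *                                                              *"
echo " *     - What was the last 'service iptables save' output:      *"
printf ' *        %-54s*\n' "iptables.save.file.orig-$TIMESTAMP"
echo " *                                                              *"
echo " *     - Current output from the 'iptables-save' command:       *"
printf ' *        %-54s*\n' "iptables-save.command-$TIMESTAMP"
echo " *                                                              *"
echo " ****************************************************************"
echo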
