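#!/bin/bash
### BEGIN INIT INFO
# Provides:          iptables firewall script
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: firewall initscript
# Description:       Easy Debian iptables Firewall Script
#                    base script written by www.gargi.org
#                    add extend modified by www.flurweg.net
### END INIT INFO
#
# Host firewall built on default-DROP policies for INPUT/OUTPUT/FORWARD plus an
# explicit allow-list (ports, ports-from-range, fully trusted hosts) and two
# optional block lists (single IPs/CIDRs from a file, whole countries via ipset).
#
# Usage: firewall {start|stop|reload|restart|rules|cu}
#   start    flush the filter table and rebuild the rule set from the config below
#   stop     flush rules and set INPUT/OUTPUT to ACCEPT (host is unprotected)
#   reload   same as start (rules are always rebuilt from scratch)
#   restart  stop, wait one second, start
#   rules    list the active rule set with packet counters
#   cu       download the country zone files and (re)build the ipsets

BLACKLIST=/etc/firewall/blacklist.txt   # one IP or CIDR per line: 64.93.17.0/24
COUNTRYS=/etc/firewall/zones            # path for downloaded zone files
# Archive used by "cu". NOTE: fetched without any checksum or signature check,
# so the resulting block lists are only as trustworthy as the network path and
# the mirror; prefer an HTTPS mirror if one is available.
ZONE_URL=http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

#*******************************************************************************************************
# Ping
IN_ALLOWED_ICMP="yes"
OUT_ALLOWED_ICMP="yes"

# Ports inbound
IN_ALLOWED_TCP="21 22 25 80 443"
IN_ALLOWED_UDP=""

# Ports outbound (matched on destination port)
OUT_ALLOWED_TCP="21 22 25 53 80 443 1024:1033"
OUT_ALLOWED_UDP="53 123"

# Ports inbound from IP-Range, TCP ("port source-range")
IN_ALLOWED_TCP_RANGE=(
  "110 192.168.0.1/24"
  "110 192.168.32.0/28"
  #"443 194.108.32.0/28"
  #"8080 192.168.0.1/24"
)

# Ports inbound from IP-Range, UDP ("port source-range")
IN_ALLOWED_UDP_RANGE=(
  #"1900 192.168.0.143/32"
)

# All Ports (from/to) IP — these hosts bypass every other rule in both directions
IP_ALLOWED_ALL=(
  "192.168.0.176/32"
  "192.168.0.177/32"
)

# Country blocking | Required: ipset | see available lists: http://www.ipdeny.com/ipblocks/
IN_BLOCK_COUNTRYS=""
#IN_BLOCK_COUNTRYS="cn ru"
#*******************************************************************************************************

#-------------------------------------------------------------------------------------------------------
# Install:
#   Download       wget http://www.flurweg.net/linux/debian/tips/firewall.txt -O /etc/init.d/firewall
#   SetRights      chmod +x /etc/init.d/firewall
#   EnableDaemon   update-rc.d firewall defaults
#   AliasCommand1  echo "alias fw='/etc/init.d/firewall'" >> /root/.bashrc
#   AliasCommand2  echo "alias fwe='nano /etc/init.d/firewall'" >> /root/.bashrc
#   ReloadAliases  . /root/.bashrc
# Then edit your allowed Ports, Ranges.. and reload configuration with command "fw reload"
#
# Since 1.8.1 by default the nf_tables backend is used instead of the xtables backend.
# See NEWS.Debian: https://sources.debian.org/src/iptables/1.8.1-2/debian/NEWS/
# You can try switching to the legacy mode with the following command (assuming Debian):
#   update-alternatives --set iptables /usr/sbin/iptables-legacy
#-------------------------------------------------------------------------------------------------------

#######################################
# Print a message to stderr and exit with a failure status.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Verify that ipset-based country blocking can work on this host.
# Globals:   IN_BLOCK_COUNTRYS (read)
# Returns:   0 when country blocking is disabled or usable; exits 1 otherwise
#######################################
check_ipset() {
  [[ -n "$IN_BLOCK_COUNTRYS" ]] || return 0
  # An OpenVZ container has no access to the host kernel's ipset tables.
  if [[ -d /proc/vz ]]; then
    die "you can not run on a openvz machine, no access to kernel."
  fi
  if ! command -v ipset >/dev/null 2>&1; then
    die "you must install ipset before you can country block ! (apt-get install ipset)"
  fi
}

#######################################
# Drop all inbound traffic from every enabled country set that exists.
# Globals:   IN_BLOCK_COUNTRYS (read)
# Outputs:   summary of blocked / missing zones on stdout
#######################################
fw_block_countries() {
  local zone
  local -a loaded=()
  if [[ -z "$IN_BLOCK_COUNTRYS" ]]; then
    echo "No Country Blocklist defined"
    return 0
  fi
  for zone in $IN_BLOCK_COUNTRYS; do
    if ipset list "$zone" >/dev/null 2>&1; then
      loaded+=("$zone")
      # All protocols, not only TCP: otherwise any UDP port opened below would
      # still be reachable from a "blocked" country.
      iptables -A INPUT -m set --match-set "$zone" src -j DROP
    else
      printf 'Disabled Countrys: \e[31m%s\e[0m not exist ! (you must start %s cu)\n' "$zone" "$0"
    fi
  done
  if (( ${#loaded[@]} > 0 )); then
    echo "Blocking Countrys: ${loaded[*]}"
  fi
}

#######################################
# Drop all inbound traffic from the addresses listed in $BLACKLIST.
# Lines that are empty or whose first word starts with '#' are ignored;
# only the first word of each remaining line is used.
# Globals:   BLACKLIST (read)
#######################################
fw_block_blacklist() {
  local ip
  if [[ ! -f "$BLACKLIST" ]]; then
    echo "No Blocklist available"
    return 0
  fi
  while read -r ip _; do
    [[ -z "$ip" || "$ip" == \#* ]] && continue
    echo "Blocking IP: $ip"
    iptables -A INPUT -s "$ip" -j DROP
  done < "$BLACKLIST"
}

#######################################
# Allow or block ICMP echo-request in each direction.
# Globals:   IN_ALLOWED_ICMP, OUT_ALLOWED_ICMP (read)
#######################################
fw_icmp() {
  if [[ "$IN_ALLOWED_ICMP" == "yes" ]]; then
    echo "Allow Ping inbound"
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  else
    echo "Block Ping inbound"
    # Inserted at the top so it wins over the ESTABLISHED,RELATED accept.
    iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
  fi
  if [[ "$OUT_ALLOWED_ICMP" == "yes" ]]; then
    echo "Allow Ping outbound"
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  else
    echo "Block Ping outbound"
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
  fi
}

#######################################
# Accept one destination port (or iptables range "low:high") on a chain.
# Arguments: $1 chain (INPUT|OUTPUT), $2 protocol (tcp|udp), $3 port,
#            $4 optional source range restricting the rule
# Outputs:   "| port [from range] " on stdout (no newline)
#######################################
fw_open_port() {
  local chain=$1 proto=$2 port=$3 range=${4:-}
  if [[ -n "$range" ]]; then
    printf '| %s from %s ' "$port" "$range"
    iptables -A "$chain" -s "$range" -p "$proto" --dport "$port" -j ACCEPT
  else
    printf '| %s ' "$port"
    iptables -A "$chain" -p "$proto" --dport "$port" -j ACCEPT
  fi
}

#######################################
# Open every configured TCP/UDP port, inbound and outbound.
# Globals:   IN_ALLOWED_TCP, IN_ALLOWED_TCP_RANGE, OUT_ALLOWED_TCP,
#            IN_ALLOWED_UDP, IN_ALLOWED_UDP_RANGE, OUT_ALLOWED_UDP (read)
#######################################
fw_open_ports() {
  local port entry range

  printf 'TCP inbound ports: '
  for port in $IN_ALLOWED_TCP; do
    fw_open_port INPUT tcp "$port"
  done
  for entry in "${IN_ALLOWED_TCP_RANGE[@]}"; do
    read -r port range <<< "$entry"
    fw_open_port INPUT tcp "$port" "$range"
  done
  echo ""

  printf 'TCP outbound ports: '
  for port in $OUT_ALLOWED_TCP; do
    fw_open_port OUTPUT tcp "$port"
  done
  echo ""

  printf 'UDP inbound ports: '
  for port in $IN_ALLOWED_UDP; do
    fw_open_port INPUT udp "$port"
  done
  for entry in "${IN_ALLOWED_UDP_RANGE[@]}"; do
    read -r port range <<< "$entry"
    fw_open_port INPUT udp "$port" "$range"
  done
  echo ""

  printf 'UDP outbound ports: '
  for port in $OUT_ALLOWED_UDP; do
    fw_open_port OUTPUT udp "$port"
  done
  echo ""
}

#######################################
# Fully trust the hosts in IP_ALLOWED_ALL: rules are inserted at the head of
# INPUT and OUTPUT, so they take precedence over every block list above.
# Globals:   IP_ALLOWED_ALL (read)
#######################################
fw_trusted_hosts() {
  local entry range
  printf 'ALL Ports From/To : '
  for entry in "${IP_ALLOWED_ALL[@]}"; do
    read -r range <<< "$entry"
    [[ -n "$range" ]] || continue
    printf '| %s ' "$range"
    iptables -I INPUT -s "$range" -j ACCEPT
    iptables -I OUTPUT -d "$range" -j ACCEPT
  done
  echo ""
}

#######################################
# Flush the filter table and rebuild the complete rule set.
# Rule order in INPUT: trusted hosts (inserted) > loopback > country/IP block
# lists > ESTABLISHED,RELATED > ICMP > allowed ports > final DROP.
#######################################
fw_start() {
  check_ipset

  # Everything not explicitly accepted below is dropped by policy.
  iptables -F
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # loopback communication
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Block lists come BEFORE the state match: a source that is blacklisted (or
  # a whole country) is dropped even for connections that were already open
  # when the list was applied, instead of surviving until they close.
  fw_block_countries
  fw_block_blacklist

  # persist on connections
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  fw_icmp
  fw_open_ports
  fw_trusted_hosts

  # Explicit drop for remaining new TCP connections; the policy already drops
  # them, this just makes the count visible in "rules".
  iptables -A INPUT -p tcp --syn -j DROP
}

#######################################
# Flush rules and open INPUT/OUTPUT. FORWARD keeps its DROP policy so a
# stopped firewall never silently turns the host into a router.
#######################################
fw_stop() {
  iptables -F
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  printf '\e[31mWarning! Firewall is stopped, server is unprotected now!\e[0m\n'
}

#######################################
# Download the country zone archive and (re)build one ipset per enabled zone.
# Each set is built in a scratch set and swapped in atomically, so a running
# firewall keeps its current list until the new one is complete; the firewall
# does not need to be stopped for an update.
# Globals:   COUNTRYS, ZONE_URL, IN_BLOCK_COUNTRYS (read)
#######################################
fw_country_update() {
  local zone zonefile tmpset
  check_ipset
  mkdir -p -- "$COUNTRYS" || die "cannot create $COUNTRYS"
  echo "Download (or update) country zones.."
  wget -N "$ZONE_URL" -P "$COUNTRYS" || die "download of $ZONE_URL failed"
  echo "Extract zone files.."
  tar -xzf "$COUNTRYS/all-zones.tar.gz" -C "$COUNTRYS" || die "extracting zone archive failed"

  if [[ -z "$IN_BLOCK_COUNTRYS" ]]; then
    echo "No Country Blocklist defined"
    return 0
  fi
  for zone in $IN_BLOCK_COUNTRYS; do
    zonefile=$COUNTRYS/$zone.zone
    if [[ ! -f "$zonefile" ]]; then
      printf 'Country Zone not exist: \e[91m%s\e[0m\n' "$zone"
      continue
    fi
    tmpset=${zone}_new
    ipset destroy "$tmpset" >/dev/null 2>&1
    # One "ipset restore" instead of one ipset process per prefix.
    # NOTE(review): hash:net uses its default maxelem here; a very large zone
    # may need "maxelem" raised on the create line — confirm against zone sizes.
    {
      printf 'create %s hash:net\n' "$tmpset"
      awk -v s="$tmpset" '!/^[[:space:]]*(#|$)/ { print "add", s, $1 }' "$zonefile"
    } | ipset restore || die "building ipset $tmpset failed"
    if ipset list "$zone" >/dev/null 2>&1; then
      # Swap contents under the live name; the scratch set now holds the old list.
      ipset swap "$tmpset" "$zone" || die "ipset swap $tmpset $zone failed"
      ipset destroy "$tmpset"
    else
      ipset rename "$tmpset" "$zone" || die "ipset rename $tmpset $zone failed"
    fi
    printf 'Country Zone generated: \e[32m%s\e[0m\n' "$zone"
  done
}

#######################################
# Dispatch on the init-script action.
# Arguments: $1 action (start|stop|reload|restart|rules|cu)
#######################################
main() {
  case "${1:-}" in
    start|reload)
      fw_start
      ;;
    stop)
      fw_stop
      ;;
    restart)
      fw_stop
      sleep 1
      fw_start
      ;;
    rules)
      # -n: no reverse DNS lookups while listing (can hang and leaks queries).
      iptables -L -v -n
      ;;
    cu)
      fw_country_update
      ;;
    *)
      echo "Usage $0 {start|stop|reload|restart|rules|cu}" >&2
      exit 2
      ;;
  esac
}

main "$@"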