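#!/bin/sh
#
# Host firewall for the dev server: rebuilds the iptables INPUT chain from
# scratch, then persists it.  Must run as root.
#
# Only the INPUT chain is touched (flushed, policy set, rules appended);
# FORWARD and OUTPUT are left exactly as they are on the host.
#
#IPTABLES=/sbin/iptables
# Unless specified, the defaults for OUTPUT is ACCEPT
# The default for FORWARD and INPUT is DROP  (not set by this script — see note above)
#
# Rules are first-match: anything that reaches the two REJECT rules near the
# end, or falls off the chain, is refused.

# Bail out before flushing anything if iptables is not available at all.
command -v iptables >/dev/null 2>&1 || {
  echo "iptables not found in PATH; no rules changed" >&2
  exit 1
}

# echo " clearing any existing rules and setting default policy.."
# Policy is set to DROP *before* the allow rules go in, so a partial run
# fails closed rather than open.
iptables -F INPUT
iptables -P INPUT DROP

# Explicit blocklist — evaluated before every ACCEPT below.
iptables -A INPUT -s 116.110.0.0/16 -j REJECT
iptables -A INPUT -s 64.95.101.43 -j REJECT

## the first rule here is for the NFS mount from the dev server
#
## iptables -A INPUT -s 10.8.5.67 -j ACCEPT
## above rule not needed or useful on dev server as this is the dev server IP
## BUT we do want to allow all traffic from the original web server for now
iptables -A INPUT -s 10.8.3.35 -j ACCEPT

# Now the other needed rules
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 444 -j ACCEPT

# Couchdb access rules
iptables -A INPUT -p tcp -m tcp -s 10.8.5.0/24 --dport 5984 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 10.8.6.0/24 --dport 5984 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 10.80.1.0/24 --dport 5984 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 10.80.2.0/24 --dport 5984 -j ACCEPT

# time server port rule
# Matches on source port from any address; the ESTABLISHED,RELATED rule
# further down would already cover replies to our own NTP queries.
iptables -A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT

# Administrative access - Grand Island and Omaha
iptables -A INPUT -p tcp -m tcp -s 69.20.200.19 --dport 20:22 -j ACCEPT

#FTP is needed from any location as it is required for vending machine access
iptables -A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Purpose of the 7000:7500 range is not documented here — TODO confirm it is still required.
iptables -A INPUT -p tcp -m tcp --dport 7000:7500 -j ACCEPT

# Open up PCs for Mike Mays and David Whitley
## The ONLY IP block needed according to Jason is the one that is uncommented
## iptables -A INPUT -s 10.8.5.0/24 -j ACCEPT
#iptables -A INPUT -s 10.8.7.0/24 -j ACCEPT
#iptables -A INPUT -s 10.8.125.0/24 -j ACCEPT
#iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT

# Gisnetwork17
iptables -A INPUT -s 10.8.2.61 -j ACCEPT
iptables -A INPUT -s 10.80.1.0/24 -j ACCEPT

# Local P21 box access
iptables -A INPUT -s 10.8.3.1 -j ACCEPT

# UPS Worldship
iptables -A INPUT -p tcp -m tcp -s 10.8.9.2 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 12.189.113.58 --dport 5432 -j ACCEPT

# Shannon VPN
iptables -A INPUT -p tcp -m tcp -s 172.28.249.0/24 --dport 5432 -j ACCEPT

## If you need the rest of the local network to have access-remark out the
## line above and remove the remark below and restart iptables
#iptables -A INPUT -s 10.8.0.0/17 -j ACCEPT

# P21 access is necessary - rule below line
# we have some customers that need ftp to this machine
## if the below rules do not adequately allow ftp, then allow all from those
## ip's-see P21 rule above
## FTP is allowed from everywhere - no need for a special rule - see above
#iptables -A INPUT -p tcp -m tcp -s 12.21.78.126 --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 10.8.3.50 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 172.28.249.0/24 --dport 22 -j ACCEPT

## HTTP and HTTPS are allowed from everywhere - no need for a special rule - see above
##
#iptables -A INPUT -p tcp -m tcp -s 172.28.249.0/24 --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -s 172.28.249.0/24 --dport 443 -j ACCEPT

## See global rule - FTP is allowed from everywhere - no need for a special rule
#iptables -A INPUT -p tcp -m tcp -s 204.155.96.2 --dport 20:21 -j ACCEPT

# ICMP echo-request (ping) only from the admin address.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 69.20.200.19 -j ACCEPT

# Open SQL Server access?
iptables -A INPUT -p tcp -m tcp -s 10.8.2.62 --dport 1024:5000 -j ACCEPT
#iptables -A INPUT -p udp -m udp -s 10.8.2.62 --dport 1024:5000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 10.8.2.62 --dport 5432 -j ACCEPT
#iptables -A INPUT -p udp -m udp -s 10.8.2.62 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 10.8.2.61 --dport 5432 -j ACCEPT
#iptables -A INPUT -p udp -m udp -s 10.8.2.61 --dport 5432 -j ACCEPT

# Old P21 server
iptables -A INPUT -p tcp -m tcp -s 10.8.2.84 --dport 5432 -j ACCEPT
#iptables -A INPUT -p udp -m udp -s 10.8.2.84 --dport 5432 -j ACCEPT

# New P21 server
iptables -A INPUT -p tcp -m tcp -s 10.80.2.1 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 10.8.2.44 --dport 5432 -j ACCEPT

#The following 6 entries are for dns resolution
# The --sport 53 rules accept any UDP packet claiming source port 53 from these
# resolvers; replies to our own queries are also covered by the
# ESTABLISHED,RELATED rule below, so these may be redundant — TODO confirm.
# local dns
iptables -A INPUT -p udp -m udp -s 10.8.2.10 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 10.8.2.10 --dport 53 -d 0/0 -j ACCEPT
# open dns
iptables -A INPUT -p udp -m udp -s 208.67.222.222 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 208.67.222.222 --dport 53 -d 0/0 -j ACCEPT
# google dns
iptables -A INPUT -p udp -m udp -s 8.8.8.8 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 8.8.8.8 --dport 53 -d 0/0 -j ACCEPT

# Loopback and connection tracking.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else gets an explicit refusal rather than a silent drop.
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# turn on this logging feature if you think something bad is happening
# logs to syslog
# NOTE: appended here it sits *after* the two REJECT rules and will never match;
# insert it ahead of them (iptables -I) or move it above them.
#iptables -A INPUT -j LOG --log-prefix "FIREWALL-bad input:"

# turn off explicit congestion notification
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
  echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

# protect against spoofed packets
# Skip interfaces that do not exist on this host instead of erroring on the redirect.
for x in lo eno1; do
  rp_filter="/proc/sys/net/ipv4/conf/$x/rp_filter"
  if [ -e "$rp_filter" ]; then
    echo 1 > "$rp_filter"
  else
    echo "skipping rp_filter for $x: $rp_filter not present" >&2
  fi
done

# Save the rules so that when the server restarts they start with the rules intact
/usr/sbin/service iptables save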