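#!/bin/sh
#
# Builds an IPv4 netfilter firewall for a small router: WAN on eth0,
# LAN on eth1, default-deny INPUT/FORWARD, masquerading LAN -> WAN.
# Must run as root (iptables and /proc/sys writes).
#
# NOTE(review): only `iptables` (IPv4) is configured here; IPv6 traffic
# is not touched by this script — confirm an ip6tables policy separately.

# Locate iptables portably; abort early instead of running bare "-F"/"-P"
# commands when the binary is missing (which would leave no firewall at all).
IPTABLES="$(command -v iptables)" || {
  printf 'iptables non trovato, impossibile creare il firewall\n' >&2
  exit 1
}
WAN="eth0"
LAN="eth1"

echo "Creazione firewall.."
echo "Pulizia tabelle.."
# Flush before setting policies: the DROP policies below take effect
# immediately, so rules are added in the order they must match.
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F

echo "Applico policy default"
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT

echo "Abilito il traffico locale"
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

echo "Applico regole personali"
# Accept inbound and forwarded packets only when they belong to an
# existing connection or are related to one.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ping (all ICMP types, no type filter) only on loopback and WAN.
"$IPTABLES" -A INPUT -p icmp -i lo -j ACCEPT
"$IPTABLES" -A INPUT -p icmp -i "$WAN" -j ACCEPT

# Accept inbound SSH on port 22 (standard port); no -i, so this applies
# on every interface, WAN included.
"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT

# Accept inbound HTTP on port 80 (standard web port); also on every interface.
"$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT

# Accept DHCP requests, LAN side only.
"$IPTABLES" -A INPUT -p udp -m multiport --dports 67,68 -i "$LAN" -j ACCEPT
"$IPTABLES" -A FORWARD -p udp -m multiport --dports 67,68 -i "$LAN" -o "$LAN" -j ACCEPT

# Accept DNS traffic. The FORWARD rules match only port 53 -> port 53
# datagrams; LAN client queries from ephemeral ports are instead covered
# by the LAN -> WAN NEW rule in the NAT section below.
"$IPTABLES" -A INPUT -p udp --dport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --dport 53 --sport 53 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --sport 53 --dport 53 -i "$LAN" -o "$LAN" -j ACCEPT

# Enable NAT: masquerade everything leaving on WAN, allow LAN to open new
# connections towards WAN, allow only replies back from WAN to LAN.
"$IPTABLES" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
"$IPTABLES" -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable IP forwarding (kernel-level, not persistent across reboots).
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "Firewall creato!"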