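#!/bin/sh
# Host firewall for a single public mail/web/DNS/FTP server on eth0.
#
# The INPUT chain keeps an ACCEPT policy: filtering relies on the explicit
# ACCEPT rules below followed by the catch-all DROP rules at the end, so
# the order in which rules are appended matters.  FORWARD is dropped by
# policy and OUTPUT is unrestricted.
#
# Must run as root; persistence uses the iptables init script
# (`service iptables save|restart|status`).

# Abort on the first failed command or unset variable.  A rule that fails
# to load must not be silently skipped and then persisted by
# `service iptables save`; the previously saved rule set stays in place.
set -eu

SERVER_IP=111.111.111.111   # public address of this host on eth0
ADMIN_IP=222.222.222.222    # only source allowed to reach ssh
IPTABLES=/sbin/iptables

# Default policies (-P), applied when no rule below matches.
# INPUT stays ACCEPT so that the session running this script is not cut
# off while the chain is being rebuilt; the trailing DROP rules provide
# the deny-by-default for inbound UDP and new TCP connections.
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT

# Flush (-F) every existing rule so the chains are rebuilt from scratch.
"$IPTABLES" -F INPUT
"$IPTABLES" -F FORWARD
"$IPTABLES" -F OUTPUT

# Loopback is unrestricted.  Packets on eth0 that belong to a connection
# conntrack already knows are accepted; packets conntrack cannot classify
# (INVALID, e.g. stray non-SYN segments) are dropped here so they never
# fall through to the ACCEPT policy.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP

# Anti-spoofing on the public interface: drop packets that claim to come
# from this host, from the internal network or from loopback.
# NOTE(review): 10.0.0.0/8 and 172.16.0.0/12 are not covered; add them if
# they are not legitimately routed over eth0 -- confirm against the network.
"$IPTABLES" -A INPUT -i eth0 -s "$SERVER_IP"/32 -j DROP
"$IPTABLES" -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
"$IPTABLES" -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

# New TCP connections (--syn) to the public services, in this order:
#   smtp smtps                        mail submission (audited by the MTA)
#   http https                        web
#   pop3 pop3s poppassd imap imaps    mailbox access
#   8443                              Plesk control panel
for svc in smtp smtps http https pop3 pop3s poppassd imap imaps 8443; do
  "$IPTABLES" -A INPUT -p tcp --dport "$svc" --syn -j ACCEPT
done

# SSH is accepted only from the admin host.
"$IPTABLES" -A INPUT -p tcp -s "$ADMIN_IP"/32 -d "$SERVER_IP"/32 --dport ssh --syn -j ACCEPT

# Authoritative DNS answers the public internet (udp and tcp).
"$IPTABLES" -A INPUT -p udp --dport domain -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport domain -j ACCEPT
# NOTE(review): rndc (named control channel) is reachable from any source
# here; loopback is already accepted above, so if rndc is only used
# locally this rule can be removed or restricted to a trusted source.
"$IPTABLES" -A INPUT -p tcp --dport rndc --syn -j ACCEPT

# FTP control channel (see /etc/xinetd.conf for host restrictions).
# Active-mode ftp-data is intentionally left closed.
# "$IPTABLES" -A INPUT -p tcp --dport ftp-data --syn -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport ftp --syn -j ACCEPT
# Passive-mode data connections use the IANA ephemeral port range;
# ProFTPd must be configured to use this same range.
# NOTE(review): if the ftp conntrack helper is loaded, the RELATED rule
# above already admits passive data connections and this range could be
# closed -- confirm before removing.
"$IPTABLES" -A INPUT -p tcp --dport 49152:65534 --syn -j ACCEPT

# Not yet understood; left disabled until their purpose is confirmed.
# "$IPTABLES" -A INPUT -p tcp --dport ipp --syn -j ACCEPT
# "$IPTABLES" -A INPUT -p tcp --dport sunrpc --syn -j ACCEPT

# MySQL.
# NOTE(review): accepted from any source; if remote clients are not
# required, restrict this to the hosts that need it (e.g. -s "$ADMIN_IP"/32)
# or rely on the loopback rule only.
"$IPTABLES" -A INPUT -p tcp --dport mysql --syn -j ACCEPT

# Deny everything else: any UDP and any new TCP connection not matched
# above.  Other protocols (ICMP etc.) still fall through to the ACCEPT
# policy.
"$IPTABLES" -A INPUT -p udp -j DROP
"$IPTABLES" -A INPUT -p tcp --syn -j DROP

# Persist the rule set, reload it from the saved file and report status.
service iptables save
service iptables restart
service iptables status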