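#!/usr/bin/env bash
#
# v0.2 — simple host firewall (IPv4 only).
#
# Policy: inbound and forwarded traffic is dropped by default; loopback,
# SMTP (25) and HTTP (80) are accepted from anywhere; SSH (22) is accepted
# only from the trusted networks listed in trusted_ssh_nets; any other new
# SSH attempt is rate-limit logged and dropped via the LOGDROP chain.
# Outbound traffic is unrestricted.
#
# Caveats a deployer should know:
#  - This configures iptables only. If IPv6 is enabled on the host, its
#    traffic is NOT filtered by this script (ip6tables is untouched).
#  - No ICMP is accepted inbound, so the host will not see
#    destination-unreachable / fragmentation-needed messages; consider
#    allowing ICMP type 3 (and 11) if path-MTU or traceroute problems appear.
#  - Running this over SSH from a network that is not in the trusted list
#    will lock you out. Stage a safety net first (e.g. a timed
#    `iptables -P INPUT ACCEPT`, or an `iptables-restore` of a known-good
#    ruleset), because with `set -e` a failing rule below aborts the script
#    with the DROP policies already in place.
#
# Must run as root.

set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root"

# Resolve the binary before touching any rule, so a missing iptables cannot
# leave a half-applied ruleset (the old `which` result was never checked).
ipt=$(command -v iptables) || die "iptables not found in PATH"
readonly ipt

# Source networks allowed to reach SSH.
# NOTE(review): 213.0.0.0/8 is an entire /8, far broader than any single
# operator's allocation — confirm the intended prefix before relying on it.
trusted_ssh_nets=(
  80.243.211.96/28  # Acceleris
  212.60.32.0/19    # Quickline
  89.236.128.0/18   # Quickline
  83.76.0.0/14      # Swisscom
  188.60.0.0/14     # Swisscom
  213.0.0.0/8       # Orange
  84.72.0.0/14      # Cablecom
)

# --- Reset --------------------------------------------------------------
"$ipt" -F
"$ipt" -X

# Default policies: fail closed for inbound/forwarded traffic while the
# rules below are being added; outbound is unrestricted.
"$ipt" -P INPUT DROP
"$ipt" -P FORWARD DROP
"$ipt" -P OUTPUT ACCEPT

# --- Logging chain for rejected SSH attempts ----------------------------
# Rate-limited LOG (3/s, burst 10) so a scan cannot flood the log, then DROP.
"$ipt" -N LOGDROP
"$ipt" -A LOGDROP -m limit -p tcp --dport 22 --limit 3/s --limit-burst 10 \
  -j LOG --log-prefix "#fw SSH block: "
"$ipt" -A LOGDROP -j DROP

# --- INPUT / OUTPUT rules -----------------------------------------------

# Loopback is always allowed.
"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -A OUTPUT -o lo -j ACCEPT

# Accept packets of connections already allowed. Placed early so the bulk of
# traffic is decided here instead of walking every rule, and so an existing
# admin session keeps working while the remaining rules are added. Every
# packet reaching the rules below is therefore a new (or invalid) one.
"$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block specific bad actors. `-I` inserts at the top of INPUT so the source
# is rejected before any accept rule can match it.
#"$ipt" -I INPUT -s x.x.x.x -j DROP

# Public services: SMTP and HTTP from anywhere.
"$ipt" -A INPUT -p tcp -m multiport --dports 25,80 -j ACCEPT

# SSH only from the trusted networks.
for net in "${trusted_ssh_nets[@]}"; do
  "$ipt" -A INPUT -p tcp -s "$net" --dport 22 -j ACCEPT
done

# Every other new SSH attempt is logged and dropped. The previous version
# built LOGDROP but never jumped to it, so unlisted SSH traffic fell through
# to the default policy and was dropped silently, never logged.
"$ipt" -A INPUT -p tcp --dport 22 -j LOGDROP

# Example of logging one specific dropped rule (variable name fixed: the
# script uses $ipt, not $IPT, which under `set -u` would abort).
#"$ipt" -A INPUT -p icmp -j LOG --log-level 4 --log-prefix '[PING DROP ] '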