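#!/usr/bin/env bash
#
# Replace firewalld with the classic iptables-services unit and install a
# static IPv4 rule set in /etc/sysconfig/iptables.
#
# Must run as root on a systemd host with yum. The rule set is written to a
# temporary file and parsed with `iptables-restore --test` before it replaces
# the live file, and firewalld is only switched off once the rules are in
# place, so a typo or a failed package install cannot leave the host with
# no packet filter at all.
#
# Files touched:
#   /etc/sysconfig/iptables-config   conntrack helper module list
#   /etc/sysconfig/iptables          the rule set (mode 0600)
set -euo pipefail

readonly IPTABLES_CONFIG=/etc/sysconfig/iptables-config
readonly IPTABLES_RULES=/etc/sysconfig/iptables

# Print a diagnostic to stderr and abort the whole script.
die() { printf 'iptables-setup: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must be run as root"

echo
echo "*** Configuring iptables ***"
echo

yum install -y iptables-services || die "yum install iptables-services failed"

# Load the FTP/TFTP connection-tracking helpers so data connections are
# matched by the RELATED rule in the set below.
# NOTE(review): ip_conntrack_* are the pre-2.6.20 module names; current
# kernels ship them as nf_conntrack_ftp / nf_conntrack_tftp. Verify with
# `modinfo` on the target host before relying on the helper being loaded.
sed -i -e 's/^IPTABLES_MODULES=""/IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_tftp"/' \
  -- "$IPTABLES_CONFIG"
# The substitution only matches the packaged default; say so if it did not fire
# instead of silently carrying on with whatever was there.
if ! grep -q '^IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_tftp"' "$IPTABLES_CONFIG"; then
  printf 'iptables-setup: warning: IPTABLES_MODULES in %s was not the empty default; left unchanged\n' \
    "$IPTABLES_CONFIG" >&2
fi

tmp_rules=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$tmp_rules"; }
trap cleanup EXIT

# Review notes on the rule set (rules themselves kept as-is):
#  * `--tcp-flags ACK ACK -j ACCEPT` admits any TCP packet carrying ACK ahead
#    of the per-port DROP rules, so those DROPs (and the INPUT DROP policy)
#    only govern packets without ACK, and connection tracking is bypassed for
#    ACK-bearing packets. ESTABLISHED/RELATED already cover legitimate replies.
#    The rule may exist to keep live sessions (e.g. the SSH session running
#    this script) alive across the conntrack flush caused by the final
#    restart -- confirm that need before removing it.
#  * `--sport 53 --dport 1024:65535` accepts any UDP datagram from source
#    port 53 to any high port; DNS replies are already covered by ESTABLISHED.
#  * `--dport 49152:65534 -j ACCEPT` exposes every listener on an ephemeral
#    TCP port. If it is there for passive FTP, the conntrack helper plus the
#    RELATED rule should make it unnecessary -- confirm what relies on it.
#  * 69/tcp (TFTP is UDP only) and ftp/ftp-data/ftps over UDP do not match
#    real services; drop those two rules once confirmed unused.
#  * The explicit DROP rules for NFS/X11/MySQL/AMI are redundant with the
#    INPUT DROP policy but document intent; harmless.
#  * Only IPv4 is configured; ip6tables keeps whatever the package ships.
#    Check `ip6tables -S INPUT` on the host if IPv6 is enabled.
#
# Quoted delimiter: nothing in the rule set is subject to shell expansion.
cat > "$tmp_rules" <<'EOF'

# Generated by iptables-save v1.3.5 on Mon Jun  9 11:01:52 2008
*nat
:PREROUTING ACCEPT [1:60]
-A PREROUTING -p tcp -m tcp --dport ftps -j REDIRECT --to-ports ftp
:POSTROUTING ACCEPT [4:466]
:OUTPUT ACCEPT [4:466]
COMMIT
# Completed on Mon Jun  9 11:01:52 2008
# Generated by iptables-save v1.3.5 on Mon Jun  9 11:01:52 2008
*mangle
:PREROUTING ACCEPT [26:2130]
:INPUT ACCEPT [26:2130]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3174]
:POSTROUTING ACCEPT [26:3174]
COMMIT
# Completed on Mon Jun  9 11:01:52 2008
# Generated by iptables-save v1.3.5 on Mon Jun  9 11:01:52 2008
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
# Accept traffic from lo
-A INPUT -i lo -j ACCEPT
# Accept traffic from internal interfaces
#-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow ICE ssltcp connection to jitsi-videobridge
-A INPUT -p tcp -m tcp --dport 4443 -j ACCEPT
# Allow connections to our HTTP server
-A INPUT -p tcp -m tcp -m multiport --dports 80,443,10000 -j ACCEPT
# Allow connections to our FTP server 
-A INPUT -p tcp -m tcp -m multiport --dports ftp,ftp-data,ftps -j ACCEPT
# Allow connections to our FTP server 
-A INPUT -p udp -m udp -m multiport --dports ftp,ftp-data,ftps -j ACCEPT
# Allow connections to TFTP ports
-A INPUT -p tcp -m tcp --dport 69 -j ACCEPT
# Allow connections to TFTP ports
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
# Allow connections to SYSLOG ports
#-A INPUT -p udp -m udp --dport 514 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to SIP and IAX signalling ports
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 5060,4569
# Allow connections to RTP ports
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Allow connections to UDPTL ports
-A INPUT -p udp -m udp --dport 4000:4999 -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
# Protect our MySQL server
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
# Protect our Asterisk Management Interface (AMI) port
-A INPUT -p tcp -m tcp --dport 5038 -j DROP
# Allow connections to unprivileged ports
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
COMMIT
# Completed on Mon Jun  9 11:01:52 2008
EOF

# Parse the rule set without committing it; a malformed file would otherwise
# make the iptables unit fail to start after firewalld is already gone.
iptables-restore --test < "$tmp_rules" || die "rule set rejected by iptables-restore --test"

# The file holds the whole firewall policy; keep it root-only like the
# packaged default.
install -m 0600 -o root -g root -- "$tmp_rules" "$IPTABLES_RULES" \
  || die "could not install $IPTABLES_RULES"

systemctl enable iptables || die "could not enable iptables.service"

# Hand over from firewalld only now that the rules are on disk, and load them
# immediately afterwards to keep the unfiltered window as short as possible.
# firewalld may not be installed at all; stop/disable would fail on a missing
# unit, whereas mask works regardless and stops a later install from starting it.
unit_files=$(systemctl list-unit-files --type=service --no-legend 2>/dev/null || true)
if [[ "$unit_files" == *firewalld.service* ]]; then
  systemctl stop    firewalld
  systemctl disable firewalld
fi
systemctl mask firewalld

systemctl restart iptables \
  || die "iptables.service failed to start; inspect 'systemctl status iptables' before leaving this host unfiltered"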