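#!/bin/bash
# @(#)(CAcert) $Id: firewall,v 1.4 2013/12/17 15:31:07 root Exp $
#
# Host firewall for the log server.
#
# Resulting policy:
#   INPUT   - drop everything except conntrack replies, SSH (22/tcp) from the
#             sources listed in /etc/firewall/allowedfrom, and syslog
#             (514/udp, 514/tcp) from anywhere.
#   OUTPUT  - reject (and log) everything except conntrack replies, DNS to the
#             two resolvers below, anything owned by uid 0, and the per-uid
#             destinations listed in /etc/firewall/allowedto (also logged).
#   FORWARD - drop.
#
# Config file formats (one entry per line; blank lines and lines whose first
# word starts with '#' are ignored):
#   allowedto:    <label> <uid> <dest> [<dest> ...]   dests are iptables -d args
#   allowedfrom:  <label> <src>  [<src> ...]          srcs  are iptables -s args
# Fields are passed to iptables as single arguments, so a field cannot inject
# extra options; a malformed field makes that one rule fail (it is reported and
# counted, the rest of the rules are still loaded).  Keep both files owned and
# writable by root only, since they shape the firewall.
#
# NOTE(review): only IPv4 (iptables) is configured here; ip6tables is not
# touched.  Confirm IPv6 is disabled or filtered elsewhere, otherwise the
# outbound restriction can be sidestepped over v6.
# NOTE(review): there is no loopback (-i lo) exception, so a NEW connection
# from a local process to a local service is dropped on INPUT unless it is
# 22/tcp or 514 -- confirm that is intended.
# NOTE(review): the uid-0 bypass on OUTPUT means any root process is
# unrestricted; that is the documented design ("don't be stupid" below).

IP=/usr/sbin/iptables
ALLOWED_TO=/etc/firewall/allowedto
ALLOWED_FROM=/etc/firewall/allowedfrom

# Number of iptables invocations / config lines that failed; reported at exit.
errors=0

# rule ARGS... : run one iptables command, report and count a failure instead
# of aborting, so a single bad line does not stop the remaining rules loading
# (same behaviour as before, but the failure is now visible in the exit code).
rule() {
  if ! "$IP" "$@"; then
    echo "firewall: failed: $IP $*" >&2
    errors=$((errors + 1))
  fi
}

# Fail closed: set the default policies BEFORE (re)building the rules, so a run
# that dies half-way never leaves a table in ACCEPT.  On a reload the policies
# are already DROP from the previous run, so this is no worse for the current
# SSH session than the flush below was.
rule -P INPUT DROP      # DROP everything from the internets
rule -P OUTPUT DROP     # explicit REJECT rule at the end of OUTPUT gives local errors quickly
rule -P FORWARD DROP    # this host does not route

# cleanup: flush rules and remove user chains in every table we touch
rule -F
rule -X
rule -F -t nat
rule -X -t nat
rule -F -t mangle
rule -X -t mangle

# Let conntrack pass replies to traffic that was already accepted.
rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
rule -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow DNS to the site resolvers (udp and tcp, for large answers).
for resolver in 172.28.50.2 172.28.50.3; do
  rule -A OUTPUT -p udp -d "$resolver" --dport 53 -j ACCEPT
  rule -A OUTPUT -p tcp -d "$resolver" --dport 53 -j ACCEPT
done

# root can disable this firewall, so don't be stupid
rule -A OUTPUT -m owner --uid-owner 0 -j ACCEPT

# Per-uid outbound allow list; every accepted packet is logged with the label.
# NOTE: iptables limits --log-prefix to 29 characters, so labels should stay
# short (about 21 chars) or the LOG rule for that entry fails.
if [[ -r "$ALLOWED_TO" ]]; then
  while read -r name uid dests || [[ -n "$name" ]]; do
    [[ -z "$name" || "$name" == '#'* ]] && continue
    if [[ -z "$uid" || -z "$dests" ]]; then
      echo "firewall: $ALLOWED_TO: incomplete entry '$name' skipped" >&2
      errors=$((errors + 1))
      continue
    fi
    # word-splitting of $dests is intentional: one rule pair per destination
    # shellcheck disable=SC2086
    for dest in $dests; do
      rule -A OUTPUT -m owner --uid-owner "$uid" -d "$dest" -j LOG --log-prefix "user:${name} : "
      rule -A OUTPUT -m owner --uid-owner "$uid" -d "$dest" -j ACCEPT
    done
  done < "$ALLOWED_TO"
else
  echo "firewall: cannot read $ALLOWED_TO, no per-user outbound rules loaded" >&2
  errors=$((errors + 1))
fi

# reject all the rest for outgoing
rule -A OUTPUT -j LOG --log-prefix "output: "
rule -A OUTPUT -j REJECT

# who can enter at port 22?
if [[ -r "$ALLOWED_FROM" ]]; then
  while read -r name froms || [[ -n "$name" ]]; do
    [[ -z "$name" || "$name" == '#'* ]] && continue
    if [[ -z "$froms" ]]; then
      echo "firewall: $ALLOWED_FROM: incomplete entry '$name' skipped" >&2
      errors=$((errors + 1))
      continue
    fi
    # word-splitting of $froms is intentional: one rule pair per source
    # shellcheck disable=SC2086
    for from in $froms; do
      rule -A INPUT -p tcp --dport 22 -s "$from" -j LOG --log-prefix "user:${name} : "
      rule -A INPUT -p tcp --dport 22 -s "$from" -j ACCEPT
    done
  done < "$ALLOWED_FROM"
else
  echo "firewall: cannot read $ALLOWED_FROM, no SSH sources allowed" >&2
  errors=$((errors + 1))
fi

# this is the log server we allow some logging (and we don't log that we log)
# NOTE(review): syslog is accepted from any source address; add -s for the
# known senders if that set is fixed.
rule -A INPUT -p udp --dport 514 -j ACCEPT
rule -A INPUT -p tcp --dport 514 -j ACCEPT

if (( errors > 0 )); then
  echo "firewall: $errors rule(s) or config line(s) failed, check the messages above" >&2
  exit 1
fi
exit 0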