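#!/bin/bash
#
# Host firewall for a single-homed machine.
#
# Inbound policy on the external interface is default-deny; accepted are
# loopback, reply traffic of existing connections, a small set of
# ICMP/ICMPv6 types and new SSH connections.  OUTPUT is ACCEPT (outgoing
# connections are not filtered) and FORWARD is DROP.  Both the IPv4 and
# IPv6 rulesets are managed, and the nat/mangle tables are emptied.
#
# Usage: firewall.sh {start|stop|restart}
#
# Environment:
#   EX_IF  name of the external interface (default: enp11s0).  Must exist;
#          see require_interface for why that is checked.
#
# The rulesets are loaded with iptables-restore / ip6tables-restore rather
# than one iptables call per rule.  Each table is replaced in a single
# commit, so there is no window in which the old rules are flushed but the
# new ones are not yet in place (with the old "flush, then add rules, then
# set policy" sequence a re-run of "start" briefly dropped everything,
# including loopback), and a malformed rule is rejected before anything is
# applied instead of leaving a half-loaded ruleset behind.  Rules that
# fail to load are reported and the script exits non-zero.
#
# NOTE(review): ESTABLISHED,RELATED is only accepted on $EX_IF and
# router-advertisement is not accepted at all, so replies arriving on any
# other interface are dropped and the host cannot pick up a default route
# via SLAAC.  Both match the original ruleset; revisit if the host gains
# interfaces or depends on router advertisements.
#
# NOTE(review): the IPv6 nat table needs ip6table_nat (kernel >= 3.7); the
# original script issued "ip6tables -t nat" as well, but ignored its errors.

set -euo pipefail

# The name of the main external interface.  Can be overridden from the
# environment; validated before any DROP-policy ruleset is loaded.
EX_IF="${EX_IF:-enp11s0}"

# Print an error to stderr and exit with status 1.
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

# Print the usage line to stderr and exit with status 2 (the original set
# ERR=1 but never used it, so a bad argument exited 0).
usage() {
  printf 'Usage: %s {start|stop|restart}\n' "${BASH_SOURCE[0]}" >&2
  exit 2
}

# Fail early and clearly instead of after a partial run: every iptables
# operation below needs CAP_NET_ADMIN.
require_root() {
  (( EUID == 0 )) || die "must be run as root"
}

# iptables happily accepts an interface name that does not exist, so a typo
# in EX_IF would load rules that never match under a DROP policy and lock
# every inbound connection out, SSH included.  Refuse to load in that case.
# Globals: EX_IF (read)
require_interface() {
  [[ -e "/sys/class/net/${EX_IF}" ]] || die "interface '${EX_IF}' does not exist"
}

# Print the nat and mangle tables with ACCEPT policies and no rules.  Loaded
# without --noflush, iptables-restore flushes these tables and deletes any
# user-defined chains in them, which is what the old -F/-X calls did.
# Outputs: iptables-restore text on stdout
emit_empty_aux_tables() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Print the "start" filter table for one address family.  Rule order is
# significant and is kept exactly as before: loopback, INVALID drop (all
# interfaces), ESTABLISHED/RELATED, ICMP, then new SSH connections.
# Arguments: $1 - "4" or "6"
# Globals:   EX_IF (read)
# Outputs:   iptables-restore text on stdout
emit_filter_rules() {
  local family=$1
  local icmp icmp_type
  if [[ "$family" == "6" ]]; then
    icmp="icmpv6"
    icmp_type="--icmpv6-type"
  else
    icmp="icmp"
    icmp_type="--icmp-type"
  fi

  # EX_IF is interpolated unquoted into restore syntax; require_interface
  # has confirmed it is a real kernel interface name (no whitespace).
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback traffic.
-A INPUT -i lo -j ACCEPT
# Drop invalid packets on all interfaces.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow packets of established connections and those related to them.
-A INPUT -i ${EX_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings.
-A INPUT -i ${EX_IF} -p ${icmp} ${icmp_type} echo-request -j ACCEPT
-A INPUT -i ${EX_IF} -p ${icmp} ${icmp_type} echo-reply -j ACCEPT
# Allow certain types of ICMP informational packets.
-A INPUT -i ${EX_IF} -p ${icmp} ${icmp_type} destination-unreachable -j ACCEPT
-A INPUT -i ${EX_IF} -p ${icmp} ${icmp_type} time-exceeded -j ACCEPT
-A INPUT -i ${EX_IF} -p ${icmp} ${icmp_type} parameter-problem -j ACCEPT
EOF

  # Path MTU discovery and neighbour discovery are required for IPv6 to
  # work at all on the link.
  if [[ "$family" == "6" ]]; then
    cat <<EOF
-A INPUT -i ${EX_IF} -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -i ${EX_IF} -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -i ${EX_IF} -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
EOF
  fi

  cat <<EOF
# Allow SSH.
-A INPUT -i ${EX_IF} -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the "stop" filter table: ACCEPT policies and no rules, i.e. the
# host is left completely open, exactly as the old stop_firewall did.
# Arguments: $1 - address family (ignored; same table for both)
# Outputs:   iptables-restore text on stdout
emit_open_filter() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Load a complete ruleset (filter + empty nat/mangle) for IPv4 and IPv6.
# Arguments: $1 - name of the function that prints the filter table
#                 (emit_filter_rules or emit_open_filter)
# Returns:   exits via die if either restore fails
load_ruleset() {
  local emit_filter=$1
  local family restore
  for family in 4 6; do
    restore="iptables-restore"
    [[ "$family" == "6" ]] && restore="ip6tables-restore"
    { "$emit_filter" "$family"; emit_empty_aux_tables; } | "$restore" \
      || die "loading the IPv${family} ruleset failed"
  done
}

# Bring the firewall up: default-deny inbound ruleset on both families.
start_firewall() {
  require_root
  require_interface
  load_ruleset emit_filter_rules
}

# Take the firewall down: ACCEPT policies and no rules on both families.
stop_firewall() {
  require_root
  load_ruleset emit_open_filter
}

main() {
  case "${1:-}" in
    start)
      start_firewall
      ;;
    stop)
      stop_firewall
      ;;
    restart)
      # A restore replaces the whole ruleset, so there is no need to pass
      # through the fully open "stop" state first; the end state is the same.
      start_firewall
      ;;
    *)
      usage
      ;;
  esac
}

main "$@"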