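# Build an iptables rule set for a host with an internet link (eth0), a
# private LAN (eth1) and OpenVPN tap interfaces, test it with
# `iptables-restore -t`, and apply it only when the test passes.  Progress
# and the rule file itself are sent to syslog (and echoed to stderr) via
# logger, so that a cron or remote run leaves a record.
#
# Requires root and: mktemp, iptables-save, iptables-restore, sysctl, logger.
# Written for POSIX sh (no arrays, no [[ ]], printf instead of `echo -n`).
#
# Exit status: 0 when the rules were applied, 1 when the rule file failed
# the restore test, otherwise the status of the failing iptables-restore.

# Private work directory (mktemp -d creates it mode 0700) holding the rule
# file and the captured output of the commands we log.  The EXIT trap removes
# it on every exit path, which the original `rm` in each branch did not
# guarantee (e.g. when the script is interrupted).
tmpdir=$(mktemp -d) || exit 1
rulefile="$tmpdir/rules"
readonly tmpdir rulefile
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

#######################################
# Log a message line to syslog and stderr.
# Arguments: the message words
#######################################
log() {
  logger -s -t "$0" "$*"
}

#######################################
# Log every line of a file to syslog and stderr.
# Arguments: $1 - path of the file to log
#######################################
log_file() {
  logger -s -t "$0" < "$1"
}

#######################################
# Run a command with its stdout and stderr captured and logged.
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
run_logged() {
  "$@" > "$tmpdir/output" 2>&1
  run_logged_rc=$?
  log_file "$tmpdir/output"
  return "$run_logged_rc"
}

#######################################
# Append one rule line to the rule file.
# Each argument becomes one space-separated token.  An argument containing
# a space (e.g. a --log-prefix value) is wrapped in double quotes so that
# iptables-restore reads it as a single token.  Embedded quotes/backslashes
# are NOT escaped -- every argument in this script is a literal constant.
# Globals:   rulefile (appended to)
# Arguments: the rule tokens
#######################################
addrule() {
  while [ $# -gt 0 ]; do
    if [ "${1% *}" != "$1" ]; then
      printf '"%s"' "$1"
    else
      printf '%s' "$1"
    fi
    if [ $# -gt 1 ]; then
      printf ' '
    fi
    shift
  done >> "$rulefile"
  printf '\n' >> "$rulefile"
}

addrule "*filter"

# Forward traffic between vpn and local network.
addrule -A FORWARD -i eth1 -o tap+ -j ACCEPT
addrule -A FORWARD -i tap+ -o eth1 -j ACCEPT

# Ensure multicast works over local and vpn interfaces
addrule -A INPUT -i eth1 -s 224.0.0.0/4 -j ACCEPT
addrule -A INPUT -i tap+ -s 224.0.0.0/4 -j ACCEPT

# Permit any traffic on private net
addrule -A INPUT -i eth1 -j ACCEPT
addrule -A INPUT -i tap+ -j ACCEPT
addrule -A INPUT -i lo -j ACCEPT

# Reject private (RFC 1918) and loopback source addresses arriving on the
# internet link -- they can only be spoofed.  The original listed
# 172.16.0.0/20, which covers only 172.16.0.0-172.16.15.255; the RFC 1918
# block is 172.16.0.0/12.
for network in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 127.0.0.0/8; do
  addrule -A INPUT -i eth0 -s "$network" -j DROP
done

# Configure connection tracking for stateful firewalling.  The conntrack
# rule is always added.  Whether it is ALREADY loaded decides the TCP accept
# rules below: only then are new TCP connections limited to SYN packets
# (--syn).  Presumably this avoids cutting off connections that were
# established before conntrack started tracking them -- confirm with the
# script's owner.
CONNTRACK_RULE="-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
readonly CONNTRACK_RULE
# Check existing rules for our conntrack rule.
if iptables-save | grep -q -F -- "$CONNTRACK_RULE"; then
  TCPFLAGS="--syn"
else
  TCPFLAGS=""
fi
# shellcheck disable=SC2086 -- intentional: split the rule string into tokens
addrule $CONNTRACK_RULE

# Allow SNMP.
# NOTE(review): this rule carries no -i or -s restriction.  eth1, tap+ and lo
# are already accepted wholesale above, so its only effect is to open UDP 161
# on eth0 to any source, which also makes the per-address SNMP rules in the
# loop below redundant.  Kept as-is; confirm whether it should be restricted
# to the vendor addresses.
addrule -A INPUT -p udp -m udp --dport 161 -j ACCEPT # SNMP

# Managed hosting access addresses (where our vendors come in from)
for addr in 69.25.104.183 74.201.179.101 67.221.32.32/27; do
  addrule -A INPUT -p udp -m udp -s "$addr" --dport 161 -j ACCEPT # SNMP
  # dell open manage
  addrule -A INPUT -i eth0 -p tcp -m tcp -s "$addr" --dport 1311 -j ACCEPT
done

# ${TCPFLAGS:+"$TCPFLAGS"} expands to no argument at all when TCPFLAGS is
# empty, instead of relying on unquoted word-splitting.
addrule -A INPUT -p icmp -j ACCEPT # ICMP
addrule -A INPUT -p tcp -m tcp --dport 22 ${TCPFLAGS:+"$TCPFLAGS"} -j ACCEPT # SSH
addrule -A INPUT -p tcp -m tcp --dport 80 ${TCPFLAGS:+"$TCPFLAGS"} -j ACCEPT # http
addrule -A INPUT -p tcp -m tcp --dport 443 ${TCPFLAGS:+"$TCPFLAGS"} -j ACCEPT # https
addrule -A INPUT -p udp -m udp --dport 1200 -j ACCEPT # s2svpn (openvpn)
addrule -A INPUT -p tcp -m tcp --dport 1200 -j ACCEPT # s2svpn (openvpn)

# Drop things we know we don't want to log.
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j DROP # ftp
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 23 -j DROP # telnet
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j DROP # smtp
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j DROP # pop3
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 111 -j DROP # rpcbind
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 135 -j DROP # windows dcom?
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 137 -j DROP # netbios
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j DROP # imap
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 445 -j DROP # microsoft-ds
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 465 -j DROP # smtps
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 873 -j DROP # rsync
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 993 -j DROP # imaps
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 995 -j DROP # pop3s
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 1080 -j DROP # socks proxy
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j DROP # mysql
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 3389 -j DROP # rdesktop
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 4949 -j DROP # munin tcp
addrule -A INPUT -i eth0 -p udp -m udp --dport 4949 -j DROP # munin udp
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 5666 -j DROP # NRPE
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 8009 -j DROP # hudson
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 9999 -j DROP # hive HWI
addrule -A INPUT -i eth0 -p tcp -m tcp --dport 11211 -j DROP # memcached

# Log things we are dropping if we get this far in the rules (rate limited
# so a flood cannot fill the log).
addrule -A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level debug
addrule -A INPUT -p udp -m udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level debug
addrule -A INPUT -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level debug

# Default policies: deny inbound and forwarded traffic, allow outbound.
addrule -P INPUT DROP
addrule -P FORWARD DROP
addrule -P OUTPUT ACCEPT
addrule COMMIT

# Dry-run the rule file first; never replace the live rule set with one that
# does not parse.  (The original's failure branch was missing its `echo`, so
# the message text was executed as a command instead of printed.)
if ! run_logged iptables-restore -t "$rulefile"; then
  log "iptables test failed. Rule file:"
  log "---"
  log_file "$rulefile"
  exit 1
fi

log "iptables restore test successful, applying rules..."
log_file "$rulefile"
# Each step is logged individually rather than through one `( ... ) | logger`
# pipeline, so that a failure's exit status is not masked by logger's.
run_logged iptables-restore -v "$rulefile" || exit
# Enlarge the conntrack table.  The legacy key name from the original is kept;
# newer kernels also expose this as net.netfilter.nf_conntrack_max.
run_logged sysctl net.ipv4.netfilter.ip_conntrack_max=1048576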