#!/bin/sh

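# Path of the iptables binary every profile below invokes.
readonly IPTABLES=/sbin/iptables
# Packets per second allowed through the final REJECT rule (see setafter);
# anything above this rate falls through to the DROP policy instead.
readonly LIMIT=3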

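# Tail shared by every profile: append a rate-limited REJECT and then switch
# the INPUT and FORWARD policies to DROP.  Unmatched traffic is answered with
# port-unreachable at most $LIMIT times per second; beyond that it is dropped
# silently by the policy.  OUTPUT is left at whatever policy it already has.
# The POSIX function form is used because the shebang is /bin/sh, where the
# bash-only 'function' keyword is a syntax error.
# Globals:   IPTABLES, LIMIT (read)
setafter() {
	$IPTABLES -A INPUT -m limit --limit "$LIMIT"/sec -j REJECT --reject-with icmp-port-unreachable
	$IPTABLES -P INPUT DROP
	$IPTABLES -P FORWARD DROP
}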

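# Head shared by every profile: flush INPUT and install the base rules
# (drop INVALID, accept ICMP, accept ESTABLISHED, accept loopback).
# Only ESTABLISHED is accepted here, not RELATED; the Asterisk profile adds
# RELATED for the sip helper explicitly.  The chain policy is not changed
# here, so until setafter runs INPUT has only these rules plus whatever
# policy was already in place.
# Globals:   IPTABLES (read)
setbefore() {
	$IPTABLES -F INPUT
	$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
	$IPTABLES -A INPUT -p icmp -j ACCEPT
	$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
	$IPTABLES -A INPUT -i lo -j ACCEPT
}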

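# Fallback profile: base rules, SSH (tcp/22) from anywhere, then the
# REJECT/DROP tail.  Chosen for any menu answer other than 1-5.
# Globals:   IPTABLES (read)
setdefault() {
	setbefore
	$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
	setafter
}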

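# Asterisk (VoIP) profile.  SIP signalling (udp/5060) is accepted only from
# the subnet routed on eth-lan, and the sip conntrack helper is attached in
# the raw table to that subnet->host traffic only, so RELATED media flows
# are admitted through the -m helper rule.  Both raw chains are flushed
# first, which also removes any unrelated raw rules present.
# The subnet and address are derived from 'ip' output; if either cannot be
# found the function returns 1 before touching any iptables chain, instead
# of flushing INPUT and then failing half-way through.
# Globals:   IPTABLES (read); SUBNET, IP (written)
# Returns:   1 when the eth-lan subnet or address cannot be determined
setforasterisk() {
	# Exact selectors/field matches: the previous grep on "dev eth-lan"
	# also matched eth-lan0/eth-lan1, and "^\s*inet" also matched inet6
	# lines, which could place several addresses (or an IPv6 one) in IP.
	# The first matching entry is used.
	SUBNET=$(ip route list table main dev eth-lan scope link | awk '{ print $1; exit }')
	IP=$(ip -4 address show dev eth-lan | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }')
	if [ -z "$SUBNET" ] || [ -z "$IP" ]; then
		printf '%s\n' "setforasterisk: cannot determine the subnet/address of eth-lan; no rules applied" >&2
		return 1
	fi
	setbefore
	$IPTABLES -A INPUT -p udp -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT
	$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
	$IPTABLES -A INPUT -s "$SUBNET" -p udp -m udp --dport 5060 -m comment --comment VoIP -j ACCEPT
	$IPTABLES -t raw -F PREROUTING
	$IPTABLES -t raw -A PREROUTING -s "$SUBNET" -d "$IP" -p udp -m udp --dport 5060 -j CT --helper sip
	$IPTABLES -t raw -F OUTPUT
	$IPTABLES -t raw -A OUTPUT -p udp -m udp --sport 5060 -j CT --helper sip
	setafter
}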

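# Gateway profile: INPUT gets the base rules plus SSH; FORWARD is flushed and
# given the same base rules as INPUT (drop INVALID, accept ICMP, accept
# ESTABLISHED) followed by its own rate-limited REJECT, ahead of the FORWARD
# DROP policy set by setafter.  No nat/masquerade rules are added here.
# Globals:   IPTABLES, LIMIT (read)
setforgw() {
	setbefore
	$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
	$IPTABLES -F FORWARD
	$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP
	$IPTABLES -A FORWARD -p icmp -j ACCEPT
	$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
	$IPTABLES -A FORWARD -m limit --limit "$LIMIT"/sec -j REJECT --reject-with icmp-port-unreachable
	setafter
}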

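# Mail profile: base rules, SSH, SMTP (25, 465, 587) and POP/IMAP
# (110, 143, 993, 995) from anywhere, then the REJECT/DROP tail.
# Globals:   IPTABLES (read)
setformail() {
	setbefore
	$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
	$IPTABLES -A INPUT -p tcp -m multiport --dports 25,465,587 -m comment --comment SMTP -j ACCEPT
	$IPTABLES -A INPUT -p tcp -m multiport --dports 110,143,993,995 -m comment --comment "POP and IMAP" -j ACCEPT
	setafter
}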

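# Web profile: base rules, SSH, HTTP/HTTPS (80, 443) from anywhere, then the
# REJECT/DROP tail.
# Globals:   IPTABLES (read)
setforweb() {
	setbefore
	$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
	$IPTABLES -A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment WEB -j ACCEPT
	setafter
}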

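# 1C server profile: base rules, SSH, the ragent port (1540) from loopback
# only, the REJECT/DROP tail, and a separate 1CSRV chain holding the rmngr
# (1541) and rphost (1560-1591) ports.  Nothing in this script jumps to
# 1CSRV from INPUT, so the chain has no effect until a rule referencing it
# is added; note its rules carry no source restriction of their own.
# Globals:   IPTABLES (read)
setfor1csrv() {
	setbefore
	$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
	$IPTABLES -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 1540 -m comment --comment "1C ragent" -j ACCEPT
	setafter

	# On a re-run '-N' fails because the chain exists and the appends below
	# would then duplicate its rules; flush an existing chain instead.
	if $IPTABLES -n -L 1CSRV >/dev/null 2>&1; then
		$IPTABLES -F 1CSRV
	else
		$IPTABLES -N 1CSRV
	fi
	$IPTABLES -A 1CSRV -p tcp --dport 1541 -m comment --comment "1C rmngr" -j ACCEPT
	$IPTABLES -A 1CSRV -p tcp --dport 1560:1591 -m comment --comment "1C rphost" -j ACCEPT
}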

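# Entry point: print the profile menu, read one answer and apply the
# matching profile.  Any answer other than 1-5 selects the SSH-only profile.
# Bail out early if the iptables binary is unusable, since every profile
# needs it.
if [ ! -x "$IPTABLES" ]; then
	printf '%s\n' "$IPTABLES is missing or not executable" >&2
	exit 1
fi

printf '%s\n' "This script will initialize the firewall."
printf '%s\n' "Types of server:"
printf '\t%s\n' "1) Web (80, 443)"
printf '\t%s\n' "2) Mail (25,110,143,465,993,995)"
printf '\t%s\n' "3) Gw"
printf '\t%s\n' "4) Asterisk"
printf '\t%s\n' "5) 1CSrv (new chain 1CSRV)"
printf '\t%s\n' "*) Only SSH"
# 'read -p' and an implicit REPLY are bash extensions; under /bin/sh print
# the prompt separately and name the variable.
printf '%s' "Select the type of server: "
read -r REPLY

case "$REPLY" in
	1) setforweb ;;
	2) setformail ;;
	3) setforgw ;;
	4) setforasterisk ;;
	5) setfor1csrv ;;
	*) setdefault ;;
esac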

