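#!/bin/bash
#
# Host firewall for a Docker Swarm node (IPv4 + IPv6).
#
# Order of operations matters: allow rules are installed first and the
# default policies are switched to DROP only at the very end, so an SSH
# session used to run this script is never cut off part-way through.
# INPUT rules use -I, so the rule inserted LAST is evaluated FIRST; the
# resulting evaluation order is: loopback, established/related, syn-flood
# drop, null-packet drop, icmp/icmpv6 accept, invalid drop, then the
# appended service rules (swarm, ssh, wireguard).
#
# Every rule goes through add_rule, which skips rules that already exist,
# so re-running the script does not stack duplicate rules.
#
# Interfaces (adjust to the host):
#   PRIVATE_IF - cross-server network, swarm ports are open only here
#   PUBLIC_IF  - public interface, docker-published private ports are blocked
#
# Requires: root, iptables/ip6tables with conntrack support.

set -euo pipefail

readonly PRIVATE_IF=ens10
readonly PUBLIC_IF=eth0
# Docker-published ports of private services that must not be reachable
# from the public interface.
readonly DOCKER_PRIVATE_PORTS=5000,7050,9050,2112,4242,10113,15244,43110
# ICMPv6 types a host must accept for IPv6 to keep working behind a DROP
# policy: 1 destination-unreachable, 2 packet-too-big (PMTUD), 3 time-exceeded,
# 4 parameter-problem, 128 echo-request, 130 MLD query, 134 router
# advertisement, 135/136 neighbour solicitation/advertisement. Without these
# neighbour discovery is dropped and the host loses IPv6 connectivity.
readonly ICMPV6_ALLOWED_TYPES=(1 2 3 4 128 130 134 135 136)

#######################################
# Add a rule unless an identical rule is already present in the chain.
# Arguments: $1 - iptables | ip6tables
#            $2 - -I (insert) | -A (append)
#            $3 - chain name
#            $4 - optional numeric insert position (only with -I)
#            remaining - the rule specification
# Returns:   0 if the rule exists or was added; the tool's status otherwise
#######################################
add_rule() {
  local tool=$1 action=$2 chain=$3
  shift 3
  local -a position=()
  # "-I CHAIN N ..." carries a position; -C does not accept one, strip it.
  if [[ "$action" == "-I" && $# -gt 0 && "$1" =~ ^[0-9]+$ ]]; then
    position=("$1")
    shift
  fi
  # -w waits for the xtables lock instead of failing while dockerd holds it.
  if "$tool" -w -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$tool" -w "$action" "$chain" ${position[@]+"${position[@]}"} "$@"
}

#######################################
# Add the same rule to both iptables and ip6tables.
# Arguments: same as add_rule, without the tool name
# Returns:   non-zero if either tool fails (aborts under set -e)
#######################################
add_rule_both() {
  add_rule iptables "$@"
  add_rule ip6tables "$@"
}

# INPUT Chain (incoming ports)

# All packet verification
add_rule_both -I INPUT -m conntrack --ctstate INVALID -j DROP # Drop invalid packets
add_rule iptables -I INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT # Allow echo-request (ping) only
for icmpv6_type in "${ICMPV6_ALLOWED_TYPES[@]}"; do
  add_rule ip6tables -I INPUT -p ipv6-icmp --icmpv6-type "$icmpv6_type" -j ACCEPT # Neighbour discovery, PMTUD, ping
done
add_rule_both -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
add_rule_both -I INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP # Block syn floods

# Cross-server free networking (swarm management, gossip and overlay ports)
add_rule_both -A INPUT -m multiport -p tcp --dports 7946,2377 -i "$PRIVATE_IF" -j ACCEPT
add_rule_both -A INPUT -m multiport -p udp --dports 7946,4789 -i "$PRIVATE_IF" -j ACCEPT

# Allow forwarding of existing connections
add_rule_both -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Services
add_rule_both -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
add_rule_both -A INPUT -p udp --dport 51820 -j ACCEPT # WireGuard

# Private services on docker
# DOCKER-USER exists only once dockerd has created its chains; warn and skip
# rather than abort the whole firewall (the policies below must still apply).
if iptables -w -n -L DOCKER-USER >/dev/null 2>&1; then
  # Docker terminates DOCKER-USER with a RETURN rule, so the drop must be
  # inserted (-I); appended (-A) it would sit after the RETURN and never run.
  # NOTE(review): DOCKER-USER is evaluated after DNAT, so --dports matches the
  # container-side port. If the published host ports differ from the container
  # ports, match with -m conntrack --ctorigdstport instead — confirm.
  add_rule iptables -I DOCKER-USER -i "$PUBLIC_IF" -p tcp -m multiport --dports "$DOCKER_PRIVATE_PORTS" -j DROP
else
  printf 'warn: DOCKER-USER chain not found, docker port restrictions skipped\n' >&2
fi
# No IPv6 docker rules are available (no ip6tables DOCKER-USER rule).

# Special Rules
add_rule_both -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep existing connections open
add_rule_both -I INPUT 1 -i lo -j ACCEPT # Loopback connections

# DEFAULT RULES
# Apply at end, first set whitelisted connections
iptables -w -P INPUT DROP
ip6tables -w -P INPUT DROP
iptables -w -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration
ip6tables -w -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration
iptables -w -P OUTPUT ACCEPT # Allow all outbound connections
ip6tables -w -P OUTPUT ACCEPT # Allow all outbound connections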