#!/bin/sh

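# Set to 1 by ipt4/ipt6 when any iptables call fails; reset by start()/stop().
# The script runs without 'set -e', so this is how a rule that did not load
# (missing kernel module, bad argument) reaches the exit status instead of
# being hidden behind a trailing "done".
RULES_FAILED=0

# Upper bound on parallel TCP connections from one client address to the
# connection-limited services (HTTP, WebSocket, IEC104).
MAX_CONN_PER_SRC=50

#######################################
# ipt4 ARGS... / ipt6 ARGS...
# Run iptables / ip6tables with ARGS, recording failure in RULES_FAILED.
# Absolute paths: an init script must not depend on the caller's PATH.
#######################################
ipt4() {
    /usr/sbin/iptables "$@" || RULES_FAILED=1
}

ipt6() {
    /usr/sbin/ip6tables "$@" || RULES_FAILED=1
}

#######################################
# allow_in PREFIX MATCH...
# Log and then accept a NEW inbound IPv4 connection matching MATCH... (an
# iptables match expression such as '-i eth0 -s ... -p tcp --dport 22').
# Both rules carry the identical match, so the log line tagged "PREFIX "
# describes exactly what the ACCEPT admits.
# NOTE(review): LOG here is not rate-limited.  For the rules open to any
# source (HTTP, WebSocket) every new connection costs one kernel log line;
# add '-m limit' to those if log volume matters.
#######################################
allow_in() {
    log_prefix=$1
    shift
    ipt4 -t filter -A INPUT "$@" -m conntrack --ctstate NEW -j LOG --log-level info --log-prefix "${log_prefix} "
    ipt4 -t filter -A INPUT "$@" -m conntrack --ctstate NEW -j ACCEPT
}

#######################################
# limit_conns MATCH...
# Drop a new connection matching MATCH... (must include '-p tcp --syn') once
# the client address already holds more than MAX_CONN_PER_SRC of them.
#######################################
limit_conns() {
    ipt4 -t filter -A INPUT "$@" -m connlimit --connlimit-above "$MAX_CONN_PER_SRC" -j DROP
}

#######################################
# finish
# Complete the "Configure iptables:... " status line and return 0 if every
# rule applied, 1 otherwise.
#######################################
finish() {
    if [ "$RULES_FAILED" -eq 0 ]; then
        /bin/echo "done"
    else
        /bin/echo "failed"
    fi
    return "$RULES_FAILED"
}

#######################################
# start
# Install the ruleset: IPv4 INPUT is default-deny with explicit holes for
# loopback, ping, established flows and the services listed below; IPv6 is
# dropped in every direction except loopback.  IPv4 FORWARD and OUTPUT stay
# ACCEPT.  Returns 0 when every rule was installed, 1 otherwise.
# /bin/echo (the binary, not the builtin) is kept as in the original,
# presumably so '-n' behaves the same whatever /bin/sh is.
#######################################
start() {
    /bin/echo -n "Configure iptables:start ... "
    RULES_FAILED=0

    # Policies first, flush second.  The old order flushed before setting
    # INPUT to DROP, which (after stop(), or on a host whose policy was
    # ACCEPT) briefly exposed every port with no rules at all.  With DROP in
    # place first, the flush only costs a few dropped packets on existing
    # flows until their rule is restored below.
    ipt4 -t filter -P INPUT DROP
    ipt4 -t filter -P FORWARD ACCEPT
    ipt4 -t filter -P OUTPUT ACCEPT
    ipt4 -t nat -P OUTPUT ACCEPT
    ipt4 -t nat -P PREROUTING ACCEPT
    ipt4 -t nat -P POSTROUTING ACCEPT
    ipt4 -t mangle -P PREROUTING ACCEPT
    ipt4 -t mangle -P POSTROUTING ACCEPT

    # IPv6: nothing in, out or through except loopback (added below).
    ipt6 -t filter -P INPUT DROP
    ipt6 -t filter -P FORWARD DROP
    ipt6 -t filter -P OUTPUT DROP

    # Remove any old rules and user-defined chains
    ipt4 -t filter -F
    ipt4 -t nat -F
    ipt4 -t mangle -F
    ipt4 -t filter -X
    ipt4 -t nat -X
    ipt4 -t mangle -X

    ipt6 -t filter -F
    ipt6 -t mangle -F
    ipt6 -t filter -X
    ipt6 -t mangle -X

    # Unrestricted loopback interface IPv4 and IPv6
    ipt4 -t filter -A INPUT -i lo -j ACCEPT
    ipt6 -t filter -A INPUT -i lo -j ACCEPT
    ipt6 -t filter -A OUTPUT -o lo -j ACCEPT

    # Allow ping (echo-request only; replies to this host's own pings come
    # back as ESTABLISHED via the rule below)
    ipt4 -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Allow sessions already established
    ipt4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # SSH from the eth0 and eth2 LANs to this host's address on each.
    # '--sport 1024:65535' only filters out clients using a privileged source
    # port; the client picks its own source port, so it is not a security
    # boundary -- the -i/-s/-d triple is.
    allow_in SSH -i eth0 -s 192.168.0.0/24 -d 192.168.0.69 -p tcp --dport 22 --sport 1024:65535
    allow_in SSH -i eth2 -s 192.168.2.0/24 -d 192.168.2.69 -p tcp --dport 22 --sport 1024:65535

    # DNS and NTP served to each LAN, on that LAN's own address only
    allow_in DNS -i eth0 -s 192.168.0.0/24 -d 192.168.0.69 -p udp --dport 53
    allow_in NTP -i eth0 -s 192.168.0.0/24 -d 192.168.0.69 -p udp --dport 123
    allow_in DNS -i eth1 -s 192.168.1.0/24 -d 192.168.1.111 -p udp --dport 53
    allow_in NTP -i eth1 -s 192.168.1.0/24 -d 192.168.1.111 -p udp --dport 123
    allow_in DNS -i eth2 -s 192.168.2.0/24 -d 192.168.2.69 -p udp --dport 53
    allow_in NTP -i eth2 -s 192.168.2.0/24 -d 192.168.2.69 -p udp --dport 123
    allow_in DNS -i eth3 -s 172.16.1.0/24 -d 172.16.1.2 -p udp --dport 53
    allow_in NTP -i eth3 -s 172.16.1.0/24 -d 172.16.1.2 -p udp --dport 123

    # HTTP and WebSocket from any interface and any source, each capped at
    # MAX_CONN_PER_SRC parallel connections per client address.  The limit
    # rule must precede the ACCEPT, or the SYN is accepted before it is seen.
    limit_conns -p tcp --syn --dport 80
    allow_in HTTP -p tcp --dport 80 --sport 1024:65535
    limit_conns -p tcp --syn --dport 90
    allow_in WebSocket -p tcp --dport 90 --sport 1024:65535

    # IEC 60870-5-104 (port 2404): the connection limit covers the whole
    # interface, but only the named peer addresses are accepted.
    limit_conns -i eth0 -p tcp --syn --dport 2404
    allow_in IEC104 -i eth0 -s 192.168.0.25 -d 192.168.0.69 -p tcp --dport 2404 --sport 1024:65535
    limit_conns -i eth2 -p tcp --syn --dport 2404
    allow_in IEC104 -i eth2 -s 192.168.2.1 -d 192.168.2.69 -p tcp --dport 2404 --sport 1024:65535
    allow_in IEC104 -i eth2 -s 192.168.2.2 -d 192.168.2.69 -p tcp --dport 2404 --sport 1024:65535

    # NOTE(review): FORWARD is ACCEPT and nothing above filters it, so if
    # ip_forward is enabled this host routes freely between eth0..eth3.
    # Acceptable only if routing is disabled or filtered elsewhere -- confirm.

    finish
}

#######################################
# stop
# Remove every rule and chain and set all policies to ACCEPT: after this the
# host accepts all IPv4 and IPv6 traffic.  Returns 0 on success, 1 if any
# call failed.
#######################################
stop() {
    /bin/echo -n "Configure iptables:stop ... "
    RULES_FAILED=0

    ipt4 -t filter -F
    ipt4 -t nat -F
    ipt4 -t mangle -F
    ipt4 -t filter -X
    ipt4 -t nat -X
    ipt4 -t mangle -X

    ipt4 -t filter -P INPUT ACCEPT
    ipt4 -t filter -P FORWARD ACCEPT
    ipt4 -t filter -P OUTPUT ACCEPT
    ipt4 -t nat -P OUTPUT ACCEPT
    ipt4 -t nat -P PREROUTING ACCEPT
    ipt4 -t nat -P POSTROUTING ACCEPT
    ipt4 -t mangle -P PREROUTING ACCEPT
    ipt4 -t mangle -P POSTROUTING ACCEPT

    ipt6 -t filter -F
    ipt6 -t mangle -F
    ipt6 -t filter -X
    ipt6 -t mangle -X

    ipt6 -t filter -P INPUT ACCEPT
    ipt6 -t filter -P FORWARD ACCEPT
    ipt6 -t filter -P OUTPUT ACCEPT

    finish
}

#######################################
# restart
# stop, then start.  Both steps always run; the return status is non-zero
# if either of them reported a failed iptables call.
#######################################
restart() {
    stop
    stop_rc=$?
    start
    start_rc=$?
    [ "$stop_rc" -eq 0 ] && [ "$start_rc" -eq 0 ]
}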

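# Entry point: one action name on the command line, as an init script expects.
# "reload" is accepted as an alias of "restart".  The exit status is that of
# the action that ran, so the caller can tell a partially applied ruleset
# from a clean one.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload)
    restart
    ;;
  *)
    # The original used bash's $"..." locale-translation form; under a
    # non-bash /bin/sh such as dash that prints a literal '$' in front of
    # the message.  printf '%s' also keeps an unusual $0 from ever being
    # read as a format string, and usage is a diagnostic, so it goes to stderr.
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac

exit $?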
