#!/bin/bash
### BEGIN INIT INFO
# Provides:          ubuntu_ce_firewall
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: firewall
# Description:       Start, stop or reload firewall.
### END INIT INFO

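# Abort on the first failing command. In "start" the INPUT policy is set to
# DROP before the accept rules are appended, so a failure after that point
# leaves the host closed (including to new SSH sessions) rather than open.
set -e

# NOTE(review): this script only programs iptables (IPv4). Nothing here
# touches ip6tables, so IPv6 traffic is not filtered by it.
case "$1" in
  start)
    echo -e "\nStarting Ubuntu CE firewall .....\n"

    # Start from a clean slate: flush rules and delete user-defined chains
    # in the filter, nat and mangle tables.
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    # Forwarded and outbound traffic is not filtered.
    # NOTE(review): FORWARD ACCEPT only matters if IP forwarding is enabled
    # on this host; confirm that is intended.
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # Transparent redirect: outbound TCP/80 from every non-root user that is
    # not already going to 127.0.0.1 is sent to local port 8080, and traffic
    # leaving via lo for port 8080 is source-NATed to 127.0.0.1.
    # Presumably a local proxy or content filter listens on 8080 -- confirm.
    # Root-owned processes are exempt from the redirect.
    iptables -A POSTROUTING -t nat -o lo -p tcp --dport 8080 -j SNAT --to 127.0.0.1
    iptables -A OUTPUT -t nat ! -d 127.0.0.1 -p tcp --dport 80 -m owner ! --uid-owner root -j REDIRECT --to-ports 8080

    # Default-deny inbound, then allow loopback and replies to connections
    # this host already knows about.
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    ## Open ports for ssh server (22), web server (80) and mail server (25)
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

    ## Open NetBIOS/SMB file-sharing ports (137-139, 445), TCP and UDP.
    # NOTE(review): these rules have no source match, so file sharing is
    # reachable from any network this host is attached to. If it is only
    # meant for a local network, add a "-s <trusted subnet>" match to each.
    iptables -A INPUT -p tcp --dport 137 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p udp --dport 137 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 138 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p udp --dport 138 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p udp --dport 139 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p udp --dport 445 -m state --state NEW -j ACCEPT

    ## Uncomment below to open the NFS ports; edit the port numbers
    ## according to the actual setting on this host.
    #iptables -A INPUT -p tcp --dport 111 -m state --state NEW -j ACCEPT
    #iptables -A INPUT -p udp --dport 111 -m state --state NEW -j ACCEPT
    #iptables -A INPUT -p tcp --dport 2049 -m state --state NEW -j ACCEPT
    #iptables -A INPUT -p udp --dport 2049 -m state --state NEW -j ACCEPT
    #iptables -A INPUT -p tcp --dport 32771 -m state --state NEW -j ACCEPT
    #iptables -A INPUT -p udp --dport 32771 -m state --state NEW -j ACCEPT
    ## Open ports for NFS end

    # Accept ping requests. The rule has no --icmp-type match, so it accepts
    # every ICMP type, not only echo-request.
    iptables -A INPUT -p icmp -j ACCEPT

    # Drop other packets, logging, and closing firewall.
    # Destinations whose last octet is 255 (the 0.0.0.255 mask compares only
    # that octet) and the all-hosts multicast address are dropped silently,
    # before the LOG rule, so they do not reach the log.
    iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
    iptables -A INPUT -d 224.0.0.1 -j DROP
    # NOTE(review): every remaining packet is logged with no rate limit, so
    # a scan or flood can fill the system log. Consider a "-m limit" match
    # and a --log-prefix on this rule.
    iptables -A INPUT -j LOG
    # Anything not accepted above is actively rejected; the DROP policy set
    # earlier remains as the backstop.
    iptables -A INPUT -j REJECT
    ;;

  stop)
    echo -e "\nFlushing firewall and setting default policies to ACCEPT\n"
    # "stop" removes all filtering: every table is flushed and every default
    # policy is ACCEPT, so the host is fully open afterwards.
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    ;;

  status)
    # Lists the filter table only; the nat rules added by "start" are not
    # shown here (use "iptables -t nat -L" to see them).
    iptables -L
    ;;

  restart|force-reload)
    # Quote $0 so a script path containing spaces or glob characters is not
    # word-split. Between the two calls the host is unfiltered; under set -e
    # a failing "stop" aborts before "start" runs.
    "$0" stop
    "$0" start
    ;;

  *)
    # Unknown or missing action: print usage on stderr and fail.
    echo "Usage: /etc/init.d/ubuntu_ce_firewall {start|stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac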
