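#!/bin/bash
#
# Build the iptables ruleset for a client (workstation) host and persist it.
#
# Expects, next to this script:
#   ipt-conf.sh      - sets IPT (iptables command) and PUB_IF (public interface)
#   ipt-firewall.sh  - defines ipt_clear, ipt_tables, ipt_log and the user
#                      chains referenced below (blocker, cli_*_in/out, srv_*)
# Must run as root. Result is written to /etc/iptables/client.v4.

# Abort on the first failing command: a half-applied ruleset must never be
# saved as the persistent one. Helpers that deliberately tolerate a failure
# (e.g. flushing a chain that may not exist) have to guard it with `|| true`.
set -e -o pipefail

printf '%s\n' "setting client network..."

# Resolve the helper files relative to this script rather than the caller's
# cwd, so the script works when invoked from anywhere (rc scripts, cron).
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=ipt-conf.sh
source "${script_dir}/ipt-conf.sh"
# shellcheck source=ipt-firewall.sh
source "${script_dir}/ipt-firewall.sh"

# Fail early with a clear message instead of appending rules to "" or "-A".
: "${IPT:?ipt-conf.sh must set IPT}"
: "${PUB_IF:?ipt-conf.sh must set PUB_IF}"

# NOTE(review): IPT is intentionally left unquoted below to keep the existing
# contract with ipt-conf.sh, which may hold more than a bare path; confirm and
# quote it if it is always a single executable.

ipt_clear
ipt_tables

# Unlimited on loopback (only genuine 127/8 traffic, never spoofed sources)
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

####### Input Chain ######
# Blocklist is consulted first so nothing below can override it.
$IPT -A INPUT -j blocker

# Per-service chains on the public interface, evaluated in this order.
input_chains=(
  cli_dns_in cli_http_in cli_https_in cli_git_in cli_ssh_in
  srv_icmp srv_ntp
  cli_pops_in cli_smtps_in cli_irc_in cli_ftp_in cli_gpg_in
)
for chain in "${input_chains[@]}"; do
  $IPT -A INPUT -i "${PUB_IF}" -j "${chain}"
done

# Silently discard RIP routing announcements (udp/520) from the public side.
$IPT -A INPUT -i "${PUB_IF}" -p udp --sport 520 --dport 520 -j DROP

# Replies to our own unprivileged-port connections.
$IPT -A INPUT -p tcp --dport 1024:65535 --sport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp --dport 1024:65535 --sport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all established and related
# (superset of the two rules above: source port 1:65535 covers 1024:65535;
#  kept in the original order so the saved ruleset matches the previous one)
$IPT -A INPUT -p tcp --dport 1024:65535 --sport 1:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp --dport 1024:65535 --sport 1:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# All ICMP types are accepted here; srv_icmp above only sees PUB_IF traffic.
$IPT -A INPUT -p icmp -j ACCEPT

####### Output Chain ######
$IPT -A OUTPUT -j blocker

# Per-service chains on the public interface, evaluated in this order.
# The original listed cli_git_out twice; the duplicate was dropped because a
# repeated -A rule has no filtering effect. There is no cli_http_out here
# although cli_http_in exists above -- TODO confirm whether that is intended.
output_chains=(
  cli_dns_out cli_https_out cli_ssh_out cli_git_out
  srv_icmp srv_ntp
  cli_pops_out cli_smtps_out cli_irc_out cli_ftp_out cli_gpg_out
)
for chain in "${output_chains[@]}"; do
  $IPT -A OUTPUT -o "${PUB_IF}" -j "${chain}"
done

# Unprivileged-port to unprivileged-port, stateless.
$IPT -A OUTPUT -o "${PUB_IF}" -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
$IPT -A OUTPUT -o "${PUB_IF}" -p udp --sport 1024:65535 --dport 1024:65535 -j ACCEPT

# allow all out (make nmap and others happy)
# (any destination port from an unprivileged source port; this makes the two
#  rules above redundant and means egress is effectively unrestricted)
$IPT -A OUTPUT -o "${PUB_IF}" -p udp --sport 1024:65535 --dport 1:65535 -j ACCEPT
$IPT -A OUTPUT -o "${PUB_IF}" -p tcp --sport 1024:65535 --dport 1:65535 -j ACCEPT
$IPT -A OUTPUT -p icmp -j ACCEPT

## log everything else and drop
ipt_log

# Persist the ruleset (path used by iptables-persistent for IPv4).
iptables-save > /etc/iptables/client.v4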