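#!/bin/sh
#
# Starts firewall
#
# Rebuilds the IPv4 filter table from scratch on every run: flushes the
# current rules, appends the static allow rules below, appends the
# site-specific rules from /etc/network/firewall.rules, and finishes with
# a catch-all DROP on INPUT. The result is persisted with iptables-save.
# The shebang is /bin/sh (frequently dash), so only POSIX constructs are
# used here - a bash-only expansion aborts the script under dash.
#
# Flush existing rules
iptables -F
iptables -X
#
# Accept all on localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept ssh, scp
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# accept DNS
#
# NOTE(review): this matches only on the peer's *source* port, which the
# peer chooses, so it admits inbound TCP to any local port from a sender
# using port 53. DNS replies are already admitted by the
# ESTABLISHED,RELATED rule below; consider removing this rule.
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
#
# Enable connection tracking (required for ssh and ftp)
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Explicitly enable ICMP ping incoming and outgoing
#
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#
# Explicitly disallow R-Engine, R-Ui
#
iptables -A INPUT -p tcp --dport 25000 -j DROP
iptables -A INPUT -p tcp --dport 25001 -j DROP
#
# Enable FTP client
#
# NOTE(review): the first rule matches on the peer's source port (20),
# the second admits new TCP connections to every local port 1025-65535,
# so unprivileged listeners stay reachable despite the final DROP. With
# the kernel FTP connection-tracking helper loaded, the RELATED rule
# above typically covers active-mode data connections without these.
iptables -A INPUT -p tcp --sport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 1025:65535 -j ACCEPT
#
# Handle VNC, Modbus and other dynamic rules
#
# One iptables argument list per line; blank lines and lines starting
# with '#' are skipped. The comment test used to be ${str:0:1}, a bash
# substring expansion that is a fatal "Bad substitution" under dash, so
# whenever the rules file existed the script died here and the final
# DROP below was never installed. The case statement is POSIX, and an
# empty line no longer produces a malformed test expression.
_input=/etc/network/firewall.rules
if test -f "$_input"
then
  # The || clause processes a last line that lacks a trailing newline.
  while IFS= read -r str || [ -n "$str" ]
  do
    case "$str" in
      ''|\#*)
        ;;
      *)
        # Word-splitting is intentional: each line is an argument list.
        # shellcheck disable=SC2086
        iptables $str
        ;;
    esac
  done <"$_input"
fi
#
# Everything not permitted is denied
#
iptables -A INPUT -j DROP
#iptables -A INPUT -j ACCEPT
# Persist the active rule set and leave a marker that this script ran.
# Note: the marker is written even if an iptables command above failed,
# so its presence means "script completed", not "every rule loaded".
iptables-save > /etc/iptables.conf
echo "" > /etc/network/firewall-is-on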
