#!/bin/bash

### BEGIN INIT INFO
# Provides:          dtc-xen-firewall
# Required-Start:    $all
# Required-Stop:
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: A small firewall script for your dom0
# Description:       If running in a production environment, you might want
#                    to have a basic firewall running on your dom0 to avoid
#                    DoS attacks. This is not state-of-the-art, but just
#                    another attempt to make things run a bit more smoothly.
### END INIT INFO

# Absolute path to the iptables binary; every rule in this script goes through it.
IPTABLES='/sbin/iptables'


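flush-input-chain () {
	# Empty the INPUT-hooked chain without deleting it or its jump from INPUT.
	# The chain created by create-dtc-xen-forward-chain is named dtc-xen-in;
	# nothing in this script creates a chain called dtc-xen-input, so flushing
	# that name could only ever fail.
	${IPTABLES} -F dtc-xen-in
}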

create-dtc-xen-forward-chain () {
	# Make sure both dtc-xen chains exist and are hooked into the built-in
	# chains: dtc-xen-in at the head of INPUT, dtc-xen-fw at the head of
	# FORWARD. "--new-chain" fails when the chain is already there, so the
	# jump rule is only inserted on first creation and is never duplicated.
	local spec chain parent
	for spec in dtc-xen-in:INPUT dtc-xen-fw:FORWARD; do
		chain=${spec%%:*}
		parent=${spec#*:}
		if ${IPTABLES} --new-chain "${chain}" ; then
			${IPTABLES} -I "${parent}" -j "${chain}"
		fi
	done
	# Whether freshly created or pre-existing, start from empty chains.
	${IPTABLES} -F dtc-xen-fw
	${IPTABLES} -F dtc-xen-in
}

accept-localhost-traffic () {
	# Anything arriving on the loopback interface is accepted unconditionally.
	local -a rule=(-A dtc-xen-in -i lo -j ACCEPT)
	${IPTABLES} "${rule[@]}"
}

port25-reject () {
	# Refuse inbound SMTP (TCP/25) to the dom0. REJECT answers the sender
	# (ICMP port-unreachable by default) instead of silently dropping.
	local -a rule=(-A dtc-xen-in -p tcp --dport 25 -j REJECT)
	${IPTABLES} "${rule[@]}"
}

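limit-ssh-login-rate () {
	# Anti-DoS for SSH: record every new TCP/22 connection per source address
	# and REJECT further ones once an address reaches $hitcount new
	# connections within the last $seconds seconds. Keep the threshold
	# moderate: scp sessions open new connections too and would trip a
	# stricter limit.
	# Arguments (all optional, defaults reproduce the previous fixed rules):
	#   $1 - hit count before rejecting (default 10)
	#   $2 - window in seconds (default 300)
	#   $3 - ingress interface (default eth0)
	local hitcount=${1:-10}
	local seconds=${2:-300}
	local iface=${3:-eth0}
	# A named recent list keeps this counter separate from any other rule
	# that uses "-m recent" without --name (those all share the DEFAULT list).
	local -a match=(-p tcp --dport 22 -i "${iface}" -m state --state NEW -m recent --name dtc-xen-ssh)
	${IPTABLES} -A dtc-xen-in "${match[@]}" --set
	${IPTABLES} -A dtc-xen-in "${match[@]}" --update --seconds "${seconds}" --hitcount "${hitcount}" -j REJECT
}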

ping-flood-protect () {
	# Rate-limit ICMP echo requests and drop whatever exceeds the limit.
	# dom0 (dtc-xen-in) gets 5/s; forwarded domU traffic (dtc-xen-fw) gets
	# 50/s, the budget the author considered ample for about 20 VPS.
	# "-m limit" without --limit-burst uses the module's default burst.
	local spec chain rate
	for spec in dtc-xen-in:5/s dtc-xen-fw:50/s; do
		chain=${spec%%:*}
		rate=${spec#*:}
		${IPTABLES} -A "${chain}" -p icmp --icmp-type echo-request -m limit --limit "${rate}" -j ACCEPT
		${IPTABLES} -A "${chain}" -p icmp --icmp-type echo-request -j DROP
	done
}
syn-flood-protect () {
	# Rate-limit TCP connection attempts (packets with only SYN set) per
	# chain: within the limit the packet is ACCEPTed, above it DROPped.
	# dom0 (dtc-xen-in) allows 10/s, forwarded domU traffic (dtc-xen-fw) 100/s.
	# NOTE(review): ACCEPT in a user chain ends filter processing for that
	# packet, and dtc-xen-in is inserted at the head of INPUT, so rules later
	# in INPUT never see SYNs that pass this limit — confirm that is intended
	# before relying on additional INPUT rules for port filtering.
	local spec chain rate
	for spec in dtc-xen-in:10/s dtc-xen-fw:100/s; do
		chain=${spec%%:*}
		rate=${spec#*:}
		${IPTABLES} -A "${chain}" -p tcp --syn -m limit --limit "${rate}" -j ACCEPT
		${IPTABLES} -A "${chain}" -p tcp --syn -j DROP
	done
}

port-scanner-limitation () {
	# Throttle bare RST packets arriving on eth0 (RST set; SYN, ACK and FIN
	# clear), which slows down scans that rely on them; above 5/s they are dropped.
	local -a match=(-p tcp -i eth0 --tcp-flags SYN,ACK,FIN,RST RST)
	${IPTABLES} -A dtc-xen-in "${match[@]}" -m limit --limit 5/s -j ACCEPT
	${IPTABLES} -A dtc-xen-in "${match[@]}" -j DROP
}

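# Init-script dispatch on the first argument.
# Rule order within dtc-xen-in follows the call order under "start":
# loopback accept, port 25 reject, SSH rate limit, ping/SYN limits, RST limit.
case "${1}" in
	start)
		create-dtc-xen-forward-chain
		accept-localhost-traffic
		port25-reject
		limit-ssh-login-rate
		ping-flood-protect
		syn-flood-protect
		port-scanner-limitation
	;;

	stop)
		# Empty both chains. The chains and their jumps from INPUT/FORWARD are
		# left in place, so a later "start" finds them and does not insert a
		# second jump. A single flush replaces the old delete-rule-1-until-
		# failure loop and uses the same binary as the rest of the script.
		${IPTABLES} -F dtc-xen-fw
		${IPTABLES} -F dtc-xen-in
	;;

	restart|reload|force-reload)
		"${0}" stop
		sleep 1
		"${0}" start
	;;

	*)
		# Usage goes to stderr; force-reload is accepted above so list it too.
		printf 'Usage: %s {start|stop|restart|reload|force-reload}\n' "${0}" >&2
		exit 1
	;;
esac

exit 0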
