englercj/firewall.sh

## firewall.sh
#!/bin/bash

IPT="/sbin/iptables"

### Interfaces ###
PUB_IF="eth0"   # public interface
PRV_IF="eth1"   # private interface
LO_IF="lo"      # loopback
SERVER_IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}')

########## Allow/block services #################################################
ALLOW_SSH="true"
ALLOW_HTTP="true"
ALLOW_FTP="false"
ALLOW_STEAM="false"
ALLOW_OUTGOING_DNS="true"
ALLOW_OUTGOING_NTP="true"
ALLOW_OUTGOING_SMTP="true"
ALLOW_OUTGOING_ICMP="true"
ALLOW_INCOMING_ICMP="true"

USE_HARDENING_RULESET="true"

########## SSH #################################################
SSH_PORT=22

# This notes every NEW connection to port ${SSH_PORT} and adds it to the recent "list"
# If your IP is on the recent list, and you have ${SSH_LOGIN_ATTEMPT} or more entries on the list in the
# last ${SSH_LOGIN_ATTEMPT_TIMEFRAME} seconds, we drop your request.
SSH_LOGIN_ATTEMPT_PROTECTION="true"
SSH_LOGIN_ATTEMPT=4
SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS=90

SSH_ALLOW_ONLY_IP="false"
SSH_ALLOW_ONLY_IP_LIST="122.xx.yy.zz/29"

#### FILES #####
CUSTOM_RULES=/root/.fw/customRules.sh
BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt
SPOOFIP=""
#SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"
#BADIPS=$( [[ -f ${BLOCKED_IP_TDB} ]] && egrep -v "^#|^$" ${BLOCKED_IP_TDB})

###########################################################
###    You shouldn't need to change below this line     ###
###########################################################

function allowPort() {
	if [[ "$1" == "in" ]]; then
		$IPT -A INPUT -i ${PUB_IF} -p $2 --dport $3 -m state --state NEW,ESTABLISHED -j ACCEPT
		$IPT -A OUTPUT -o ${PUB_IF} -p $2 --sport $3 -m state --state ESTABLISHED -j ACCEPT
	else
		$IPT -A OUTPUT -o ${PUB_IF} -p $2 --dport $3 -m state --state NEW,ESTABLISHED -j ACCEPT
		$IPT -A INPUT -i ${PUB_IF} -p $2 --sport $3 -m state --state ESTABLISHED -j ACCEPT
	fi
}

function customRules() {
    if [ -f ${CUSTOM_RULES} ]; then
        source ${CUSTOM_RULES}
    fi
}

function clearAllIpTablesRules() {
    echo "Clear all firewall rules";
    #Default policy is DROP so first change the INPUT FORWARD and OUTPUT policy before the -F or you will be locked.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
}

function hardeningRules() {
    if [ "${USE_HARDENING_RULESET}" == "true" ]; then
        echo "Hardening: Drop sync"
        $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

        echo "Hardening: Drop Fragments"
        $IPT -A INPUT -i ${PUB_IF} -f -j DROP

        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

        echo "Hardening: Drop NULL packets"
        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets "
        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP

        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

        echo "Hardening: Drop XMAS"
        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets "
        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

        echo "Hardening: Drop FIN packet scans"
        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan "
        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP

        $IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

        echo "Hardening: Log and get rid of broadcast / multicast and invalid"
        $IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast "
        $IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP

        $IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast "
        $IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP

        $IPT  -A INPUT -i ${PUB_IF} -m state --state INVALID -j LOG --log-prefix " Invalid "
        $IPT  -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
    fi
}

function logAndBlockSpoofedIPRules() {
    $IPT -N spooflist
    for ipblock in $SPOOFIP
    do
        $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix " SPOOF List Block "
        $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
    done
    $IPT -I INPUT -j spooflist
    $IPT -I OUTPUT -j spooflist
    $IPT -I FORWARD -j spooflist
}

function sshRules() {
    if [ "${ALLOW_SSH}" == "true" ]; then
        echo "Allow SSH";

        if [ "${SSH_ALLOW_ONLY_IP}" == "true" ]; then
            # Allow ssh only from selected public ips
            for ip in ${SSH_ALLOW_ONLY_IP_LIST}
            do
                $IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT
                $IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT
            done
        else
            # allow for all
            $IPT -A INPUT -i ${PUB_IF}  -p tcp -d ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT
            $IPT -A OUTPUT -o ${PUB_IF} -p tcp -s ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT

            # allow for all (outbound)
            $IPT -A OUTPUT -o ${PUB_IF} -p tcp -s ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT
            $IPT -A INPUT -i ${PUB_IF}  -p tcp -d ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT
        fi

        if [ "${SSH_LOGIN_ATTEMPT_PROTECTION}" == "true" ]; then
            $IPT -I INPUT -p tcp --dport ${SSH_PORT} -i eth0 -m state --state NEW -m recent --set
            $IPT -I INPUT -p tcp --dport ${SSH_PORT} -i eth0 -m state --state NEW -m recent --update --seconds ${SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS} --hitcount ${SSH_LOGIN_ATTEMPT} -j DROP
        fi
    fi
}

function icmpRules() {
    if [ "${ALLOW_INCOMING_ICMP}" == "true" ]; then
        echo "Allow incoming ICMP";
        $IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec  -j ACCEPT
        $IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    fi

    if [ "${ALLOW_OUTGOING_ICMP}" == "true" ]; then
        echo "Allow outgoing ICMP";
        $IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type echo-request -j ACCEPT
        $IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type echo-reply -j ACCEPT
    fi
}

function httpRules() {
    if [ "${ALLOW_HTTP}" == "true" ]; then
        echo "Allow HTTP";
        #allow http(s) inbound connection/response
        $IPT -A INPUT -i ${PUB_IF}  -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A OUTPUT -o ${PUB_IF} -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

        #allow http(s) outbound connection/response
        $IPT -A OUTPUT -o ${PUB_IF} -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A INPUT -i ${PUB_IF}  -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
    fi
}

function dnsRules() {
    if [ "${ALLOW_OUTGOING_DNS}" == "true" ]; then
        echo "Allow outgoing DNS";
        allowPort out udp 53
    fi
}

function ntpRules() {
    if [ "${ALLOW_OUTGOING_NTP}" == "true" ]; then
        echo "Allow outgoing NTP";
        allowPort out udp 123
    fi
}

function smtpRules() {
    if [ "${ALLOW_OUTGOING_SMTP}" == "true" ]; then
        echo "Allow outgoing SMTP";
        allowPort out tcp 25
    fi
}

function ftpRules() {
    if [ "${ALLOW_FTP}" == "true" ]; then
        echo "Allow FTP";
        $IPT -A INPUT -p tcp --dport ftp -i ${PUB_IF} -j ACCEPT
        $IPT -A INPUT -p udp --dport ftp -i ${PUB_IF} -j ACCEPT

        $IPT -A INPUT -p tcp --dport ftp-data -i ${PUB_IF} -j ACCEPT
        $IPT -A INPUT -p udp --dport ftp-data -i ${PUB_IF} -j ACCEPT
    fi
}

function steamRules() {
    if [ "${ALLOW_STEAM}" == "true" ]; then
        echo "Allow Steam";
        allowPort in udp "27000:27030"
        allowPort out udp "27000:27030"

        allowPort in tcp "27014:27050"
        allowPort out tcp "27014:27050"

        allowPort in udp "4379:4380"
        allowPort out udp "4379:4380"
    fi
}

function dropAndCloseEverythingRules() {
    echo "Drop And Close Everything";
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

function dropAndLogEverythingElseRules() {
    $IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP "
    $IPT -A INPUT -j DROP
}

function unlimitedLoopbackRules() {
    $IPT -A INPUT -i ${LO_IF} -j ACCEPT
    $IPT -A OUTPUT -o ${LO_IF} -j ACCEPT
}

function unlimitedPrivateRules() {
    $IPT -A INPUT -i ${PRV_IF} -j ACCEPT
    $IPT -A OUTPUT -o ${PRV_IF} -j ACCEPT
}

function createIptablesRules() {
    echo "Setting $(hostname) Firewall...";
    dropAndCloseEverythingRules
    unlimitedLoopbackRules
    unlimitedPrivateRules
    hardeningRules
    logAndBlockSpoofedIPRules
    sshRules
    httpRules
    icmpRules
    dnsRules
    ntpRules
    smtpRules
    ftpRules
    steamRules
    customRules
    dropAndLogEverythingElseRules
}

echo "  Choose one of the following options:"
echo
echo "[N]ew firewall rules"
echo "[C]lear all firewall rules"
echo "[T]est firewall rules"
echo "[S]ave firewall rules to /etc/network/iptables"
echo "[E]xit"
echo

read choice

case "$choice" in
    "N" | "n" )
        clearAllIpTablesRules
        createIptablesRules
    ;;
    "C" | "c" )
        clearAllIpTablesRules
    ;;
    "T" | "t" )
        clearAllIpTablesRules
        createIptablesRules
        iptables-apply
    ;;
    "S" | "s" )
        clearAllIpTablesRules
        createIptablesRules
        iptables-save > /etc/network/iptables
    ;;
    * )
        exit 0
    ;;
esac
	#!/bin/bash

	IPT="/sbin/iptables"

	### Interfaces ###
	PUB_IF="eth0" # public interface
	PRV_IF="eth1" # private interface
	LO_IF="lo" # loopback
	SERVER_IP=$(ifconfig eth0 \| grep 'inet addr:' \| awk -F'inet addr:' '{ print $2}' \| awk '{ print $1}')

	########## Allow/block services #################################################
	ALLOW_SSH="true"
	ALLOW_HTTP="true"
	ALLOW_FTP="false"
	ALLOW_STEAM="false"
	ALLOW_OUTGOING_DNS="true"
	ALLOW_OUTGOING_NTP="true"
	ALLOW_OUTGOING_SMTP="true"
	ALLOW_OUTGOING_ICMP="true"
	ALLOW_INCOMING_ICMP="true"

	USE_HARDENING_RULESET="true"

	########## SSH #################################################
	SSH_PORT=22

	# This notes every NEW connection to port ${SSH_PORT} and adds it to the recent "list"
	# If your IP is on the recent list, and you have ${SSH_LOGIN_ATTEMPT} or more entries on the list in the
	# last ${SSH_LOGIN_ATTEMPT_TIMEFRAME} seconds, we drop your request.
	SSH_LOGIN_ATTEMPT_PROTECTION="true"
	SSH_LOGIN_ATTEMPT=4
	SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS=90

	SSH_ALLOW_ONLY_IP="false"
	SSH_ALLOW_ONLY_IP_LIST="122.xx.yy.zz/29"

	#### FILES #####
	CUSTOM_RULES=/root/.fw/customRules.sh
	BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt
	SPOOFIP=""
	#SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"
	#BADIPS=$( [[ -f ${BLOCKED_IP_TDB} ]] && egrep -v "^#\|^$" ${BLOCKED_IP_TDB})

	###########################################################
	### You shouldn't need to change below this line ###
	###########################################################

	function allowPort() {
	if [[ "$1" == "in" ]]; then
	$IPT -A INPUT -i ${PUB_IF} -p $2 --dport $3 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o ${PUB_IF} -p $2 --sport $3 -m state --state ESTABLISHED -j ACCEPT
	else
	$IPT -A OUTPUT -o ${PUB_IF} -p $2 --dport $3 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A INPUT -i ${PUB_IF} -p $2 --sport $3 -m state --state ESTABLISHED -j ACCEPT
	fi
	}

	function customRules() {
	if [ -f ${CUSTOM_RULES} ]; then
	source ${CUSTOM_RULES}
	fi
	}

	function clearAllIpTablesRules() {
	echo "Clear all firewall rules";
	#Default policy is DROP so first change the INPUT FORWARD and OUTPUT policy before the -F or you will be locked.
	iptables -P INPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -F
	iptables -X
	iptables -t nat -F
	iptables -t nat -X
	iptables -t mangle -F
	iptables -t mangle -X
	}

	function hardeningRules() {
	if [ "${USE_HARDENING_RULESET}" == "true" ]; then
	echo "Hardening: Drop sync"
	$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

	echo "Hardening: Drop Fragments"
	$IPT -A INPUT -i ${PUB_IF} -f -j DROP

	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

	echo "Hardening: Drop NULL packets"
	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets "
	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP

	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

	echo "Hardening: Drop XMAS"
	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets "
	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

	echo "Hardening: Drop FIN packet scans"
	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan "
	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP

	$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

	echo "Hardening: Log and get rid of broadcast / multicast and invalid"
	$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast "
	$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP

	$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast "
	$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP

	$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j LOG --log-prefix " Invalid "
	$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
	fi
	}

	function logAndBlockSpoofedIPRules() {
	$IPT -N spooflist
	for ipblock in $SPOOFIP
	do
	$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix " SPOOF List Block "
	$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
	done
	$IPT -I INPUT -j spooflist
	$IPT -I OUTPUT -j spooflist
	$IPT -I FORWARD -j spooflist
	}

	function sshRules() {
	if [ "${ALLOW_SSH}" == "true" ]; then
	echo "Allow SSH";

	if [ "${SSH_ALLOW_ONLY_IP}" == "true" ]; then
	# Allow ssh only from selected public ips
	for ip in ${SSH_ALLOW_ONLY_IP_LIST}
	do
	$IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT
	$IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT
	done
	else
	# allow for all
	$IPT -A INPUT -i ${PUB_IF} -p tcp -d ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT
	$IPT -A OUTPUT -o ${PUB_IF} -p tcp -s ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT

	# allow for all (outbound)
	$IPT -A OUTPUT -o ${PUB_IF} -p tcp -s ${SERVER_IP} --dport ${SSH_PORT} -j ACCEPT
	$IPT -A INPUT -i ${PUB_IF} -p tcp -d ${SERVER_IP} --sport ${SSH_PORT} -j ACCEPT
	fi

	if [ "${SSH_LOGIN_ATTEMPT_PROTECTION}" == "true" ]; then
	$IPT -I INPUT -p tcp --dport ${SSH_PORT} -i eth0 -m state --state NEW -m recent --set
	$IPT -I INPUT -p tcp --dport ${SSH_PORT} -i eth0 -m state --state NEW -m recent --update --seconds ${SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS} --hitcount ${SSH_LOGIN_ATTEMPT} -j DROP
	fi
	fi
	}

	function icmpRules() {
	if [ "${ALLOW_INCOMING_ICMP}" == "true" ]; then
	echo "Allow incoming ICMP";
	$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT
	$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
	fi

	if [ "${ALLOW_OUTGOING_ICMP}" == "true" ]; then
	echo "Allow outgoing ICMP";
	$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type echo-request -j ACCEPT
	$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type echo-reply -j ACCEPT
	fi
	}

	function httpRules() {
	if [ "${ALLOW_HTTP}" == "true" ]; then
	echo "Allow HTTP";
	#allow http(s) inbound connection/response
	$IPT -A INPUT -i ${PUB_IF} -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o ${PUB_IF} -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

	#allow http(s) outbound connection/response
	$IPT -A OUTPUT -o ${PUB_IF} -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A INPUT -i ${PUB_IF} -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
	fi
	}

	function dnsRules() {
	if [ "${ALLOW_OUTGOING_DNS}" == "true" ]; then
	echo "Allow outgoing DNS";
	allowPort out udp 53
	fi
	}

	function ntpRules() {
	if [ "${ALLOW_OUTGOING_NTP}" == "true" ]; then
	echo "Allow outgoing NTP";
	allowPort out udp 123
	fi
	}

	function smtpRules() {
	if [ "${ALLOW_OUTGOING_SMTP}" == "true" ]; then
	echo "Allow outgoing SMTP";
	allowPort out tcp 25
	fi
	}

	function ftpRules() {
	if [ "${ALLOW_FTP}" == "true" ]; then
	echo "Allow FTP";
	$IPT -A INPUT -p tcp --dport ftp -i ${PUB_IF} -j ACCEPT
	$IPT -A INPUT -p udp --dport ftp -i ${PUB_IF} -j ACCEPT

	$IPT -A INPUT -p tcp --dport ftp-data -i ${PUB_IF} -j ACCEPT
	$IPT -A INPUT -p udp --dport ftp-data -i ${PUB_IF} -j ACCEPT
	fi
	}

	function steamRules() {
	if [ "${ALLOW_STEAM}" == "true" ]; then
	echo "Allow Steam";
	allowPort in udp "27000:27030"
	allowPort out udp "27000:27030"

	allowPort in tcp "27014:27050"
	allowPort out tcp "27014:27050"

	allowPort in udp "4379:4380"
	allowPort out udp "4379:4380"
	fi
	}

	function dropAndCloseEverythingRules() {
	echo "Drop And Close Everything";
	$IPT -P INPUT DROP
	$IPT -P OUTPUT DROP
	$IPT -P FORWARD DROP
	}

	function dropAndLogEverythingElseRules() {
	$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP "
	$IPT -A INPUT -j DROP
	}

	function unlimitedLoopbackRules() {
	$IPT -A INPUT -i ${LO_IF} -j ACCEPT
	$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT
	}

	function unlimitedPrivateRules() {
	$IPT -A INPUT -i ${PRV_IF} -j ACCEPT
	$IPT -A OUTPUT -o ${PRV_IF} -j ACCEPT
	}

	function createIptablesRules() {
	echo "Setting $(hostname) Firewall...";
	dropAndCloseEverythingRules
	unlimitedLoopbackRules
	unlimitedPrivateRules
	hardeningRules
	logAndBlockSpoofedIPRules
	sshRules
	httpRules
	icmpRules
	dnsRules
	ntpRules
	smtpRules
	ftpRules
	steamRules
	customRules
	dropAndLogEverythingElseRules
	}

	echo " Choose one of the following options:"
	echo
	echo "[N]ew firewall rules"
	echo "[C]lear all firewall rules"
	echo "[T]est firewall rules"
	echo "[S]ave firewall rules to /etc/network/iptables"
	echo "[E]xit"
	echo

	read choice

	case "$choice" in
	"N" \| "n" )
	clearAllIpTablesRules
	createIptablesRules
	;;
	"C" \| "c" )
	clearAllIpTablesRules
	;;
	"T" \| "t" )
	clearAllIpTablesRules
	createIptablesRules
	iptables-apply
	;;
	"S" \| "s" )
	clearAllIpTablesRules
	createIptablesRules
	iptables-save > /etc/network/iptables
	;;
	* )
	exit 0
	;;
	esac