#!/bin/bash

# Operator banner: this is the last-resort ruleset, applied when both the
# regular firewall and the backup ruleset failed to load. printf is a bash
# builtin, so the banner does not depend on PATH or on external binaries.
printf '%s\n' \
  '' \
  '' \
  "#########################################################" \
  "###                                                    ##" \
  "### If firewall and BACKUP Firewall rulset FAILED      ##" \
  "### Script wil try to block ewerything                 ##" \
  "### except conetions to SSH  (port 22 tcp)             ##" \
  "### and ICMP echo request                              ##" \
  "###                                                    ##" \
  "#########################################################" \
  '' \
  ''

# Trace every following command to stderr, so the boot/console log shows
# exactly which iptables call ran (and, together with its error, which failed).
set -x


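# Fail closed first: set the default policies before touching the existing
# rules. Flushing first (as this script used to) leaves the host fully open
# for a moment whenever the failed ruleset ended up with an ACCEPT policy.
# OUTPUT stays ACCEPT so the host can still originate traffic.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P FORWARD DROP
/sbin/ip6tables -P OUTPUT ACCEPT

# Remove every rule left behind by the failed ruleset (filter, nat, mangle).
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle

# The IPv6 nat table is cleared like the IPv4 one, so stale IPv6 NAT rules do
# not survive the fail-safe. On a kernel without IPv6 NAT support the command
# only prints an error; there is no `set -e`, so the script carries on.
/sbin/ip6tables -F
/sbin/ip6tables -F -t nat
/sbin/ip6tables -F -t mangle

# Delete the now-empty user-defined chains. This has to come after the flush:
# -X refuses to delete a chain that still holds rules or is still referenced.
/sbin/iptables -X
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle

/sbin/ip6tables -X
/sbin/ip6tables -X -t nat
/sbin/ip6tables -X -t mangle

# NOTE(review): the raw and security tables are not touched, and -F does not
# reset the built-in chain policies of nat/mangle. If the regular ruleset uses
# any of those, decide whether they must be reset here as well.
# NOTE(review): no exit status is checked. If one of the calls above fails
# (for example because another process holds the xtables lock), the script
# continues with a partially applied ruleset; the `set -x` trace is the only
# record of that.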

# The loopback interface gets special treatment: everything on lo is allowed,
# for both IPv4 and IPv6.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -o lo -j ACCEPT
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
/sbin/ip6tables -A FORWARD -o lo -j ACCEPT

# Accept packets that connection tracking classifies as ESTABLISHED or RELATED.
# NOTE(review): connection-tracking entries are not cleared by flushing rules,
# so sessions that were already open before this script ran (inbound to other
# services, or forwarded through this host) keep passing through these rules.
# "Block everything" therefore applies to new connections only.
# NOTE(review): `-m state` is the legacy match name; `-m conntrack --ctstate`
# is the current equivalent. Switch only if every target host's iptables
# supports it.
/sbin/iptables -A INPUT   -p all -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A FORWARD -p all -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A OUTPUT -p all -j ACCEPT -m state --state ESTABLISHED,RELATED

/sbin/ip6tables -A INPUT   -p all -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/ip6tables -A FORWARD -p all -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/ip6tables -A OUTPUT -p all -j ACCEPT -m state --state ESTABLISHED,RELATED


# SSH over IPv4: accepts every TCP packet to port 22, from any source address
# and on any interface, without a state match (the IPv6 rule further down is
# limited to state NEW).
# NOTE(review): if the management network is known, consider restricting this
# rule with -s so the fail-safe does not expose SSH to every network.
/sbin/iptables -A INPUT  -p tcp --dport 22 -j ACCEPT


# Minimum ICMPv6 for neighbour discovery. The hop-limit 255 check accepts only
# packets that were not forwarded by a router, i.e. that originate on-link.
# NOTE(review): router advertisements are not accepted. A host that gets its
# IPv6 address or default route from them may lose IPv6 reachability
# (including SSH) once the lifetimes expire; confirm for the target hosts.
/sbin/ip6tables -A INPUT -p icmpv6 -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 -m icmp6 --icmpv6-type neighbour-solicitation  -m hl --hl-eq 255 -j ACCEPT
# SSH over IPv6: new connections to port 22 from any source; follow-up packets
# are covered by the ESTABLISHED,RELATED rule above.
/sbin/ip6tables -A INPUT  -p tcp --dport 22 -j ACCEPT -m state --state NEW

# Pings: inbound echo requests are accepted for IPv4 and IPv6, with no rate
# limit.
/sbin/iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6  -m icmp6 --icmpv6-type echo-request    -j ACCEPT


# All outgoing connections: new connections from this host are allowed.
# The OUTPUT policy set earlier in this script is already ACCEPT, so these
# rules do not change what is permitted; they make the intent explicit.
/sbin/iptables -A OUTPUT -p all -j ACCEPT -m state --state NEW
/sbin/ip6tables -A OUTPUT -p all -j ACCEPT -m state --state NEW


