#!/bin/bash

# PORTLIST can be passed as an argument
if [ "x$1" == "x" ]; then PORTLIST=80,443 ; else PORTLIST=$1 ; fi

# Find out which interface looks to the Internet and what is IP address
# on that interface (tested on real servers and OpenVZ VPSes):
DEF=`ip route | grep default`
FOUND=0
for i in $DEF; do
  if [ $FOUND -eq 1 ]; then GWINT=$i; break; fi;
  if [ "$i" == "dev" ]; then FOUND=1; fi ;
done
EXTIP=`ip addr list dev $GWINT | grep "inet " | grep "scope global" | head -1 | awk '{ print $2 }' | cut -d'/' -f 1`

echo "Gateway interface (autodetected) is $GWINT"
echo "External IP (looking to the Internet, autodetected) is $EXTIP"

# Actually configure the firewall:
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i $GWINT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d $EXTIP -i $GWINT -p tcp -m multiport --dports $PORTLIST -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d $EXTIP -i $GWINT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -d $EXTIP -i $GWINT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD