#!/bin/sh
#
# mitchs iptables pihole config
# -------------------------------------------

# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
# variables
# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

SUBNET=192.168.100
PIHOLE=$SUBNET.200    # this host's address (not referenced by the rules below)

# =/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=

# flush
iptables -F

# deny all default
# note: nothing below permits icmp or outbound ntp (udp 123); add rules if the
# host needs ping or clock sync
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# dns to/from pihole (self)
# clients open queries to our port 53; our replies (sport 53) match the
# ESTABLISHED,RELATED rules. deliberately no NEW accept matched only on
# --sport 53: that would let any lan host binding local port 53 reach every
# port on this box
iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport 53 -m state --state NEW
iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p udp --dport 53 -m state --state NEW
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport 53 -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p udp --dport 53 -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p udp --sport 53 -m state --state ESTABLISHED,RELATED

# -----------------------------------------------------------

# upstream resolvers: /32 for a single host (a /24 here would admit the whole
# neighbouring block); we open queries outbound, only replies come back in
# dns to/from 9.9.9.9
iptables -A OUTPUT -j ACCEPT -d 9.9.9.9/32 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -d 9.9.9.9/32 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 9.9.9.9/32 -p tcp --sport 53 -m state --state ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 9.9.9.9/32 -p udp --sport 53 -m state --state ESTABLISHED,RELATED
# and quad9s alt
iptables -A OUTPUT -j ACCEPT -d 149.112.112.112/32 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -d 149.112.112.112/32 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 149.112.112.112/32 -p tcp --sport 53 -m state --state ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 149.112.112.112/32 -p udp --sport 53 -m state --state ESTABLISHED,RELATED
# dns.watch
iptables -A OUTPUT -j ACCEPT -d 84.200.68.80/32 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -d 84.200.68.80/32 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 84.200.68.80/32 -p tcp --sport 53 -m state --state ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 84.200.68.80/32 -p udp --sport 53 -m state --state ESTABLISHED,RELATED
# dns.watch alt
iptables -A OUTPUT -j ACCEPT -d 84.200.70.40/32 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -d 84.200.70.40/32 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 84.200.70.40/32 -p tcp --sport 53 -m state --state ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -s 84.200.70.40/32 -p udp --sport 53 -m state --state ESTABLISHED,RELATED

# -----------------------------------------------------------

# permit local ssh
# inbound only; replies leave via the ESTABLISHED rule. no NEW accept on
# --sport ssh, for the same reason as port 53 above
iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED

# permit outgoing http,https,ftp as well for updates and things
iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW,ESTABLISHED
iptables -A OUTPUT -j ACCEPT -p tcp --dport 443 -m state --state NEW,ESTABLISHED
iptables -A OUTPUT -j ACCEPT -p tcp --dport 21 -m state --state NEW,ESTABLISHED

# allow pihole ftl
iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport 80 -m state --state NEW
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 80 -m state --state ESTABLISHED

# allow telnet ftl api (port 4711)
# ----- important: but only originating from our localhost outbound; not in
# match on the loopback interface as well as the 127.0.0.0/8 source, so a
# spoofed 127.x address arriving on the lan side cannot satisfy the rule
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT -p tcp --dport 4711 -m state --state NEW
iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 4711 -m state --state ESTABLISHED

# permit loopback
# both directions: without the INPUT side, local connections (e.g. this host
# resolving against 127.0.0.1) arrive as NEW and hit the DROP policy
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo

# permit established
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# save
# plain redirection works with every iptables-save version (-f needs >= 1.6.2)
if command -v systemctl >/dev/null 2>&1 ; then
    if [ -f /etc/sysconfig/iptables ] ; then
        iptables-save > /etc/sysconfig/iptables
    elif [ -f /etc/iptables/iptables.rules ] ; then
        iptables-save > /etc/iptables/iptables.rules
    elif [ -f /etc/iptables/rules.v4 ] ; then
        # debian/raspbian with iptables-persistent
        iptables-save > /etc/iptables/rules.v4
    fi
elif command -v rc-service >/dev/null 2>&1 ; then
    /etc/init.d/iptables save
fi
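# Added audit helper, not part of mitchs script: it scans an iptables-save
# dump for the one pattern this config must avoid, an INPUT ACCEPT that admits
# NEW connections matched only on the peer's --sport. The dumps below are
# constructed samples in the style of the script, not output from a real host.

```shell
#!/bin/sh
# Added audit helper (not part of the pihole script above). It scans an
# iptables-save dump for INPUT ACCEPT rules that admit NEW connections
# matched only on the peer's *source* port. Such a rule lets any LAN host
# that binds local port 53 or 22 reach every port on the firewall.

# Constructed sample dump in the style of the script: the --dport rule is
# the intended one, the three --sport/NEW rules are the over-permissive
# pattern, and the last rule is the normal reply allowance.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --sport 53 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.100.0/24 -p udp -m udp --sport 53 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --sport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# The same dump with the offending rules removed; a --sport rule limited to
# ESTABLISHED,RELATED is fine, because it only passes replies.
CLEAN_RULES='*filter
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.100.0/24 -p udp -m udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Print each INPUT ACCEPT rule in $1 that matches --sport, has no --dport
# and allows NEW (handles both "-m state" and "-m conntrack" spellings).
list_sport_new() {
    printf '%s\n' "$1" |
        awk '/^-A INPUT / && / -j ACCEPT/ && / --sport / && !/ --dport / && / --(ct)?state [A-Z,]*NEW/'
}

# Number of such rules; 0 means the dump passes this check.
count_sport_new() {
    list_sport_new "$1" | awk 'END { print NR }'
}

# Lists offenders and fails (status 1) when any exist, so a deploy script
# can refuse to save a ruleset that reopens the hole.
audit_rules() {
    list_sport_new "$1"
    [ "$(count_sport_new "$1")" -eq 0 ]
}

# Self-check on the constructed dumps; on a live host use:
#   audit_rules "$(iptables-save)"
audit_rules "$SAMPLE_RULES" >/dev/null || echo "sample: $(count_sport_new "$SAMPLE_RULES") over-permissive rule(s)"
audit_rules "$CLEAN_RULES" && echo "clean: ok"
```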