#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#flush iptables
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F

#accept already established connections
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow tor traffic
for tor in bind debian-tor _tor-a; do(
iptables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN
ip6tables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN
iptables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT
ip6tables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT
)done
#restrict local communication for hosting users
#allowed tcp ports
for port in 3306 9040 9050 110 143 25 22 53; do(
iptables -t nat -A OUTPUT -d 127.0.0.0/8 -p tcp --dport $port -m owner --gid-owner www-data -j RETURN
ip6tables -t nat -A OUTPUT -d ::1 -p tcp --dport $port -m owner --gid-owner www-data -j RETURN
iptables -A OUTPUT -d 127.0.0.0/8 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT
ip6tables -A OUTPUT -d ::1 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT
)done
#accept DNS
iptables -t nat -A OUTPUT -d 127.0.0.0/8 -p udp --dport 53 -m owner --gid-owner www-data -j RETURN
ip6tables -t nat -A OUTPUT -d ::1 -p udp --dport 53 -m owner --gid-owner www-data -j RETURN
iptables -A OUTPUT -d 127.0.0.0/8 -p udp --dport 53 -m owner --gid-owner www-data -j ACCEPT
ip6tables -A OUTPUT -d ::1 -p udp --dport 53 -m owner --gid-owner www-data -j ACCEPT
#reject all other local communication
iptables -A OUTPUT -d 127.0.0.0/8 -m owner --gid-owner www-data -j REJECT
ip6tables -A OUTPUT -d ::1 -m owner --gid-owner www-data -j REJECT
#redirect all hosting user TCP traffic through tor
iptables -t nat -A OUTPUT -m owner --gid-owner www-data -p tcp --syn -j REDIRECT --to-ports 9040
ip6tables -t nat -A OUTPUT -m owner --gid-owner www-data -p tcp --syn -j REDIRECT --to-ports 9040
#reject all other hosting user traffic
iptables -A OUTPUT -m owner --gid-owner www-data -j REJECT
ip6tables -A OUTPUT -m owner --gid-owner www-data -j REJECT

#allow local communication
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
#unrestricted access to these IPs
for clearnet in 127.0.0.0/8; do(
iptables -t nat -A OUTPUT -d $clearnet -j RETURN
iptables -A OUTPUT -d $clearnet -j ACCEPT
) done
for clearnet in ::1; do(
ip6tables -t nat -A OUTPUT -d $clearnet -j RETURN
ip6tables -A OUTPUT -d $clearnet -j ACCEPT
) done
#accet IPv6 ICMP packages required for SLAAC
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
#allow querriying ntp servers (must mach /etc/systemd/timesyncd.conf)
for clearnet in 164.68.124.74 185.244.195.159 78.46.53.2 88.99.86.9; do(
iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN
iptables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT
)done
for clearnet in 2a02:c207:3004:9819::1 2a03:4000:27:602:d4cf:50ff:fedb:b65a 2a01:4f8:110:12d5::2 2a01:4f8:c17:b041::1; do(
ip6tables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN
ip6tables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT
)done
#redirect all outgoing DNS querries to our dns server
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
#redirect all other TCP traffic through tor
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
#reject everything else
iptables -A OUTPUT -j REJECT
ip6tables -A OUTPUT -j REJECT

#uncomment to be able to directly connect with your own IP and allow no one else
#for clearnet in YOUR_IP_HERE;do(
#iptables -A INPUT -s $clearnet -j ACCEPT
#)done
#drop everything else (uncomment after adding your own IP above)
#iptables -A INPUT -j DROP
#ip6tables -A INPUT -j DROP

exit 0