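#!/usr/bin/env bash
#
# Block inbound traffic from the published AWS IP ranges, then apply a
# default-deny inbound firewall to this node.
#
# Requires: root, iptables, curl, perl.
# Downloads https://ip-ranges.amazonaws.com/ip-ranges.json, extracts every
# IPv4 "ip_prefix" and REJECTs it in a dedicated AWS chain hooked at the top
# of INPUT. The remaining rules allow loopback, established traffic, SSH,
# ping and Bitcoin (8333), log the rest at a limited rate, and DROP it.
#
# NOTE(review): the non-AWS INPUT rules below are appended on every run and
# never flushed, so re-running this script accumulates duplicate rules;
# confirm whether INPUT should be reset first before scheduling it.
set -euo pipefail

readonly RANGES_URL='https://ip-ranges.amazonaws.com/ip-ranges.json'

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fetch and parse the ranges BEFORE touching the existing AWS chain: if the
# download fails or parses to nothing, the previous block list stays in place
# instead of being flushed to an empty (fail-open) chain. --fail makes curl
# return non-zero on HTTP errors, and pipefail propagates that through perl.
ranges=$(curl -sS -L --fail -- "$RANGES_URL" \
  | perl -ne 'print "$1\n" while /\"ip_prefix\":\s\"((\d|\.)+\/\d+)\"/gs') \
  || die "failed to download AWS IP ranges from $RANGES_URL"
[[ -n "$ranges" ]] || die "no ip_prefix entries parsed from $RANGES_URL"

# Create the AWS chain if it doesn't exist and hook it at the top of INPUT.
if ! iptables -n --list AWS >/dev/null 2>&1; then
  iptables -N AWS
  iptables -I INPUT 1 -j AWS
fi

# Replace the chain contents with the freshly downloaded list. Empty lines
# are skipped so a stray blank cannot turn into an invalid `-s ""` rule.
iptables -F AWS
while IFS= read -r prefix; do
  [[ -n "$prefix" ]] || continue
  iptables -A AWS -s "$prefix" -j REJECT
done <<< "$ranges"

# Apply extra firewall rules to node

# Allow all loopback (lo) traffic and reject all traffic to 127/8 that doesn't use lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
iptables -A OUTPUT -j ACCEPT

# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp -j ACCEPT

# Second SSH rule, kept from the original; it is redundant with the NEW rule
# above and the ESTABLISHED,RELATED rule, so it never changes the outcome.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow Bitcoin connections
iptables -A INPUT -p tcp --dport 8333 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Log iptables denied calls (rate limited so a flood cannot fill the log)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP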