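#!/bin/sh
#
# Stateful NAT firewall for a two-homed host: $EXTERNALDEVICE faces the
# upstream network, $INTERNALDEVICE faces the internal 10.0.0.0/8 clients.
#
# Compared with a policy-ACCEPT ruleset this script
#   - sets INPUT/FORWARD to DROP *before* any rule is appended, so the host is
#     never "open" while the rules are being (re)loaded, and a failed load
#     (set -e) fails closed instead of leaving a partial, permissive ruleset;
#   - admits reply traffic via conntrack (ESTABLISHED,RELATED) rather than by
#     leaving every port above 1023 open to the outside;
#   - rate-limits every LOG rule so a packet flood cannot fill the disk;
#   - applies anti-spoofing on the routed (FORWARD) path as well as on INPUT;
#   - binds the ssh DNAT to the external interface/address so internal
#     clients' ssh sessions to other hosts are no longer rewritten.
# OUTPUT stays unfiltered, as before.  Must run as root.

set -eu

EXTERNALDEVICE="eth0"
EXTERNALIP="192.168.100.107"
INTERNALDEVICE="eth1"
INTERNALIP="10.1.1.1"
INTERNALBROADCAST="10.1.1.255"
LOCALHOST="127.0.0.0/8"
USER_IP="10.0.0.0/8"
# Internal host that receives inbound ssh (DNAT) and uses its own public
# address for outbound traffic (SNAT).  The public address must be answered
# for on $EXTERNALDEVICE (alias or proxy ARP) for the SNAT to be useful.
SSH_SERVER="10.1.1.2"
SSH_SERVER_PUBLICIP="192.168.100.207"
# Ceiling for LOG rules: bursts are visible, sustained floods are not logged.
LOG_LIMIT="5/min"
LOG_BURST="10"

# log_and_drop CHAIN PREFIX [MATCH...]
# Append a rate-limited LOG rule and a DROP rule with the same match to CHAIN,
# so every class of rejected traffic shows up in the log without being able
# to flood it.  PREFIX should end with a space and stay under 29 characters.
log_and_drop() {
  lad_chain="$1"
  lad_prefix="$2"
  shift 2
  iptables -A "$lad_chain" ${1+"$@"} \
    -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
    -j LOG --log-prefix "$lad_prefix"
  iptables -A "$lad_chain" ${1+"$@"} -j DROP
}

############################## reset ##############################

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default-deny on the filtered chains before a single rule is added.
# Anything not explicitly accepted below is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#############################################################################
# INPUT - local services on the firewall host
#############################################################################

# Loopback is trusted as an interface; a 127/8 source on any other interface
# can only be spoofed.  (Matching on -i lo also covers local connections to
# the host's own 10.1.1.1 / 192.168.100.107 addresses.)
iptables -A INPUT -i lo -j ACCEPT
log_and_drop INPUT "FW-IN-LOSPOOF: " ! -i lo -s "$LOCALHOST"

# Anti-spoofing: internal addresses must not arrive on the external side.
# This has to precede the conntrack ACCEPT, because conntrack matches on the
# address tuple only and would happily treat a spoofed packet as a reply.
log_and_drop INPUT "FW-IN-SPOOF: " -i "$EXTERNALDEVICE" -s "$USER_IP"

# Stateful core: packets conntrack cannot classify (malformed, out of window)
# are discarded silently; replies to connections this host opened are accepted.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Rate-limited ICMP from anywhere; the excess is logged and dropped below.
iptables -A INPUT -p icmp -m limit --limit 2/s -j ACCEPT

######### external interface ##############

# SMTP is the only service offered to the outside.  --syn keeps a non-SYN
# segment from being accepted as NEW when nf_conntrack_tcp_loose is on.
iptables -A INPUT -i "$EXTERNALDEVICE" -d "$EXTERNALIP" \
  -p tcp --syn --dport 25 -m conntrack --ctstate NEW -j ACCEPT

# Well-known noise, dropped without logging.
# ident (113): remote MTAs may wait for a timeout on our SMTP sessions when
# this is DROPped instead of REJECTed; kept as DROP to preserve behaviour.
iptables -A INPUT -i "$EXTERNALDEVICE" -d "$EXTERNALIP" -p tcp --dport 113 -j DROP
# ntp
iptables -A INPUT -i "$EXTERNALDEVICE" -p tcp --dport 123 -j DROP
iptables -A INPUT -i "$EXTERNALDEVICE" -p udp --dport 123 -j DROP
# NetBIOS / SMB
iptables -A INPUT -i "$EXTERNALDEVICE" -d "$EXTERNALIP" -p tcp --dport 137:139 -j DROP
iptables -A INPUT -i "$EXTERNALDEVICE" -d "$EXTERNALIP" -p udp --dport 137:139 -j DROP

# Everything else arriving from outside - any port, any protocol, any
# destination address including broadcasts - is logged and dropped.
log_and_drop INPUT "FW-IN-EXT: " -i "$EXTERNALDEVICE"

######### internal interface ##############

# Internal clients may reach every local service, whether they address the
# internal IP, the external IP or the internal subnet broadcast.
iptables -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALIP" -j ACCEPT
iptables -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$EXTERNALIP" -j ACCEPT
iptables -A INPUT -i "$INTERNALDEVICE" -s "$USER_IP" -d "$INTERNALBROADCAST" -j ACCEPT

# Anything else on the internal side (foreign source address, etc.).
log_and_drop INPUT "FW-IN-INT: " -i "$INTERNALDEVICE"

# Packets from any other interface would hit the DROP policy silently; log
# them so an unexpected interface coming up does not go unnoticed.
log_and_drop INPUT "FW-IN-OTHER: "

######################################
# FORWARD - traffic routed through us
######################################

# Anti-spoofing on the routed path too.  The previous ruleset trusted the
# source address alone, so a packet claiming to be 10.1.1.1 was forwarded
# anywhere regardless of the interface it came in on.
log_and_drop FORWARD "FW-FWD-SPOOF: " -i "$EXTERNALDEVICE" -s "$USER_IP"

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Inbound ssh that PREROUTING redirected to the internal ssh server.
iptables -A FORWARD -d "$SSH_SERVER" -p tcp --syn --dport 22 -j ACCEPT

# SMB never crosses the firewall in either direction; not worth logging.
iptables -A FORWARD -p tcp --dport 137:139 -j DROP
iptables -A FORWARD -p udp --dport 137:139 -j DROP

# Services the internal clients may not reach directly.  REJECT rather than
# DROP so clients fail fast instead of hanging until a timeout.
# mail: smtp, pop2/pop3, imap
iptables -A FORWARD -p tcp --dport 25 -j REJECT
iptables -A FORWARD -p tcp --dport 109:110 -j REJECT
iptables -A FORWARD -p tcp --dport 143 -j REJECT
# web: gopher, http, https
iptables -A FORWARD -p tcp --dport 70 -j REJECT
iptables -A FORWARD -p tcp --dport 80 -j REJECT
iptables -A FORWARD -p tcp --dport 443 -j REJECT
# remote shells: ssh, telnet (the DNAT'd ssh server was accepted above)
iptables -A FORWARD -p tcp --dport 22:23 -j REJECT

# New connections from the internal clients to the outside world.
iptables -A FORWARD -i "$INTERNALDEVICE" -o "$EXTERNALDEVICE" -s "$USER_IP" -j ACCEPT

# ident probes are dropped quietly; everything else - in particular new
# connections from outside to internal hosts on *any* port, which used to
# fall through to the ACCEPT policy - is logged and dropped.
iptables -A FORWARD -p tcp --dport 113 -j DROP
log_and_drop FORWARD "FW-FWD: "

#######################################################
# NAT - internal requests leave with an external address
#######################################################

# The ssh server keeps its own public address; everyone else is masqueraded.
iptables -t nat -A POSTROUTING -o "$EXTERNALDEVICE" -s "$SSH_SERVER" \
  -j SNAT --to-source "$SSH_SERVER_PUBLICIP"
iptables -t nat -A POSTROUTING -o "$EXTERNALDEVICE" -j MASQUERADE

# Inbound ssh to our external address goes to the internal ssh server.
# Restricted to the external interface and address: an unqualified
# "--dport 22 -j DNAT" also rewrites internal clients' ssh sessions to any
# host.  Add a second rule with -d "$SSH_SERVER_PUBLICIP" if ssh to the
# server's own public address is wanted as well.
iptables -t nat -A PREROUTING -i "$EXTERNALDEVICE" -d "$EXTERNALIP" \
  -p tcp --dport 22 -j DNAT --to-destination "$SSH_SERVER:22"

# Enable routing only now that the complete ruleset is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward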
