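#!/bin/sh
# firewall.rules - created by levy.pl on Tue May 15 18:39:04 2001
# this is a -skeleton- ruleset-- adapt as needed.
# This version by gordo AT loopzilla.org
# $Id: iptables.sh,v 1.2 2003/07/07 08:40:14 root Exp $
#
# Topology this ruleset assumes (inferred from the addresses used below;
# confirm against the host before deploying):
#   eth0 - outside/upstream interface; it sits on 192.168.100.0/24 here,
#          and the inside network is masqueraded out of it
#   eth1 - inside interface, 192.168.200.0/24
#
# Fail closed on purpose: the INPUT/FORWARD policies are set to DROP
# before the old rules are flushed, and any iptables command that fails
# aborts the run (set -e), so a typo can never leave a half-built ruleset
# that silently accepts traffic. When changing it over a remote session,
# run it from a console or under something that restores the previous
# ruleset on failure.
set -eu

IPT=/sbin/iptables
EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.200.0/24
readonly IPT EXT_IF INT_IF INT_NET

# open_port IFACE PROTO PORT [SRC]
# Accept inbound PORT/PROTO on IFACE, optionally only from SRC (a host
# or CIDR). Only the opening packet needs a rule here; replies are
# matched by the ESTABLISHED,RELATED rule near the top of INPUT.
open_port() {
  if [ $# -ge 4 ]; then
    "$IPT" -A INPUT -i "$1" -p "$2" --dport "$3" -s "$4" -j ACCEPT
  else
    "$IPT" -A INPUT -i "$1" -p "$2" --dport "$3" -j ACCEPT
  fi
}

# chain policies -- set before flushing so the host is closed while the
# new rules are still being loaded
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# flush tables and remove user-defined chains in every table we touch
"$IPT" -F
"$IPT" -X
"$IPT" -t mangle -F
"$IPT" -t mangle -X
"$IPT" -t nat -F
"$IPT" -t nat -X

# DUMP: log what we refuse, then reject TCP (so clients fail fast
# instead of hanging on a timeout) and drop everything else.
# LOG is rate limited: an unthrottled LOG rule behind a DROP policy lets
# any remote host fill the log partition by flooding closed ports.
"$IPT" -N DUMP
"$IPT" -A DUMP -p tcp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "fw-dump-tcp: "
"$IPT" -A DUMP -p udp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "fw-dump-udp: "
"$IPT" -A DUMP -p tcp -j REJECT --reject-with tcp-reset
"$IPT" -A DUMP -p udp -j DROP
"$IPT" -A DUMP -j DROP

# STATEFUL: last stop for anything INPUT did not explicitly open
"$IPT" -N STATEFUL
"$IPT" -A STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A STATEFUL -j DUMP

# loopback rules
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Replies to our own connections are accepted up front. With the state
# check only at the end of INPUT (as it used to be) every reply packet
# walked the whole port list first, and the window during which this
# script cuts existing connections was as long as the script itself.
# INVALID packets (bad TCP flags, out-of-window) are dropped without a
# log line so they cannot be used to flood DUMP.
"$IPT" -A INPUT -m state --state INVALID -j DROP
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# anti-spoofing: inside addresses never legitimately arrive on the
# outside interface
"$IPT" -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DUMP
"$IPT" -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DUMP

# drop reserved addresses incoming
#
# The original 2001 bogon list is not reproduced here: many of its
# entries (1/8, 2/8, 5/8, 23/8, 27/8, 31/8, ...) have since been
# allocated to the public Internet, and enabling it today would silently
# cut off real hosts. Only ranges that can never be a legitimate source
# on a public interface are listed. They stay commented out because eth0
# on this host is itself on 192.168.100.0/24 (see the AFP/TFTP rules
# below); enable them only if eth0 moves to a public address.
# "$IPT" -A INPUT -i "$EXT_IF" -s 0.0.0.0/8      -j DUMP
# "$IPT" -A INPUT -i "$EXT_IF" -s 10.0.0.0/8     -j DUMP
# "$IPT" -A INPUT -i "$EXT_IF" -s 127.0.0.0/8    -j DUMP
# "$IPT" -A INPUT -i "$EXT_IF" -s 169.254.0.0/16 -j DUMP
# "$IPT" -A INPUT -i "$EXT_IF" -s 172.16.0.0/12  -j DUMP
# "$IPT" -A INPUT -i "$EXT_IF" -s 192.168.0.0/16 -j DUMP
# "$IPT" -A INPUT -i "$EXT_IF" -s 224.0.0.0/4    -j DUMP
# "$IPT" -A INPUT -i "$EXT_IF" -s 240.0.0.0/4    -j DUMP

# ICMP types: accepted on both interfaces (path-MTU discovery,
# unreachables, ping). Add a limit match on echo-request if ping floods
# ever become a problem.
"$IPT" -A INPUT -i "$EXT_IF" -p icmp -j ACCEPT
"$IPT" -A INPUT -i "$INT_IF" -p icmp -j ACCEPT

# opened ports
# ident (113), ssh (22) and http (80) are TCP-only services; the old UDP
# twins of these rules opened ports nothing listened on. On the inside
# interface only the inside network may talk to them.
open_port "$EXT_IF" tcp 113
open_port "$EXT_IF" tcp 22
open_port "$EXT_IF" tcp 80
open_port "$INT_IF" tcp 113 "$INT_NET"
open_port "$INT_IF" tcp 22  "$INT_NET"
open_port "$INT_IF" tcp 80  "$INT_NET"

# Netatalk (AFP over TCP, tcp/548): only from the named hosts. The old
# rules additionally opened tcp/548 from anywhere on eth0 and udp/548 on
# both interfaces; neither is needed for AFP over TCP, so they are gone.
open_port "$EXT_IF" tcp 548 192.168.100.3
open_port "$INT_IF" tcp 548 192.168.200.2

# tftp (udp/69) from the one permitted host. TFTP is UDP only; the old
# tcp/69 rule opened nothing useful. Data packets travel on ephemeral
# ports -- if transfers stall, load the tftp conntrack helper so they
# match the RELATED rule above.
open_port "$EXT_IF" udp 69 192.168.100.1

# Set up NAT for internal network. Note: this script does not turn on
# net.ipv4.ip_forward; that is left to sysctl / the network scripts.
"$IPT" -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE

# FORWARDS
# Inside hosts may open connections to the outside; the outside only
# gets replies back in. The old rule accepted anything arriving on eth0
# addressed to 192.168.200.0/24, i.e. any routed inbound connection to
# any inside host.
"$IPT" -A FORWARD -m state --state INVALID -j DROP
"$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
"$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_NET" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# push everything else to state table
"$IPT" -A INPUT -j STATEFUL
### ends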