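#!/bin/sh
#
# Stateful iptables firewall + SNAT for a two-NIC Linux gateway.
#
# Usage:   run as root at boot or after the external address changes.
# Assumes: $INTIF is the NIC on the private LAN ($INTNET / $INTIP) and
#          $EXTIF is the NIC facing the Internet.  The external IPv4
#          address is discovered at runtime and used for the SNAT target.
#
# The script is plain POSIX sh (the shebang is /bin/sh): it uses printf
# rather than "echo -e", which dash prints literally, and quotes every
# expansion so an empty variable can never swallow the next iptables flag.

set -u

# Print a message on stderr and abort.  Every fatal check runs BEFORE the
# existing ruleset is flushed, so a failed run leaves the current rules in
# place instead of a box with DROP policies and no ACCEPT rules.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

printf '\n\nSETTING UP IPTABLES FIREWALL...\n'

# iptables needs CAP_NET_ADMIN; as a normal user every rule below would
# silently fail and the final "complete" message would still print.
[ "$(id -u)" -eq 0 ] || die "This script must be run as root."

# === SECTION A
# -----------   FOR EVERYONE
#
# SET THE INTERFACE DESIGNATION, ADDRESS AND NETWORK ADDRESS FOR THE NIC
# CONNECTED TO YOUR _INTERNAL_ NETWORK.
#   "eth1" is the default; it could be "eth0" depending on which of your
#   two NICs is on the LAN.  The internal interface will usually carry an
#   address from one of the private IP ranges.  Note that INTIF is an
#   interface DESIGNATION, not the IP address of the interface.

# Designation of the Internal Interface
INTIF="eth1"

# NETWORK address the Internal Interface is on
INTNET="192.168.0.0/24"

# IP address of the Internal Interface
INTIP="192.168.0.1/24"

# Designation of the External (Internet-facing) Interface
EXTIF="eth0"

# Discover the external address from $EXTIF.  (Previously this queried a
# hard-coded "eth0", so changing EXTIF silently broke every -d $EXTIP rule
# and the SNAT target.)  The awk handles both the legacy
# "inet addr:A.B.C.D" and the newer "inet A.B.C.D" ifconfig output and
# takes only the first IPv4 address; "inet6" lines never match "inet ".
EXTIP="$(/sbin/ifconfig "$EXTIF" 2>/dev/null \
  | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')"
[ -n "$EXTIP" ] \
  || die "Could not determine the IPv4 address of $EXTIF; ruleset left untouched."

# Shorthand for "any address".  iptables treats a missing -s/-d as any,
# so it is only spelled out where it documents intent.
UNIVERSE="0.0.0.0/0"

printf 'Loading required stateful/NAT kernel modules...\n'

# Best effort: on newer kernels these legacy module names have been
# superseded (nf_conntrack*, nf_nat*) and iptables typically autoloads
# what a rule needs, so a failed modprobe only prints its own error and
# does not stop the script -- iptables itself will fail loudly below if
# the functionality is really missing.
/sbin/depmod -a
for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
           iptable_nat ip_nat_ftp ip_nat_irc; do
  /sbin/modprobe "$mod"
done

printf '    Enabling IP forwarding...\n'
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

printf '    External interface: %s\n' "$EXTIF"
printf '    External interface IP address is: %s\n' "$EXTIP"
printf '    Loading firewall server rules...\n'

# Default-deny first, then flush.  A bare "iptables -F" flushes every
# chain in the filter table (built-in AND user chains such as
# drop-and-log-it), after which -X can delete the now-empty user chains.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F
iptables -X
iptables -Z

# Logging chain.  Despite its name it ends in REJECT (the sender gets an
# ICMP error) rather than DROP; the prefix makes the kernel log lines
# easy to grep for and to ship to a log collector.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info --log-prefix "fw-drop: "
iptables -A drop-and-log-it -j REJECT

printf '     - Loading INPUT rulesets\n'

#######################################################################
# INPUT: Traffic addressed to the firewall itself.  The chain is already
#        flushed and its default policy is DROP, so anything not ACCEPTed
#        below is discarded.
#

# loopback interface is valid.
iptables -A INPUT -i lo -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost.
# Such packets already hit the DROP policy; enable this to log them too.
#iptables -A INPUT -i "$EXTIF" -s "$INTNET" -j drop-and-log-it

# Replies to connections the firewall itself opened toward the Internet.
# NOTE: an unconditional "ACCEPT everything on $EXTIF to $EXTIP" rule
# used to precede this one.  It made the DROP policy, this state match and
# every optional per-port rule below meaningless, so it was removed:
# services on the firewall must now be opened explicitly (see OPTIONAL
# and "Own forwarding" below).
iptables -A INPUT -i "$EXTIF" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT

#  OPTIONAL:  Uncomment the following two commands if you plan on running
#             an Apache Web site on the firewall server itself
#
#printf '      - Allowing EXTERNAL access to the WWW server\n'
#iptables -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport 80 -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
#iptables -A INPUT -j drop-and-log-it

# LAN hosts talking to the firewall's external address (e.g. for services
# bound there).  Restricted to $INTIF so a packet arriving on $EXTIF with
# a forged $INTNET source cannot use it.
iptables -A INPUT -i "$INTIF" -s "$INTNET" -d "$EXTIP" -j ACCEPT

printf '     - Loading OUTPUT rulesets\n'

#######################################################################
# OUTPUT: Traffic generated by the firewall itself.  The chain is already
#         flushed and its default policy is DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -j ACCEPT

# local interface, from the external address, going to local net is valid
iptables -A OUTPUT -o "$INTIF" -s "$EXTIP" -d "$INTNET" -j ACCEPT

# local interface, from the internal address, going to local net is valid
iptables -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTNET" -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#iptables -A OUTPUT -o "$EXTIF" -d "$INTNET" -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o "$EXTIF" -s "$EXTIP" -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
#iptables -A OUTPUT -j drop-and-log-it

printf '     - Loading NAT loopback rulesets\n'

######################################################################
#iptables -t nat -A PREROUTING -d "$EXTIP" -p tcp --dport 80 -j DNAT --to 192.168.1.1
#iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80 -j SNAT --to 192.168.1.100

printf '     - Loading FORWARD rulesets\n'

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN.
#          Because the policy is DROP, a port forward to a LAN host needs
#          BOTH a PREROUTING DNAT rule and a matching FORWARD ACCEPT rule
#          (the "Own forwarding" / "Own DNAT" pairs below show the shape).

iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT


### Own forwarding
#iptables -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport 22 -j ACCEPT #Server SSH
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p tcp --dport 80 -j ACCEPT      #Lighttpd jbox
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p tcp --dport 8080 -j ACCEPT      #XBMC
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p udp --dport 9777 -j ACCEPT      #XBMC Event Server
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p tcp --dport 443 -j ACCEPT      #HTTPS
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p tcp --dport 1863 -j ACCEPT      #HTTPS
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p tcp --dport 22 -j ACCEPT      #SSH
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p tcp --dport 23399 -j ACCEPT     #SSH
#iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d 192.168.0.100 -p tcp --dport 1337:1339 -j ACCEPT     #rTorrent
#iptables -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport 7002 -j ACCEPT #CS
#iptables -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport 5273 -j ACCEPT #CS
#iptables -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p udp -s "$UNIVERSE" -d "$EXTIP" --dport 27010 -j ACCEPT #CS
#iptables -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p udp -s "$UNIVERSE" -d "$EXTIP" --dport 27012 -j ACCEPT #CS
#iptables -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p udp -s "$UNIVERSE" -d "$EXTIP" --dport 7331 -j ACCEPT #GLFTPD

### Own DNAT
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 80 -j DNAT --to 192.168.0.100
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 8080 -j DNAT --to 192.168.0.100
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p udp --dport 9777 -j DNAT --to 192.168.0.100
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 443 -j DNAT --to 192.168.0.100
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 1863 -j DNAT --to 192.168.0.100
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 22 -j DNAT --to 192.168.0.100
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 23399 -j DNAT --to 192.168.0.100
#iptables -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport 1337:1339 -j DNAT --to 192.168.0.100

# Catch all rule, all other forwarding is denied and logged.
#iptables -A FORWARD -j drop-and-log-it

# Enable SNAT on $EXTIF: rewrite the source of everything leaving toward
# the Internet to the external address discovered above.
iptables -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"

printf '    Firewall server rule loading complete\n\n\n'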
