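#!/bin/sh
# Stateful firewall / NAT setup for a LAN (eth1) behind an ADSL modem (eth0)
# whose Internet link is the PPP interface carried over it.  Must run as root.
# Default policies are set to DROP before any ACCEPT rule is added, so if a
# command fails part-way through the box is left closed, not open.
set -eu

echo "Setting up IPtables rules"

IPTABLES=/u/system/bin/iptables   # where iptables binary lies

# Setting up Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting up IP spoofing protection (reverse-path filter on every interface)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    echo 1 > "$f"
  done
fi

# Rules objects
firewall_adsl="10.0.0.1"          # My Firewall external IP
dslam="10.0.0.138"                # IP of my ADSL Modem
localhost="127.0.0.1"             # no comments
firewall_intranet="192.168.0.254" # my LAN gateway. My LAN uses IANA private network (RFC1918)
intranet="192.168.0.0/24"         # My subnet & bits.
any="0.0.0.0/0"                   # Internet

# Devices
dev_intra="eth1"   # device for Intranet
dev_inter="eth0"   # device for ADSL
dev_ppp="ppp0"     # PPP link over the ADSL device: the Internet-facing interface

# High ports
hports="1024:"

# Flush all.  A plain -F/-X only touches the filter table; the nat table must
# be flushed explicitly, otherwise re-running this script appends a second
# copy of the DNAT and MASQUERADE rules.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

# Deny all by default
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Deliberately left unquoted where used: it must split into separate arguments.
KEEPSTATE=" -m state --state ESTABLISHED,RELATED"

# ADSL Tunnel rules: only the modem may talk to the firewall's external address
"$IPTABLES" -A INPUT -j ACCEPT -i "$dev_inter" -s "$dslam" -d "$firewall_adsl"
"$IPTABLES" -A OUTPUT -j ACCEPT -o "$dev_inter" -d "$dslam" -s "$firewall_adsl"

# accept anything on localhost device
"$IPTABLES" -A INPUT -j ACCEPT -p ALL -i lo
"$IPTABLES" -A OUTPUT -j ACCEPT -p ALL -o lo

# accept anything IntraNet if from IntraNet device
"$IPTABLES" -A INPUT -j ACCEPT -p ALL -i "$dev_intra"
"$IPTABLES" -A OUTPUT -j ACCEPT -p ALL -o "$dev_intra"

# Transparently redirect WWW requests to Squid (you have to set up a proxy
# (Squid for example) listening on this IP & port)
"$IPTABLES" -t nat -A PREROUTING -i "$dev_intra" -p TCP --dport 80 \
  -j DNAT --to-destination "$firewall_intranet:8080"

# Activate Forwarding.  Traffic coming back in from the PPP link is only
# forwarded to the LAN when it belongs to a connection the LAN opened; the
# unconditional rule this replaces would forward any packet that reached the
# PPP interface addressed to an internal host.
"$IPTABLES" -A FORWARD -j ACCEPT -i "$dev_intra" -o "$dev_ppp" -s "$intranet"
"$IPTABLES" -A FORWARD -j ACCEPT -o "$dev_intra" -i "$dev_ppp" -s "$any" $KEEPSTATE

# and masquerade IntraNet to Internet with Firewall Internet IP.
"$IPTABLES" -t nat -A POSTROUTING -o "$dev_ppp" -j MASQUERADE

# activate established mode on all protocols (stateful inspection)
for proto in TCP UDP ICMP
do
  "$IPTABLES" -A OUTPUT -j ACCEPT -o "$dev_ppp" -p "$proto" $KEEPSTATE
  "$IPTABLES" -A INPUT -j ACCEPT -i "$dev_ppp" -p "$proto" $KEEPSTATE
done

# Accept ports back from ppp, if flow return, all protocols
"$IPTABLES" -A OUTPUT -j ACCEPT -p ALL -o "$dev_ppp"

# Special for service providers.  NOTE: these rules are live, not examples;
# remove the ones for services this host does not actually expose.
# If you want to provide FTP server to Internet
"$IPTABLES" -A INPUT -j ACCEPT -p TCP -i "$dev_ppp" --sport "$hports" --dport 20
"$IPTABLES" -A INPUT -j ACCEPT -p TCP -i "$dev_ppp" --sport "$hports" --dport 21
# or a HTTP server
"$IPTABLES" -A INPUT -j ACCEPT -p TCP -i "$dev_ppp" --sport "$hports" --dport 80

# Drop broadcasts pollution (not logged)
for addr in 10.0.0.255 0.0.0.0 255.255.255.255
do
  "$IPTABLES" -A INPUT -i "$dev_inter" -p ALL -j DROP -s "$addr"
  "$IPTABLES" -A INPUT -i "$dev_inter" -p ALL -j DROP -d "$addr"
  "$IPTABLES" -A OUTPUT -o "$dev_inter" -p ALL -j DROP -s "$addr"
  "$IPTABLES" -A OUTPUT -o "$dev_inter" -p ALL -j DROP -d "$addr"
done

# Reject and log others.  Log at level emergency, with lines prefixed 'FW '.
# The user chain carries the LOG+REJECT pair itself (it used to be created
# but left empty, so the jump was a no-op) and can be reused from other chains.
"$IPTABLES" -N log_and_drop
"$IPTABLES" -A log_and_drop -j LOG --log-level emerg --log-prefix='FW '
"$IPTABLES" -A log_and_drop -j REJECT
"$IPTABLES" -A INPUT -j log_and_drop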