#!/bin/bash
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
### load connecting-tracking modules
$MODPROBE ip_conntrack
$MODPROBE iptables_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
##### INPUT chain #####
echo "[+] Setting up INPUT chain..."
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### anti-spoofing rules
#$IPTABLES -A INPUT -i eth1 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
### default INPUT LOG rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
##### OUTPUT chain #####
echo "[+] Setting up OUTPUT chain..."
### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules for allowing connectings out
$IPTABLES -A OUTPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 25 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 43 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 4321 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
### default OUTPUT LOG rule
$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
##### FORWARD chain #####
echo "[+] Setting up FORWARD chain..."
### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### anti-spoofing rules
$IPTABLES -A FORWARD -i eth0 -j LOG --log-prefix "SPOOFED PKT"
$IPTABLES -A FORWARD -i eth0 -s ! 192.168.2.0 -j DROP
### ACCEPT rules
$IPTABLES -A FORWARD -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 25 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 43 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 4321 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
### default log rule
$IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
##### NAT rules #####
echo "[+] Setting up NAT rules..."
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.3:80
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.1.3:443
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.1.4:53
$IPTABLES -t nat -A POSTROUTING -s 192.168.2.0 -j MASQUERADE
##### forwarding #####
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward