#!/bin/sh
#
#
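IPT="/usr/local/sbin/iptables"

# Remote networks allowed to open SSH sessions on eth0 (ports 22 and 443, see
# the loop in "start").  Whitespace-separated on purpose: the unquoted
# expansion in that loop splits it into one entry per iteration.  An entry
# written as host/16 (e.g. 11.11.11.11/16) admits the whole /16, not a single
# host; use /32 when one address is meant.
SSH_HOSTS_ALLOWED="11.11.11.11/16 22.22.22.22/24 33.33.33.0/16 44.44.44.44/24 55.55.55.55/16"

# Usage: $0 {start|stop|restart|status}
#   start   - flush and install the restrictive rule set below
#   stop    - flush and set every policy to ACCEPT (host is then fully open)
#   restart - same as start (start already flushes first)
#   status  - list the current filter and nat rules
# Any other argument, or none, behaves like "start" (kept from the original
# script; failing closed is the safer default for a firewall).
#
# Exit status: 0 if every iptables call succeeded, otherwise the status of the
# last one that failed.  Rules are still applied after a failure so that the
# trailing LOG/DROP rules get installed whenever possible.

# Without this check every rule below fails with "command not found" while the
# script still reported success.
if [ ! -x "$IPT" ]; then
  printf '%s: %s not found or not executable\n' "${0##*/}" "$IPT" >&2
  exit 1
fi

rc=0
# Run one iptables invocation; report a failure on stderr and remember its
# status in rc, but keep going.
ipt() {
  "$IPT" "$@" || {
    rc=$?
    printf '%s: iptables %s failed (status %s)\n' "${0##*/}" "$*" "$rc" >&2
  }
}

case "$1" in
start|restart)
  #/sbin/sysctl -w net.ipv4.ip_forward=1
  # Flush rules and user chains of the filter and nat tables so the policy is
  # rebuilt from a clean slate (mangle/raw tables are not touched here).
  ipt -F
  ipt -F -t nat
  ipt -X
  # Default policies: inbound and forwarded traffic is dropped unless a rule
  # below accepts it; outbound is unrestricted.
  ipt -P INPUT DROP
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD DROP
  # Unlimited traffic on loopback.
  ipt -A INPUT -i lo -j ACCEPT
  # Local subnet 192.168.0.0/24 on either interface: all protocols, including
  # NEW connections.  Trust is by source address only, so this relies on the
  # kernel's reverse-path filtering (rp_filter) to reject spoofed 192.168.0.x
  # sources arriving on the wrong interface -- confirm it is enabled.
  ipt -A INPUT -i eth0 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Redirect incoming tcp/443 to sshd on 22, so remote users whose network
  # blocks outgoing 22 can still reach ssh over 443.  The nat PREROUTING
  # rewrite happens before filter INPUT, so those packets show up below with
  # --dport 22.
  ipt -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 22
  # 80 -> 8000 (note: no INPUT rule below accepts 8000 from outside the local
  # subnet, so this is only reachable from 192.168.0.0/24 as written).
  ipt -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8000
  # Incoming ssh only from the allowed networks, new connections only.  Word
  # splitting of the list is intentional here.
  # shellcheck disable=SC2086
  for s in $SSH_HOSTS_ALLOWED; do
    ipt -A INPUT -p tcp -i eth0 -s "$s" --dport 22 --syn -m state --state NEW -j ACCEPT
    # Packets redirected by the nat rule above arrive here as dport 22; this
    # 443 rule only matters if that REDIRECT is ever removed.
    ipt -A INPUT -p tcp -i eth0 -s "$s" --dport 443 --syn -m state --state NEW -j ACCEPT
  done
  # Replies and related traffic for connections this host initiated.
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # ICMP echo-request from anywhere (could be restricted to the local net or
  # rate-limited with -m limit if ping floods are a concern).
  ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # 0.0.0.255 is a non-contiguous mask: this should match any destination
  # whose last octet is 255 (directed broadcasts), not just 255.255.255.255.
  # Confirm that is the intent.
  ipt -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
  ipt -A INPUT -d 224.0.0.1 -j DROP
  # Rate-limited log of everything that reached the end of the chain; the
  # prefix makes these lines easy to pick out of the kernel log.
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: " #log is good/handy for 'debugging'
  # ${IPT} -A INPUT -m limit --limit 5/min -j ULOG #log is good/handy for 'debugging'
  # Explicit final DROP (same effect as the policy, but also counts packets).
  ipt -A INPUT -j DROP #or REJECT/DROP
  ;;
stop)
  #/sbin/sysctl -w net.ipv4.ip_forward=0
  # Flush everything and open the host up completely.
  ipt -F
  ipt -F -t nat
  ipt -X
  ipt -P INPUT ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD ACCEPT
  ;;
status)
  # Read-only: show the rule sets currently loaded.
  ipt -L -n -v
  ipt -t nat -L -n -v
  ;;
*)
  "$0" start
  ;;
esac
exit "$rc"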