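#!/bin/sh
#
# Stateful iptables firewall for a host with one trusted LAN interface.
#
# Netfilter chain traversal (which chain a packet goes through):
#
#   Incoming                     / \           Outgoing
#    -->[Routing ]--->|FORWARD|------->
#       [Decision]    \_____/    ^
#           |                    |
#           v                   ____
#          ___                 / \
#         / \                |OUTPUT|
#        |INPUT|               \____/
#         \___/                  ^
#           |                    |
#           `----> Local Process ---'
#
# Policy summary (everything not listed is DROPped by the chain policies):
#   * hosts on $network reached via $iface are fully trusted: they may talk
#     to the firewall itself and open any connection through it
#   * the outside may only deliver replies (ESTABLISHED,RELATED) to
#     connections opened from the LAN or from the firewall itself
#   * ICMP is accepted on every chain, but rate limited
#
# Must be run as root. The script stops at the first iptables error so that a
# half-loaded ruleset is never mistaken for a complete one; the DROP policies
# are installed before any ACCEPT rule, so an early abort fails closed.

# abort on the first failing command and on any unset variable
set -eu

# lan interface
iface=ixp1

# lan network
network=192.168.200.0/24

# path to iptables
ipt=/sbin/iptables

# refuse to run if the iptables binary is not where we expect it
[ -x "$ipt" ] || { echo "$0: $ipt is not executable" >&2; exit 1; }

##############
## Defaults ##
##############

for table in filter nat mangle; do
  # flush all rules
  "$ipt" -t "$table" -F
  # zero packet/byte counters
  "$ipt" -t "$table" -Z
  # delete user-defined chains
  "$ipt" -t "$table" -X
done

# default policy: drop whatever no rule below accepts
"$ipt" -P INPUT DROP
"$ipt" -P OUTPUT DROP
"$ipt" -P FORWARD DROP

##############
## Loopback ##
##############

"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -A OUTPUT -o lo -j ACCEPT

##########
## ICMP ##
##########

# All ICMP types are allowed, but only at a reasonable rate so that we don't
# get flooded. Fragmented ICMP never matches the first rule and is dropped by
# the second.
for chain in INPUT OUTPUT FORWARD; do
  # accept up to 100 unfragmented icmp packets per second
  # (burst left at the limit module's default)
  "$ipt" -A "$chain" -p icmp ! -f -m limit --limit 100/second -j ACCEPT
  # drop any other icmp packets (fragments and anything over the limit)
  "$ipt" -A "$chain" -p icmp -j DROP
done

##################################
## Traffic to/from the firewall ##
##################################

# This can come before all the other stuff because we're very paranoid
# regarding traffic destined to / originating from ourselves.

# allow all traffic to/from the lan: the lan is trusted unconditionally
"$ipt" -A INPUT -i "$iface" -s "$network" -j ACCEPT
"$ipt" -A OUTPUT -o "$iface" -d "$network" -j ACCEPT

# Towards any non-lan interface the firewall may open new connections and
# receive the replies, but nothing may be opened towards it from there.
# "! -i" / "! -o" is the extrapositioned negation; current iptables warns
# that the older "-i ! iface" spelling is deprecated.
"$ipt" -A INPUT ! -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A OUTPUT ! -o "$iface" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

for chain in INPUT OUTPUT; do
  # We're done here: RETURN in a built-in chain hands the packet to the
  # chain policy (DROP). Any rule appended to INPUT/OUTPUT after this point
  # is never reached.
  "$ipt" -A "$chain" -j RETURN
done

#########################
## Traffic to/from LAN ##
#########################

# allow all traffic originating from the lan, and only replies back to it
"$ipt" -A FORWARD -i "$iface" -s "$network" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -o "$iface" -d "$network" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Disabled: inbound TCP services to the lan from anywhere
# (22 ssh, 110 pop3, 113 ident, 25 smtp, 80 http, 443 https, 3128 presumably
# a proxy). Kept for reference; enabling it exposes those lan ports to the
# outside.
#for port in 22 110 113 25 80 443 3128; do
#  "$ipt" -A FORWARD ! -i "$iface" -d "$network" -p tcp --destination-port "$port" --syn -m state --state NEW -j ACCEPT
#  "$ipt" -A FORWARD ! -i "$iface" -d "$network" -p tcp --destination-port "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
#  "$ipt" -A FORWARD -o "$iface" -s "$network" -p tcp --source-port "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
#done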