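#!/bin/sh
# Firewall / NAT rule set for a three-interface Linux router.
#
#   OUT_DEV  - NIC facing the internet; the only interface that is NAT'ed
#   IN_DEV   - wired internal LAN; the router accepts everything from it
#   WLAN_DEV - wireless segment; gets internet access, but for connections
#              to the router itself it is treated the same as the internet
#
# Ordering matters: default policies are set to DROP *before* the chains
# are flushed (so the box is never left with an empty ACCEPT ruleset), and
# IPv4 forwarding is switched on only after the last rule is loaded.
# Only the filter INPUT/FORWARD/OUTPUT chains and the nat table are
# flushed; the mangle table is left untouched.

WAN_IP='194.109.198.170'
LAN_IP_NET='192.168.2.0/24'
WLAN_IP_NET='192.168.3.0/24'
OUT_DEV=eth0                 # NIC with internet connection
IN_DEV=eth1                  # internal network interface
WLAN_DEV=eth2                # amsterdam wireless network
FORWARD_IP='192.168.2.151'   # host that forwarded ports are sent to

# Fail closed: policies first, flush second. Flushing a chain whose policy
# is still ACCEPT would leave the router wide open for as long as the rest
# of this script takes to run.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

# ---------------------------------------------------------------------
# Internet sharing (FORWARD): LAN and WLAN may open anything outbound,
# only replies to those connections are allowed back in.
# ---------------------------------------------------------------------
iptables -A FORWARD -i "$IN_DEV"   -o "$OUT_DEV"  -j ACCEPT
iptables -A FORWARD -i "$OUT_DEV"  -o "$IN_DEV"   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$WLAN_DEV" -o "$OUT_DEV"  -j ACCEPT
iptables -A FORWARD -i "$OUT_DEV"  -o "$WLAN_DEV" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Source NAT everything leaving via the WAN to the static public address
iptables -t nat -A POSTROUTING -o "$OUT_DEV" -j SNAT --to "$WAN_IP"

# ---------------------------------------------------------------------
# Traffic to the router itself (INPUT)
# ---------------------------------------------------------------------
# Loopback and the wired LAN are fully trusted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i "$IN_DEV" -j ACCEPT

# Anti-spoofing on the internet side: our own WAN address, our internal
# networks, and private / loopback / link-local ranges can never
# legitimately arrive from the WAN. LAN_IP_NET and WLAN_IP_NET were
# previously defined but unused.
for net in "$WAN_IP/32" "$LAN_IP_NET" "$WLAN_IP_NET" \
           10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 169.254.0.0/16; do
  iptables -A INPUT -i "$OUT_DEV" -s "$net" -j DROP
done

# Replies to connections the router itself initiated, on any interface.
# This one conntrack rule replaces the former "accept any TCP without SYN"
# and "accept any UDP from source port 53" rules: both let unsolicited
# packets through (ACK/FIN probes, or anything sent from UDP/53), while
# conntrack already covers the legitimate cases (DNS answers included).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Possible further hardening, left disabled as in the original:
#iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
#iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# ICMP: echo-request is rate-limited (flood protection; requests over the
# limit fall through to the DROP policy, since the former unconditional
# echo-request ACCEPT made the limit ineffective). The error/control types
# below are needed for PMTU discovery and traceroute to work.
# NOTE(review): accepting redirect and router-advertisement from the WAN is
# questionable; whether they have any effect depends on the kernel's
# accept_redirects sysctls -- consider removing them from this list.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
for t in destination-unreachable source-quench time-exceeded \
         parameter-problem redirect router-advertisement echo-reply; do
  iptables -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
done

# ---------------------------------------------------------------------
# Services hosted on the router (reachable from WAN and WLAN; the LAN is
# accepted wholesale above). TCP rules match new connections only
# (--syn); the rest of each connection is handled by the conntrack rule.
# ---------------------------------------------------------------------
# $1 = TCP destination port to open
tcp_in() {
  iptables -A INPUT -p tcp --syn --dport "$1" -j ACCEPT
}
# $1 = UDP destination port to open
udp_in() {
  iptables -A INPUT -p udp --dport "$1" -j ACCEPT
}

tcp_in 22      # SSH
tcp_in 25      # SMTP
tcp_in 465     # SMTP over SSL
tcp_in 53      # DNS zone transfers
tcp_in 80      # HTTP
tcp_in 8080    # usermin
tcp_in 443     # HTTPS
tcp_in 993     # IMAP over SSL
tcp_in 636     # LDAPS
tcp_in 5222    # jabber c2s
tcp_in 5223    # jabber c2s SSL
tcp_in 5269    # jabber s2s

tcp_in 1414    # DC
tcp_in 4662    # edonkey
tcp_in 6882    # bittorrent
tcp_in 2234    # soulseek
#tcp_in 4444   # mldonkey DC
tcp_in 6667    # IRC
tcp_in 9999    # IRC SSL

udp_in 53      # DNS
udp_in 123     # NTP
udp_in 1414    # DC
udp_in 4666    # edonkey
udp_in 4444    # mldonkey DC

# ---------------------------------------------------------------------
# Port forwarding to $FORWARD_IP
# ---------------------------------------------------------------------
# DNAT in PREROUTING rewrites the destination before the FORWARD chain
# sees the packet, so the FORWARD rule insists on the WAN ingress
# interface and the rewritten destination. The previous rules matched the
# port alone, on every interface and for any destination.
# $1 = protocol (tcp|udp), $2 = destination port or port range
fwd() {
  iptables -t nat -A PREROUTING -i "$OUT_DEV" -p "$1" --dport "$2" -j DNAT --to "$FORWARD_IP"
  iptables -A FORWARD -i "$OUT_DEV" -d "$FORWARD_IP" -p "$1" --dport "$2" -j ACCEPT
}

# DC
fwd tcp 1412:1413
fwd udp 1412:1413
# GnomeMeeting/Netmeeting
fwd tcp 30000:30010
fwd tcp 1720
fwd udp 5000:5007

# Explicit catch-all drops: redundant with the DROP policy, but they give
# the rejected traffic its own rule counters.
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p tcp --syn -j DROP

# Enable routing only now that the complete rule set is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward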
