#!/bin/bash

# Turn on packet forwarding (better done from /etc/sysctl.conf)
#echo 1 > /proc/sys/net/ipv4/ip_forward

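# Simple stateful firewall for a two-interface NAT gateway.
#
# Interfaces:
#   INT - the private (trusted) network interface; all traffic allowed
#   EXT - the public interface; only replies to our own connections accepted
#   ME  - the gateway's own address, used by the optional service rules
#
# Must run as root. Every iptables call aborts the script on failure
# (set -e) so a half-applied ruleset does not go unnoticed.
set -euo pipefail

readonly IPTAB=/sbin/iptables

readonly INT="eth1"
readonly EXT="eth0"
# shellcheck disable=SC2034 -- referenced by the optional service rules below
readonly ME="10.0.0.1"

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must be run as root"
[[ -x "$IPTAB" ]] || die "iptables not found at $IPTAB"

# Fail closed first: set the DROP policies *before* flushing, so the
# window between "old rules gone" and "new rules loaded" never defaults
# to ACCEPT. FORWARD is DROP as well; the explicit rules further down
# re-open it only in the intended direction (private -> public, plus
# the replies to those connections).
"$IPTAB" --policy INPUT   DROP
"$IPTAB" --policy OUTPUT  DROP
"$IPTAB" --policy FORWARD DROP

# get rid of any existing rules and user-defined chains
"$IPTAB" --flush
"$IPTAB" --flush -t nat
"$IPTAB" -X

# allow all internal traffic on the loopback interface
"$IPTAB" -A OUTPUT -o lo -j ACCEPT
"$IPTAB" -A INPUT  -i lo -j ACCEPT

# allow all traffic on the internal nic (the private network interface)
"$IPTAB" -A OUTPUT -o "$INT" -j ACCEPT
"$IPTAB" -A INPUT  -i "$INT" -j ACCEPT

# General purpose rule to allow outgoing connections from the gateway
# itself; only replies to those connections are let back in on EXT.
"$IPTAB" -A OUTPUT -o "$EXT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTAB" -A INPUT  -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forwarding for the private network: new connections may only originate
# on INT; packets arriving on EXT are forwarded only when they belong to
# a connection conntrack already knows about.
"$IPTAB" -A FORWARD -i "$INT" -o "$EXT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTAB" -A FORWARD -i "$EXT" -o "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Optional rules to allow incoming connections to services on the gateway.
# Because INPUT defaults to DROP and accepts only ESTABLISHED,RELATED on
# EXT, an inbound service needs an INPUT rule that matches NEW packets to
# its destination port; the replies are already covered by the OUTPUT rule
# above, so an OUTPUT/--sport rule alone would not open the service.
# Web server rule
#"$IPTAB" -A INPUT -i "$EXT" -p tcp -d "$ME" --dport 80 \
#         -m state --state NEW,ESTABLISHED -j ACCEPT
# Sendmail rule
#"$IPTAB" -A INPUT -i "$EXT" -p tcp -d "$ME" --dport 25 \
#         -m state --state NEW,ESTABLISHED -j ACCEPT
# SSH rule (add -s <management network> to limit where logins may come from)
#"$IPTAB" -A INPUT -i "$EXT" -p tcp -d "$ME" --dport 22 \
#         -m state --state NEW,ESTABLISHED -j ACCEPT

# NAT outgoing packets to gateway address (a DSL modem in our examples).
# Use -j MASQUERADE instead of SNAT if the EXT address is assigned dynamically.
#"$IPTAB" -A POSTROUTING -t nat -o "$EXT" -j SNAT --to 10.0.0.254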
