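#!/bin/sh
#
# Simple IPv4 NAT firewall: one Internet-facing interface (WAN_IF) in front
# of a trusted local network (LAN_NET). Local hosts may open connections to
# the outside; nothing new may come in from the outside.
#
# Original File
# http://www.Linux-Sec.net/Wireless/AP/rc.firewall
# http://www.linuxquestions.org/questions/answers.php?action=viewarticle&artid=45
#
# Usage (as root), optionally overriding the defaults:
#   WAN_IF=eth0 LAN_NET=192.168.1.0/24 ./rc.firewall
#
# NOTE: only IPv4 is configured here. ip6tables is not touched, so IPv6
# traffic is governed by whatever policy is already in place for it.
#
###############################################################################
#
# The syntax of iptables is basically:
#
# iptables [-t table] -ACDI CHAIN rule-specification -j TARGET [options]
#
###############################################################################

# Abort on the first failing command or unset variable. A half-applied rule
# set must not be left behind silently; forwarding is only re-enabled at the
# very end, so an early abort leaves forwarding off.
set -eu

# Use a trusted PATH before anything else is executed.
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
export PATH

IPT=/usr/sbin/iptables

# Internet-facing interface and the local network masqueraded behind it.
# The defaults are the values the script originally hard-coded.
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print a message to stderr and exit with failure.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Load the first kernel module in the argument list that modprobe accepts
# (module names differ between kernel generations). Warn but continue if
# none loads: the FTP helpers are a convenience, not part of the filtering.
load_module() {
  for mod in "$@"; do
    if /sbin/modprobe "$mod" 2>/dev/null; then
      return 0
    fi
  done
  printf 'warning: could not load any of: %s\n' "$*" >&2
  return 0
}

[ "$(id -u)" -eq 0 ] || die "this script must be run as root"
[ -x "$IPT" ] || die "$IPT not found or not executable"

# Disable IP forwarding until the rules are in place.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Install the necessary kernel modules (legacy name first, then the
# current one).
load_module ip_tables
load_module ip_nat_ftp nf_nat_ftp
load_module ip_conntrack_ftp nf_conntrack_ftp

# Flush the tables and delete the non-builtin chains
# to ensure that we are starting from scratch.
for table in filter nat mangle; do
  "$IPT" --table "$table" --flush
  "$IPT" --table "$table" --delete-chain
done

# Set the default policy for the filter table's INPUT and FORWARD chains
# to DROP *before* adding any rules, so there is no window in which the
# chains are empty with an ACCEPT policy, and so a mistake further down
# fails closed rather than open.
"$IPT" --table filter --policy INPUT DROP
"$IPT" --table filter --policy FORWARD DROP

# Set up a user-defined chain called "rules" in the filter table that
# prevents anyone from connecting to local computers from the outside, but
# allows local computers to establish connections to the outside. We'll
# specify that the INPUT and FORWARD chains use the rules defined in our
# "rules" chain after we've established those rules.
"$IPT" --table filter --new-chain rules

# Accept traffic (and related traffic on different ports) coming in on
# any interface if the traffic has been seen before in both directions.
"$IPT" --table filter \
  --append rules \
  --match state \
  --state ESTABLISHED,RELATED \
  --jump ACCEPT

# Accept new traffic coming in on any interface except the Internet
# interface. The negation goes before the option; the older
# "--in-interface ! eth0" spelling is deprecated.
"$IPT" --table filter \
  --append rules \
  ! --in-interface "$WAN_IF" \
  --match state \
  --state NEW \
  --jump ACCEPT

# The catch-all rule: drop new or invalid traffic coming in on any
# network interface.
"$IPT" --table filter \
  --append rules \
  --match state \
  --state NEW,INVALID \
  --jump DROP

# Use the rules defined in the "rules" chain for the INPUT and
# FORWARD chains.
"$IPT" --table filter \
  --append INPUT \
  --jump rules
"$IPT" --table filter \
  --append FORWARD \
  --jump rules

# Add masquerading to the POSTROUTING chain in the nat table for traffic
# from the local network leaving via the Internet interface.
"$IPT" --table nat \
  --append POSTROUTING \
  --out-interface "$WAN_IF" \
  --source "$LAN_NET" \
  --destination 0/0 \
  --jump MASQUERADE

# Enable IP forwarding now that every rule is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward

#
#
# End of file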