*.*             /var/log/iptables

#!/bin/bash

###### INTERNET
inet_if=eth0
inet_dhcp=1
inet_ip=
inet_netmask=

###### LAN
lan_if=eth1
lan_ip=192.168.0.1
lan_netmask=255.255.255.0
lan_dhcp_net=192.168.0.0
lan_dhcp_start=192.168.0.10
lan_dhcp_stop=192.168.0.99

htpc_ip=192.168.0.2
danielpc_ip=192.168.0.3


###### NEEDED BY THE FIREWALL
ifconfig $lan_if $lan_ip netmask $lan_netmask
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F

iptables -I INPUT 1 -i eth0 -j LOG
iptables -I FORWARD 1 -i eth0 -j LOG

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### Internet --> LAN (Portforwarding)
iptables -t nat -A PREROUTING -i $inet_if -p tcp --dport 24178 -j DNAT --to-destination $htpc_ip        # uTorrent


### Internet --> LAN (Accesslist)
iptables -A FORWARD -i $inet_if -p tcp --dport 24178 -j ACCEPT


# Internet -> Firewall

iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT           # FTP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT           # SSH
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set -j LOG
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT           # HTTP
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT          # HTTPS
iptables -A INPUT -i eth0 -p udp --dport 514 -j ACCEPT

####### Needed by the FIREWALL
iptables -A INPUT -i $inet_if -m state --state ESTABLISHED,RELATED -j ACCEPT    # Accept INTERNET(related) -> FIREWALL
iptables -A INPUT -i $lan_if -j ACCEPT                                          # Accept LAN -> FIREWALL
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT           # Accept FIREWALL(new,related) -> INTERNET
iptables -A FORWARD -i $inet_if -m state --state RELATE,ESTABLISHED -j ACCEPT   # Accept INTERNET(related) -> LAN
iptables -A FORWARD -i $lan_if -j ACCEPT                                        # Accept LAN -> INTERNET

killall -9 klogd
klogd -s