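# Interface and address definitions used by every rule below.
EXT_INT="eth1"               # Internet-facing interface
LOOPBACK_INT="lo"            # loopback interface
LOCAL_INT="eth0"             # internal (LAN) interface
IPADDR="10.2.135.X"          # the firewall's public address (replace X)
LOCALNET="192.168.1.0/24"    # private range behind the firewall
# Unprivileged (ephemeral client) port range.  The web return-traffic
# rule further down references $UNPRIVPORTS but the original script never
# defined it, so that rule was handed an empty argument and did not load.
UNPRIVPORTS="1024:65535"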
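# Flush every rule in the filter, nat and mangle tables and delete any
# user-defined chains, so the script can be re-run on a live system
# without the later "-N custom" failing with "chain already exists".
# Note: this script configures IPv4 only.  If the host has IPv6
# connectivity, ip6tables is untouched and needs its own policy.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
# Default policies: nothing in or through unless a rule allows it; the
# firewall itself may send freely.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP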
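# Kernel network hardening via /proc/sys.  Each write is guarded so a
# knob this kernel does not expose (ip_always_defrag is absent on modern
# kernels) is skipped with a warning instead of a shell error.
set_sysctl() {
  # $1 = /proc/sys path, $2 = value to write
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    echo "warning: $1 not writable or not present, skipping" >&2
  fi
}
set_sysctl /proc/sys/net/ipv4/ip_forward 1                        # route between interfaces
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1                    # SYN-flood resistance
set_sysctl /proc/sys/net/ipv4/ip_always_defrag 1                  # reassemble fragments before filtering (legacy knob)
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1       # ignore broadcast pings (smurf amplification)
set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1 # do not log bogus ICMP errors
# Reverse-path filtering on every interface: drop packets whose source
# address would not be routed back out the interface they arrived on.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  set_sysctl "$f" 1
done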
# Loopback traffic is never filtered.
iptables -A INPUT  -i "$LOOPBACK_INT" -j ACCEPT
iptables -A OUTPUT -o "$LOOPBACK_INT" -j ACCEPT
# Hosts on the private network may reach the firewall itself, and the
# firewall may reply to them, but only over the internal interface.
iptables -A INPUT  -i "$LOCAL_INT" -s "$LOCALNET" -j ACCEPT
iptables -A OUTPUT -o "$LOCAL_INT" -d "$LOCALNET" -j ACCEPT
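# A user-defined chain, "custom", holds the rules that apply to both
# INPUT and FORWARD so they are written only once.  If the chain is left
# over from an earlier run, reuse it (flushed) instead of failing on -N.
iptables -t filter -N custom 2>/dev/null || iptables -t filter -F custom
iptables -A INPUT   -j custom
iptables -A FORWARD -j custom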
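# Replies to connections opened by the firewall or by internal hosts are
# let back in from the Internet.
iptables -t filter -A custom -i "$EXT_INT" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal hosts may open new connections toward the Internet.  The
# original rule used the undefined variable $LOCALNET_1, which left "-s"
# without an argument, so iptables refused the rule and no outbound
# forwarding was ever permitted; the intended variable is $LOCALNET.
iptables -t filter -A custom -o "$EXT_INT" -s "$LOCALNET" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT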
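# SSH port forwarding.  New connections arriving on the Internet
# interface for port 22 are accepted only toward the DNAT target below,
# so this rule cannot also expose port 22 on the firewall or on any other
# host.  (Consider adding "-s <admin-range>" if the client addresses are
# known.)
iptables -A custom -i "$EXT_INT" -p tcp -d 192.168.1.15 --dport 22 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Rewrite the destination to the internal SSH host.  PREROUTING runs
# before the filter rules, so the ACCEPT above sees the rewritten address.
iptables -t nat -A PREROUTING -i "$EXT_INT" -d "$IPADDR" -p tcp --dport 22 \
  -j DNAT --to-destination 192.168.1.15:22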
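# Return traffic from remote web servers (source port 80/443).  The
# original rules accepted NEW connections on the strength of the source
# port alone, which lets anyone reach any port on the firewall or the
# LAN simply by sending from source port 80 or 443.  Only
# ESTABLISHED/RELATED packets are accepted here (the generic
# ESTABLISHED,RELATED rule at the top of "custom" already covers them,
# so these are explicit rather than necessary).
UNPRIVPORTS="${UNPRIVPORTS:-1024:65535}"   # ephemeral client ports; default if not defined above
iptables -A custom -i "$EXT_INT" -p tcp -m multiport --sports 80,443 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A custom -i "$EXT_INT" -p tcp -m multiport --sports 80,443 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT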
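# Public web server.  New connections from the Internet to 80/443 are
# accepted only toward the DNAT target, so this rule does not open ports
# 80/443 on the firewall itself.
iptables -A custom -i "$EXT_INT" -p tcp -d 192.168.1.20 \
  -m multiport --dports 80,443 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Redirect incoming web requests to the internal web server.  Restricted
# to the Internet interface, consistent with the ssh and mail DNAT rules.
for port in 80 443; do
  iptables -t nat -A PREROUTING -i "$EXT_INT" -d "$IPADDR" -p tcp --dport "$port" \
    -j DNAT --to-destination "192.168.1.20:$port"
done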
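# Mail: accept new connections from the Internet to SMTP (25) and IMAP
# (143), only toward the internal host they are forwarded to.
# Note: IMAP on 143 is cleartext unless the server enforces STARTTLS;
# prefer 993 (IMAPS) if the server supports it.
for port in 25 143; do
  iptables -A custom -i "$EXT_INT" -p tcp -d 192.168.1.20 --dport "$port" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# Forward incoming mail connections to the internal mail host
# (192.168.1.20, the same machine that serves the web site above).
for port in 25 143; do
  iptables -t nat -A PREROUTING -i "$EXT_INT" -d "$IPADDR" -p tcp --dport "$port" \
    -j DNAT --to-destination "192.168.1.20:$port"
done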
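# Source-NAT (masquerade) traffic leaving on the Internet interface.
# Restricted to the private range so only LAN hosts are hidden behind the
# firewall's address, rather than any source that happens to be routed
# out eth1.
iptables -t nat -A POSTROUTING -o "$EXT_INT" -s "$LOCALNET" -j MASQUERADE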
# NFS: never accept new TCP connections to 2049 from the Internet, and
# refuse any the firewall itself would open outward.  The INPUT rule is
# belt-and-braces: it sits after the jump to "custom", whose final rule
# already drops NEW packets arriving on $EXT_INT.
iptables -A INPUT  -i "$EXT_INT" -p tcp --syn --dport 2049 -j DROP
iptables -A OUTPUT -o "$EXT_INT" -p tcp --syn --dport 2049 -j REJECT
# Drop incoming UDP traceroute probes on the Internet interface.  Classic
# traceroute sends from source ports 32769-65535 to destination ports
# 33434-33523.  ICMP-based traceroute is not covered by this rule, and
# like the NFS rule above it is shadowed by the NEW-packet drop at the end
# of the "custom" chain.
iptables -A INPUT -i "$EXT_INT" -p udp \
  --sport 32769:65535 --dport 33434:33523 -j DROP
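# Log, then drop, NEW and INVALID packets from the Internet that no
# earlier rule accepted.  The LOG rule is rate-limited so a flood of
# unsolicited packets cannot fill the system log.
iptables -t filter -A custom -i "$EXT_INT" -m state --state NEW,INVALID \
  -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "DROP custom: "
iptables -t filter -A custom -i "$EXT_INT" -m state --state NEW,INVALID -j DROP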
# Rate-limit new TCP connections (SYN) to ports 21 and 80 to 3 per second;
# anything over the limit falls through to the INPUT policy (DROP).
# NOTE(review): these rules are appended after the jump to "custom", which
# already drops NEW packets from $EXT_INT, so they never see Internet
# traffic.  What they do see is SYNs on the other interfaces whose source
# was not already accepted, and for those they open ports 21 and 80 on
# the firewall itself -- confirm that is intended.
for port in 21 80; do
  iptables -A INPUT -p tcp --syn --dport "$port" \
    -m limit --limit 3/s -j ACCEPT
done
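# Anything still unmatched is logged (rate-limited, so the log cannot be
# flooded) and then falls to the chain's default policy.  The policies
# were set at the top; restating them makes the final state explicit.
iptables -t filter -A FORWARD -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "DROP FORWARD: "
iptables -t filter -A INPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "DROP INPUT: "
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP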