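#!/bin/sh
#
# Host firewall / NAT ruleset (IPv4 only -- ip6tables is not touched here, so
# IPv6 policy must be handled separately).
#
# Installs a default-deny policy on INPUT, OUTPUT and FORWARD, then:
#   * DNATs TCP/80 arriving on the external interface to HTTP_SERVER
#   * DNATs TCP/22 arriving on the external interface to SSH_SERVER
#   * SNATs outbound TCP leaving the external interface to SNAT_ADDR
#
# Usage: run as root.  Every setting below can be overridden from the
# environment, e.g.  WAN_IF=eth1 HTTP_SERVER=10.0.0.5 ./firewall.sh
#
# Any iptables command that fails aborts the script (set -e).  The DROP
# policies are installed before anything else, so an abort leaves the host
# closed rather than half-open.  Forwarding also needs net.ipv4.ip_forward=1,
# which this script does not set -- confirm it is enabled elsewhere.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}                        # external interface: DNAT in, SNAT out
HTTP_SERVER=${HTTP_SERVER:-192.168.243.43}    # internal host that receives forwarded HTTP
SSH_SERVER=${SSH_SERVER:-192.168.243.55}      # internal host that receives forwarded SSH
SNAT_ADDR=${SNAT_ADDR:-192.168.242.34}        # source address written onto outbound TCP
readonly IPTABLES WAN_IF HTTP_SERVER SSH_SERVER SNAT_ADDR

# Default policy (applied when no rule matches).  Set DROP *before* flushing
# so the flush never leaves empty chains under a permissive policy.
# The ACCEPT alternative, kept for reference:
# "$IPTABLES" -P INPUT ACCEPT
# "$IPTABLES" -P OUTPUT ACCEPT
# "$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Flush all rules and delete user-defined chains in every table, so that the
# rules below are the whole ruleset.  (-F alone leaves empty user-defined
# chains behind; -X removes them.)
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done

# Stateful return traffic for the host itself (disabled, as in the original).
# "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNAT Example, forwarding all requests to HTTP_SERVER (disabled)
# "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -j DNAT --to "$HTTP_SERVER"
# "$IPTABLES" -A FORWARD -d "$HTTP_SERVER" -p tcp -j ACCEPT

# DNAT Example, forwarding only http requests to HTTP_SERVER and ssh requests
# to SSH_SERVER.  Replies to forwarded connections come back through FORWARD
# via the ESTABLISHED,RELATED rule; new connections must hit one of the
# explicit ACCEPTs.  The PREROUTING rules match *any* destination address on
# WAN_IF -- add -d <public address> if the box has more than one.
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to "$HTTP_SERVER"
"$IPTABLES" -A FORWARD -d "$HTTP_SERVER" -p tcp --dport 80 -j ACCEPT
"$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 22 -j DNAT --to "$SSH_SERVER"
"$IPTABLES" -A FORWARD -d "$SSH_SERVER" -p tcp --dport 22 -j ACCEPT

# SNAT Example: rewrite the source of outbound TCP leaving WAN_IF.  Only TCP
# is rewritten; UDP and ICMP leave with their original source address.
"$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -j SNAT --to "$SNAT_ADDR"

# Earlier experiments kept for reference.  The last one lacks both "-p tcp"
# (required by --dport) and "--to", so iptables would reject it if enabled.
# "$IPTABLES" -A FORWARD -d 192.168.243.43 -p tcp --dport 22 -j ACCEPT
# "$IPTABLES" -A FORWARD -d 192.168.242.43 -p tcp --dport 22 -j ACCEPT
# "$IPTABLES" -t nat -A PREROUTING -i eth0 --dport 22 -j DNAT 192.168.243.43

# so we can talk to ourselves.  Left disabled as in the original: with the
# DROP policies above, local services cannot reach each other over lo until
# these two rules are enabled.
# "$IPTABLES" -A INPUT -i lo -j ACCEPT
# "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Per-host blocks for 192.168.242.32 (disabled).  With INPUT/OUTPUT already
# defaulting to DROP these only matter once a broader ACCEPT (such as the
# local-network rule at the end) is enabled, and since -A appends and the
# first match wins, they must stay above that ACCEPT.

# 192.168.242.32 is bad so don't allow them to echo
# "$IPTABLES" -A INPUT -s 192.168.242.32 -p tcp --dport 7 -j DROP
# "$IPTABLES" -A OUTPUT -d 192.168.242.32 -p tcp --dport 7 -j DROP

# 192.168.242.32 is bad so don't allow them to ping us or anyone we route to
# "$IPTABLES" -A INPUT -s 192.168.242.32 -p icmp --icmp-type 8 -j DROP
# "$IPTABLES" -A FORWARD -s 192.168.242.32 -p icmp --icmp-type 8 -j DROP
# "$IPTABLES" -A OUTPUT -d 192.168.242.32 -p icmp --icmp-type 8 -j DROP

# 192.168.242.32 is bad so don't allow them to ssh
# "$IPTABLES" -A INPUT -s 192.168.242.32 -p tcp --dport 22 -j DROP
# "$IPTABLES" -A OUTPUT -d 192.168.242.32 -p tcp --dport 22 -j DROP

# Allow ssh from one trusted /24 (disabled)
# "$IPTABLES" -A INPUT -s 142.150.3.0/24 -p tcp --dport 22 -j ACCEPT

# 192.168.242.32 is bad, don't allow them to connect
# "$IPTABLES" -A INPUT -s 192.168.242.32 -j DROP
# "$IPTABLES" -A OUTPUT -d 192.168.242.32 -j DROP

# so the local network can talk to us (disabled)
# "$IPTABLES" -A INPUT -s 192.168.242.0/24 -j ACCEPT
# "$IPTABLES" -A OUTPUT -d 192.168.242.0/24 -j ACCEPT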