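#!/bin/bash
# iptables rules for the ADSL router.
#
# Layout assumed from the original rule set (confirm before deploying):
#   - ppp0 is the ADSL/WAN link, eth0 the LAN side, eth1 a second local
#     interface, tun+ VPN tunnels, ppp1/ppp2/... L2TP client links.
#   - The filter and nat tables are rebuilt from scratch on every run.
#
# Fail-closed: the default policies are set to DROP before any ACCEPT rule is
# added, so if a later command fails (e.g. a missing match module) the script
# aborts and the host is left with only the rules added so far.  Run it from a
# console, not over the link it is firewalling.
set -euo pipefail
trap 'printf "firewall: error at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

readonly WAN_IF=ppp0
readonly LAN_NET=192.168.0.0/24
# NOTE(review): the original mixed 192.168.0.0/24 (intranet accept, NAT) with
# 192.168.1.0/24 (Samba, RPC, LAN ssh) and 192.168.1.1 as the router's own
# address.  Both subnets are kept where the original used them; confirm which
# one the LAN really uses.
readonly LAN_NET_ALT=192.168.1.0/24
# Ranges treated as "intranet".  The original also listed 172.32.0.0/12, which
# is public address space (RFC 1918 ends at 172.31.255.255); it was dropped.
PRIVATE_NETS=("$LAN_NET" 10.0.0.0/8 172.16.0.0/12)
readonly PRIVATE_NETS

# Flush previous rules, delete chains and reset counters.
# The original flushed only the filter table, so every run appended another
# MASQUERADE rule to nat/POSTROUTING; the nat table is flushed as well now.
for table in filter nat; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Drop invalid state packets.
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m state --state INVALID -j DROP
done

## INPUT
# Loopback: INPUT policy is DROP and the original had no lo rule, so local
# clients talking to 127.0.0.1 were only let through on the listed ports.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (first, since most packets hit it).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: the intranet accepts below match on source address only, so
# without this a packet arriving on the WAN link with a private source address
# would be accepted as if it came from the LAN.
for net in "${PRIVATE_NETS[@]}"; do
  iptables -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
  iptables -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
done
# Allow intranet (local LAN) traffic.
for net in "${PRIVATE_NETS[@]}"; do
  iptables -A INPUT -s "$net" -j ACCEPT
done
# VPN tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
# Ping, rate limited; echo-requests over the limit are dropped.  (The original
# had a third rule accepting type 8 after the DROP, which could never match.)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# IPsec for the L2TP tunnel.  ESP and AH are IP protocols 50 and 51, not TCP
# ports; the original wrote them as "-p tcp --dport 50/51" and so never
# matched IPsec traffic.  IKE (500/4500) and L2TP (1701) are in the UDP list.
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah  -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT

# Services reachable from anywhere (NEW connections), one rule per port as in
# the original; duplicated entries were removed.
# Removed on purpose: "-p udp --sport 53 -j ACCEPT", "-p tcp --sport 80 -j
# ACCEPT" and "--sport 20 ... --state NEW".  They trusted the remote *source*
# port, which any peer can choose, so they admitted arbitrary traffic; replies
# to this host's own DNS/HTTP/FTP requests are already accepted by the
# ESTABLISHED,RELATED rule above (active-mode FTP data connections need the
# nf_conntrack_ftp helper loaded — confirm).
# NOTE(review): several of these are exposed to the WAN and are normally
# LAN-only (23 telnet, 3306 mysql, 111 rpcbind, 161, 3128 proxy, 9050/9051,
# 10000).  Scope them with -s "$LAN_NET" if they are not meant to be public.
tcp_ports=(
  80 443 22 53 21 20 25 587 110 995 143 993
  23 111 161 3128 3142 3306 4949 10000 2368 8084
  1194 9050 9051 8123 8118 9001 9091
  4661 4662 4665 4672 4711 4712
  2240 55256 11116 6881 6932 4545 5222 5269 25565
)
# 123 (NTP) was "-i ALL -m multiport --ports 123" in the original; "ALL" is
# read by iptables as an interface literally named ALL, so it never matched.
udp_ports=(
  53 123 500 4500 1701 111 3142 3306 10000 8084
  2240 55256 11116 6881 6932
)
for port in "${tcp_ports[@]}"; do
  iptables -A INPUT -p tcp -m tcp --dport "$port" -m state --state NEW -j ACCEPT
done
for port in "${udp_ports[@]}"; do
  iptables -A INPUT -p udp -m udp --dport "$port" -m state --state NEW -j ACCEPT
done
# BitTorrent range (6881 itself is also in the list above).
iptables -A INPUT -p tcp -m tcp --dport 6881:6890 -m state --state NEW -j ACCEPT
# Samba only from the LAN.
for port in 137 138; do
  iptables -A INPUT -s "$LAN_NET_ALT" -p udp -m udp --dport "$port" -j ACCEPT
done
for port in 139 445; do
  iptables -A INPUT -s "$LAN_NET_ALT" -p tcp -m tcp --dport "$port" -m state --state NEW -j ACCEPT
done
# Log, then reject, whatever is left.  The original rejected first and
# appended the LOG rule afterwards (and a LAN accept after that), so INPUT was
# never logged and that accept could never match.
iptables -A INPUT -j LOG --log-level 2 --log-prefix '[FW INPUT]:    '
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

## OUTPUT (policy ACCEPT)
# The original's per-subnet and per-port OUTPUT accepts were all subsumed by
# the state rule below and the ACCEPT policy, so they were dropped.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j LOG --log-level 2 --log-prefix '[FW OUTPUT]:   '

## FORWARD (policy DROP)
# Replies for any already-accepted forwarded connection, whatever the pair of
# interfaces.  This replaces the original's per-interface ESTABLISHED,RELATED
# rules for eth0, eth1, tun+ and ppp0.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# eMule ports.  The original used "-i all", which iptables reads as an
# interface literally named "all", so these rules never matched; they now
# match on any interface, which is presumably what was intended.
iptables -A FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
for port in 4665 4672; do
  iptables -A FORWARD -p udp -m udp --dport "$port" -j ACCEPT
done
# VPN clients may be forwarded anywhere.
iptables -A FORWARD -i tun+ -j ACCEPT
# Nothing else arriving on the WAN link is forwarded.  This must precede the
# "ppp+" wildcard below, which also matches ppp0: in the original that rule
# accepted NEW connections from the Internet into the LAN despite the DROP
# policy and the ESTABLISHED-only rules for ppp0.
iptables -A FORWARD -i "$WAN_IF" -j LOG --log-level 2 --log-prefix '[FW FORWARD ]: '
iptables -A FORWARD -i "$WAN_IF" -j DROP
# L2TP/PPP client links.
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): as in the original, no rule lets NEW connections from the LAN
# out through the WAN, so LAN hosts can only reach the Internet via a proxy on
# this box (3128 is open).  If direct access is wanted, add:
#   iptables -A FORWARD -i eth0 -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
iptables -A FORWARD -j LOG --log-level 2 --log-prefix '[FW FORWARD ]: '

## NAT
# Masquerade everything leaving the WAN link.  The original added this twice
# (once unscoped, once for the LAN subnet); the unscoped rule covers both.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE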
