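#!/bin/sh
### BEGIN INIT INFO
# Provides: scriptname
# Required-Start: $all
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Load gateway/firewall iptables rules at boot time
# Description: Gateway and Firewall script.
### END INIT INFO
#
# Two-interface NAT gateway: everything arriving on the inside interface
# (IF) is trusted and masqueraded out through the outside interface (OF);
# the outside only gets replies to connections that already exist.
#
# NOTE: the script ignores its argument ($1). "start", "stop" and
# "restart" all just (re)apply the ruleset below; there is no "stop" that
# opens the firewall.
# NOTE: only IPv4 (iptables) is configured here. ip6tables is left at
# whatever policy the system already has, so if IPv6 is live on OF this
# script does not lock it down -- mirror the policies there if needed.

# Abort on the first failing command and on unset variables. A
# half-applied ruleset is worse than none, and once the DROP policies
# below are in place a later failure fails closed rather than open.
set -eu

# Variables.
IPC=/sbin/iptables   # iptables binary
IF=eth1              # inside (LAN) interface: trusted
OF=eth0              # outside (uplink) interface: untrusted
readonly IPC IF OF

printf "Gateway/Firewall IPTables Script"
printf "."

# Refuse to run -- before flushing anything -- if iptables is not where
# we expect it; otherwise every rule below would silently fail.
if [ ! -x "$IPC" ]; then
  printf "\n%s: %s not found or not executable\n" "$0" "$IPC" >&2
  exit 1
fi
printf "."

# Flush existing iptables setup in every table we touch, including
# user-defined chains (-X) and packet counters (-Z).
# -F does not reset chain policies; those are set explicitly below.
"$IPC" -F
"$IPC" -X
"$IPC" -Z
"$IPC" -t nat -F
"$IPC" -t nat -X
"$IPC" -t mangle -F
"$IPC" -t mangle -X

# LOCKDOWN: Set default policies.
# INFO: No point adding -j ACCEPT rules if everything is open
# to begin with. Policies take action if no rules are matched.
# OUTPUT is set explicitly so the result does not depend on whatever
# policy was in place before the flush: locally originated traffic is
# allowed, inbound and forwarded traffic is dropped unless matched below.
"$IPC" -P INPUT DROP
"$IPC" -P FORWARD DROP
"$IPC" -P OUTPUT ACCEPT
printf "."

# INPUT chain (traffic addressed to this host).
# INFO:
# Accept loopback traffic.
# Accept anything from IF -- the whole inside network is trusted. There is
# no source-address check here, so spoofed packets arriving on IF are
# accepted too; rp_filter is the usual mitigation (not enabled by this
# script -- check net.ipv4.conf.*.rp_filter).
# Accept only replies/related traffic from OF.
# SSH from OF stays disabled; management is only reachable from IF.
"$IPC" -A INPUT -i lo -j ACCEPT
"$IPC" -A INPUT -i "$IF" -j ACCEPT
"$IPC" -A INPUT -i "$OF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# "$IPC" -A INPUT -i "$OF" -p tcp --dport 22 -j ACCEPT
printf "."

# FORWARD chain (traffic routed through this host; INPUT never sees it).
# INFO: New connections may only go inside -> outside; the outside may
# only send replies/related packets back inside. Both rules name the
# output interface so that a third interface (VPN, second LAN) added
# later does not silently become reachable from IF.
"$IPC" -A FORWARD -i "$IF" -o "$OF" -j ACCEPT
"$IPC" -A FORWARD -i "$OF" -o "$IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
printf "."

# Masquerade.
# INFO: Dynamic SNAT - change source address of connections
# from eth1 to eth0 since we are forwarding through.
"$IPC" -t nat -A POSTROUTING -o "$OF" -j MASQUERADE
# Preroute all DNS requests from the inside to our own dnsmasq service.
# If enabled, keep the -i restriction: without it queries arriving on OF
# would also be redirected to the local resolver.
# "$IPC" -t nat -A PREROUTING -i "$IF" -p tcp --dport 53 -j REDIRECT --to-port 5353
# "$IPC" -t nat -A PREROUTING -i "$IF" -p udp --dport 53 -j REDIRECT --to-port 5353
printf "."

# Enable forwarding in kernel.
# INFO: This is all you really need to have basic gateway functionality.
# Not persisted in sysctl.conf; it is re-enabled on every run of this
# script, which happens at boot. Under set -e a read-only /proc aborts here.
echo 1 > /proc/sys/net/ipv4/ip_forward
printf " Done.\n"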