#!/bin/sh

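#
# Small NAT gateway / host firewall.
#
# Layout, as implied by the interface names used below (adjust if yours differ):
#   LAN_IF (eth0): trusted side; $PTTLOCALNET lives here and is MASQUERADEd out
#   WAN_IF (eth1): untrusted side
#
# Policy: default DROP on INPUT/FORWARD/OUTPUT. Only reply traffic, loopback,
# the local net and a few explicit services are let in; outbound traffic from
# this host itself is unrestricted.
#
# Deliberately no `set -e`: if one rule fails to load (e.g. a match module that
# is missing on this kernel) the remaining ACCEPT rules - loopback and SSH in
# particular - must still be installed, otherwise one error locks us out.
#
# All three settings can be overridden from the environment; the defaults are
# the values the script originally hard-coded.
PTTLOCALNET=${PTTLOCALNET:-192.168.1.0/24}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}

# Start from a clean slate in the two tables we populate.
iptables -F
iptables -F -t nat

# Default-deny; everything below is an explicit exception.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

##################################################################
# INPUT: traffic addressed to this host

# Loopback must be accepted unconditionally. With INPUT at DROP and no lo rule,
# the first packet of any 127.0.0.1 connection is still NEW when it re-enters
# through INPUT and gets dropped, which breaks local services.
iptables -A INPUT -i lo -j ACCEPT

# Discard out-of-state / malformed packets from the WAN side before anything
# else looks at them. The original used `-m unclean`, an experimental 2.4-era
# match that no longer exists, so that rule failed to load; INVALID is the
# closest supported equivalent.
iptables -A INPUT -i "$WAN_IF" -m state --state INVALID -j DROP

# Replies to connections this host initiated.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Oversized echo requests (ping-flood / ping-of-death style) are dropped from
# any source. Normal-sized pings from the LAN are still accepted by the
# $PTTLOCALNET rule further down. Kept after the RELATED,ESTABLISHED rule, as
# in the original, so an already-tracked ICMP flow is not affected.
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j DROP

##################################################################
# FORWARD: traffic routed between LAN and WAN

# WAN -> LAN: only replies to flows the LAN started.
iptables -A FORWARD -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN -> anywhere: new and existing flows.
# NOTE(review): this trusts any source address that arrives on $LAN_IF, while
# only $PTTLOCALNET is masqueraded below. Adding `-s "$PTTLOCALNET"` here would
# stop spoofed sources; left unchanged to preserve behaviour - confirm whether
# other subnets sit behind $LAN_IF before tightening.
iptables -A FORWARD -i "$LAN_IF" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Same oversized-ping filter as on INPUT, for routed traffic.
iptables -A FORWARD -p icmp --icmp-type 8 -m length --length 128:65535 -j DROP
# Multicast drop, kept disabled as in the original. (Option spelled correctly
# here: the original had a stray third dash, `---pkt-type`.)
###iptables -A FORWARD -m pkttype --pkt-type multicast -j DROP
# Out-of-state packets from the LAN side get an explicit reject.
iptables -A FORWARD -m state --state INVALID -i "$LAN_IF" -j REJECT

##################################################################
# OUTPUT: traffic originated by this host - unrestricted.

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

##################################################################
# SSH brute-force throttle for sources outside the local net.
#
# Each new SSH connection from outside $PTTLOCALNET is recorded in the
# "sshattack" list; the third one within 60 s is rejected with a TCP RST.
# Negation is written `! -s`: the intrapositioned `-s !` form the original used
# is deprecated and newer iptables warns about (or refuses) it.

iptables -A INPUT -p tcp --dport 22 ! -s "$PTTLOCALNET" -m state --state NEW \
  -m recent --name sshattack --set
# Uncomment to log rejected attempts; it must stay ahead of the REJECT rule.
#iptables -A INPUT -p tcp --dport 22 ! -s "$PTTLOCALNET" -m state --state NEW \
#  -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 \
#  -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 ! -s "$PTTLOCALNET" -m state --state NEW \
  -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 \
  -j REJECT --reject-with tcp-reset

##################################################################
# Services accepted on this host

# SSH on every interface (outside sources are throttled above).
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# TCP 8080 and 10000 only from the LAN interface.
iptables -A INPUT -p tcp --dport 8080 -i "$LAN_IF" -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -i "$LAN_IF" -j ACCEPT
#iptables -A INPUT -i "$LAN_IF" -p tcp -s "$PTTLOCALNET" --dport 22 -j ACCEPT

# Anything else from the local net, as long as it arrives on the LAN interface.
iptables -A INPUT -i "$LAN_IF" -s "$PTTLOCALNET" -j ACCEPT

##################################################################
# NAT

# Hide the local net behind this host's own address on the way out.
# NOTE(review): no `-o "$WAN_IF"`, so LAN-sourced traffic leaving on any
# interface is masqueraded; add it if hairpin traffic back into the LAN should
# keep its real source address.
iptables -A POSTROUTING -t nat -s "$PTTLOCALNET" -j MASQUERADE

# Debugging aid: log everything that reaches INPUT.
#iptables -I INPUT -j LOG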

