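#!/bin/bash
#
# Host firewall for a machine on a trusted LAN (filter table only).
#
# Policy: every inbound packet is dropped unless a rule below accepts it,
# nothing is forwarded, everything outbound is accepted.
#
# Environment (optional):
#   LAN_NET   trusted client network, default 192.168.1.0/24. ICMP, VNC and
#             SSH are accepted only from this network.
#   SYN_RATE  global ceiling on new TCP connections, default 1/s (the limit
#             match's default burst of 5 applies).
#
# Must run as root. A re-run resets the filter table first, so the script
# can be applied repeatedly. Under `set -e` a rule that fails to load aborts
# the script; the DROP policies are already in place by then, so check the
# error output before assuming the host is reachable.
#
# show current rules:  iptables -L -n -v --line-numbers

set -eu

readonly LAN_NET=${LAN_NET:-192.168.1.0/24}
readonly SYN_RATE=${SYN_RATE:-1/s}

if [[ $EUID -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# table initialize: flush every chain of the filter table and delete the
# user-defined ones (SYN_FLOOD below) so a re-run starts from a clean state.
iptables -F
iptables -X

# in-close/out-open (default policy)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# in-open [local interface]
# Router variant: also accept on the LAN interface and in FORWARD.
#iptables -A INPUT -i eth0 -j ACCEPT
#iptables -A FORWARD -i lo -j ACCEPT
#iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# A loopback source address is only legitimate on lo; arriving on any other
# interface it is spoofed, so drop it instead of accepting it by address.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# in-open [icmp from LAN]
#iptables -A INPUT -p icmp -j ACCEPT
#iptables -A FORWARD -p icmp -j ACCEPT
iptables -A INPUT -s "$LAN_NET" -p icmp -j ACCEPT

# in-open [established or related]
#iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# in-WANIF(src:local addr)-close
# Router variant: private source ranges must never arrive from the WAN side
# (ppp+); enable these when the host has a WAN interface.
#iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
#iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
#iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i ppp+ -s 10.0.0.0/8 -j DROP
#iptables -A FORWARD -i ppp+ -s 172.16.0.0/12 -j DROP
#iptables -A FORWARD -i ppp+ -s 192.168.0.0/16 -j DROP

# in-WANIF(dst:local addr)-close
#iptables -A INPUT -i ppp+ -d 10.0.0.0/8 -j DROP
#iptables -A INPUT -i ppp+ -d 172.16.0.0/12 -j DROP
#iptables -A INPUT -i ppp+ -d 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i ppp+ -d 10.0.0.0/8 -j DROP
#iptables -A FORWARD -i ppp+ -d 172.16.0.0/12 -j DROP
#iptables -A FORWARD -i ppp+ -d 192.168.0.0/16 -j DROP

# block syn flood
# SYN packets are diverted to SYN_FLOOD: within SYN_RATE they RETURN to
# INPUT and are then judged by the per-service rules below; above the rate
# they are dropped. (A plain `--syn -m limit ... -j ACCEPT` rule placed here
# would accept a SYN to *any* port before the per-service rules run, which
# opens every TCP port at the rate limit and bypasses the SSH source
# restriction and brute-force throttle.) The limit is global, not per
# source; raise SYN_RATE if the host serves many clients.
#iptables -A FORWARD -i ppp+ -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -N SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit "$SYN_RATE" -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -A INPUT -p tcp --syn -j SYN_FLOOD

# Rate-limited echo-request from anywhere (LAN hosts are already accepted
# above). Requests over the limit fall through to the INPUT policy, DROP.
#iptables -A FORWARD -i ppp+ -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# in-open [web] from anywhere
iptables -A INPUT -p tcp --dport http -j ACCEPT

# in-open [VNC] from LAN only. The OUTPUT rule is redundant with OUTPUT's
# ACCEPT policy and is kept only to make the intent explicit.
#iptables -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
#iptables -A OUTPUT -p tcp -m tcp --sport 5901 -j ACCEPT
iptables -A INPUT -s "$LAN_NET" -p tcp -m tcp --dport 5901 -j ACCEPT
iptables -A OUTPUT -d "$LAN_NET" -p tcp -m tcp --sport 5901 -j ACCEPT

# in-close [SSH brute force attack]
# Every NEW SSH connection records its source in the "SSH" recent list; a
# source seen 8 or more times within 60 s is dropped. Must precede the SSH
# ACCEPT rule or the throttle never fires.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

# in-open [SSH] from LAN only (notice: place this after the brute force block)
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT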