#!/bin/sh

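# Three-legged packet filter (LAN / DMZ / dial-up WAN) driven by iptables.
#
# Usage: firewall {start|stop|restart|force-restart|reload|force-reload}
#
# NOTE(review): only IPv4 is filtered here (iptables and the ipv4 sysctls).
# If IPv6 is enabled on any interface, ip6tables keeps whatever policy it
# already has (ACCEPT by default) -- confirm before relying on this alone.

# Wrap the real binary by absolute path.  The original used an alias, but
# alias expansion inside non-interactive scripts is shell-dependent (bash
# only honours it in POSIX mode), so a call could silently fall back to a
# PATH lookup of "iptables".  A function works in every Bourne-compatible
# shell and cannot be shadowed by PATH.  A failing rule is reported on
# stderr and the failure status is passed on to the caller.
iptables() {
  /sbin/iptables "$@" || {
    printf 'iptables %s: failed\n' "$*" >&2
    return 1
  }
}

# Interfaces of the three legs; the rules below assume exactly this layout.
LAN=eth0       # trusted internal network
DMZ=eth1       # semi-trusted servers (hosts the mail relay, tcp/25)
WAN=ppp0       # dial-up / PPP uplink, masqueraded
LOOPBACK=lo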

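# Dispatch on the init-style action in $1.  Anything unrecognised prints a
# usage line and fails, so a typo no longer leaves the firewall silently
# untouched.
case "$1" in
 start)
  # Fail closed first: set the DROP policies *before* flushing, so there
  # is never a moment with empty chains and ACCEPT defaults.  (Flushing
  # first, as the original did, opened a short accept-everything window
  # on every start/restart.)  Because the policies are DROP, a rule that
  # fails to load blocks traffic instead of exposing it -- watch stderr.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # Start from empty chains in the filter and nat tables.
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X

  ### Routing
  # Masquerade everything leaving on the WAN link (dial-up address changes).
  iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

  # Replies to connections the firewall itself opened over the WAN.
  iptables -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

  ### Forwarding between the three legs
  # Replies for any already-forwarded connection, whatever the direction.
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # LAN and DMZ may open anything towards the Internet.
  for IFACE in "$LAN" "$DMZ"; do
   iptables -A FORWARD -i "$IFACE" -o "$WAN" -j ACCEPT
  done

  # LAN may open anything towards the DMZ.
  iptables -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
  # DMZ -> LAN: replies to LAN-initiated traffic are already accepted by
  # the chain-wide ESTABLISHED,RELATED rule above (the original repeated
  # it here), so the only new connections allowed in this direction are
  # SMTP -- the DMZ relay delivering mail inward.
  iptables -A FORWARD -p tcp --dport 25 -i "$DMZ" -o "$LAN" -j ACCEPT
  # NOTE(review): no rule checks source addresses and rp_filter is not
  # set, so a DMZ host can forge LAN source addresses towards the WAN.
  # Per-interface source-network rules (or rp_filter) would close that;
  # not added here because the LAN/DMZ prefixes are unknown to this script.

  # Enable forwarding only now that the FORWARD chain is populated.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  ### Traffic to and from the firewall itself
  # Anything from the LAN, the DMZ and loopback is accepted.
  # NOTE(review): this gives every DMZ host unrestricted access to all
  # services listening on the firewall, so a compromised DMZ machine has
  # the firewall as its next hop.  Limiting the DMZ leg to the ports it
  # really needs is recommended; left unchanged because those services
  # are not known here.
  for IFACE in "$LAN" "$DMZ" "$LOOPBACK"; do
   iptables -A OUTPUT -o "$IFACE" -j ACCEPT
   iptables -A INPUT -i "$IFACE" -j ACCEPT
  done

  # The firewall may open outgoing connections over the WAN.
  iptables -A OUTPUT -o "$WAN" -j ACCEPT

  # All ICMP is accepted on every interface, including from the WAN.
  # NOTE(review): consider restricting WAN ICMP to the types actually
  # needed (rate-limited echo-request, fragmentation-needed, time-exceeded).
  iptables -A INPUT -p icmp -j ACCEPT

  # Everything else arriving on the WAN is dropped silently, so the
  # Internet never receives a reject from the INPUT chain.
  iptables -A INPUT -i "$WAN" -j DROP

  # Explicit REJECT tails: whatever is not matched above gets an ICMP
  # error instead of a silent timeout.  The DROP policies remain as the
  # backstop should a rule fail to load.
  iptables -A FORWARD -j REJECT
  iptables -A INPUT -j REJECT
  iptables -A OUTPUT -j REJECT
  ;;
 stop)
  # NOTE(review): "stop" leaves the host wide open -- every policy is
  # reset to ACCEPT with no rules.  Forwarding is switched off first so
  # the LAN and DMZ are at least not routed while the filter is down.
  echo 0 > /proc/sys/net/ipv4/ip_forward
  # ip_dynaddr is never enabled by "start"; clearing it is harmless.
  echo 0 > /proc/sys/net/ipv4/ip_dynaddr
  # Site-specific leftover: tears down a static route via host "maeh".
  # Nothing in "start" creates it, so this usually only reports an error
  # on stderr; kept for compatibility with the original setup.
  /sbin/route del -net 192.168.254.0 netmask 255.255.255.0 gw maeh
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  ;;
 restart|force-restart|reload|force-reload)
  # NOTE(review): between the two calls the host is briefly fully open
  # (see "stop").  "start" already flushes and rebuilds everything, so
  # calling only "$0 start" would avoid that window.
  "$0" stop
  "$0" start
  ;;
 *)
  echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload}" >&2
  exit 1
  ;;
esac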
