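#!/bin/bash
# firewall start
#
# Applies the NAT/port-forward and filter rules for this gateway after
# /etc/mysysconfig/my_firewall_reset has cleared the previous rule set.
#
# Interfaces: INET is the upstream (internet) side, LAN the internal bridge;
# tun+ are the OpenVPN tunnels, venet+ container interfaces.
# IPv4 only: nothing here touches ip6tables.
#
# Error model: rule installation stays best-effort as in the original (no
# `set -e`), so a single failing rule does not abort half-way through.  The
# reset step is the one mandatory step: without it the new rules would be
# appended on top of the stale ones and `-N wall` would fail.
set -x
set -v
set -u   # every variable used below is assigned here; catch typos early

#reset firewall — abort if it fails, otherwise we stack rules on the old set
/etc/mysysconfig/my_firewall_reset || {
  printf 'firewall reset failed, not applying rules\n' >&2
  exit 1
}

IPT=/sbin/iptables
MODPROBE=/sbin/modprobe

INET=eth1
#INET=ppp0
LAN=vmbr0
#MYIP=$ '/etc/mysysconfig/my_current_ip'

#######################################
# DNAT one port arriving on an interface to an internal host and accept the
# forwarded packets.  The FORWARD rule is pinned to the DNAT target with -d,
# so it only accepts what the PREROUTING rule actually rewrote, instead of
# any packet on that port.
# Globals:   IPT (read)
# Arguments: $1 in-interface, $2 protocol (tcp|udp), $3 port, $4 target IP
#######################################
dnat_forward() {
  local iface=$1 proto=$2 port=$3 target=$4
  "$IPT" -t nat -A PREROUTING -i "$iface" -p "$proto" --dport "$port" \
    -j DNAT --to-destination "${target}:${port}"
  "$IPT" -A FORWARD -i "$iface" -d "$target" -p "$proto" --dport "$port" -j ACCEPT
}

#forward http / https
for port in 80 443; do
  dnat_forward "$INET" tcp "$port" 192.168.80.11
done
#allow http / https on the gateway itself (disabled: the ports are forwarded)
#$IPT -A INPUT -i $INET -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $INET -p tcp --dport 443 -j ACCEPT

#allow ovpn
"$IPT" -A INPUT -i "$INET" -p udp --dport 1194 -j ACCEPT

#forward fehr-vpn
dnat_forward "$INET" tcp 8080 192.168.80.20
dnat_forward "$INET" udp 8080 192.168.80.20
dnat_forward "$INET" tcp 8081 192.168.80.20

#forward torrent
dnat_forward "$INET" tcp 19904 192.168.80.50
dnat_forward "$INET" udp 19904 192.168.80.50

#forward Mass Effect 3 MP
for port in 3659 6000 7673; do
  dnat_forward "$INET" udp "$port" 192.168.80.50
done

#forward Squid from VPN (reachable through the tunnels only, not from INET)
dnat_forward tun+ tcp 3128 192.168.80.14

#forward rdp-proxy for windows home server
dnat_forward "$INET" tcp 4125 192.168.80.10
dnat_forward tun9 tcp 4125 192.168.80.10

#allow ping
"$IPT" -A INPUT -i "$INET" -p icmp --icmp-type 8 -j ACCEPT

#forward mail
dnat_forward "$INET" tcp 25 192.168.80.9
# udp/25 kept from the original rule set; SMTP runs over TCP, so this one is
# not expected to match anything
dnat_forward "$INET" udp 25 192.168.80.9
for port in 110 143 993 995; do
  dnat_forward "$INET" tcp "$port" 192.168.80.9
done

#allow igmpproxy
# These are inserted (-I) ahead of every other rule, so multicast is accepted
# on INPUT/FORWARD from any interface, INET included — confirm that is intended.
# NOTE(review): 192.158.35.0/24 is not a private range; check it is not a
# typo for 192.168.35.0/24.
"$IPT" -I FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT
"$IPT" -I FORWARD -s 192.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT
"$IPT" -I INPUT -d 224.0.0.0/4 -j ACCEPT
"$IPT" -I FORWARD -d 224.0.0.0/4 -j ACCEPT

#allow pptp (disabled)
#$IPT -A INPUT -i $INET -p tcp --dport 1723 -j ACCEPT
#$IPT -A INPUT -i $INET -p 47 -j ACCEPT
#$IPT -A OUTPUT -o $INET -p tcp --sport 1723 -j ACCEPT
#$IPT -A OUTPUT -o $INET -p 47 -j ACCEPT

#deny ports on the internet side, both directions, tcp and udp:
#  23 telnet, 135 MS DCOM, 139/445 samba, 631 cups, 2049 NFS, 4444 W32blaster
for port in 23 135 139 445 631 2049 4444; do
  for proto in tcp udp; do
    "$IPT" -A INPUT  -i "$INET" -p "$proto" --dport "$port" -j DROP
    "$IPT" -A OUTPUT -o "$INET" -p "$proto" --dport "$port" -j DROP
  done
done

#deny access from internet
# Every packet hits a terminating target in this chain (ACCEPT or DROP), so
# INPUT rules appended after the `-j wall` jump below are never reached.
# On OUTPUT, locally generated packets carry no input interface, so none of
# the -i matches fire there and the chain ends in the final ACCEPT.
# (`-m conntrack --ctstate` is the equivalent of `-m state --state` on
# current iptables and can be swapped in.)
"$IPT" -N wall
"$IPT" -A wall -m state --state ESTABLISHED,RELATED -j ACCEPT
for iface in "$LAN" tun+ lo venet+; do
  "$IPT" -A wall -m state --state NEW -i "$iface" -j ACCEPT
done
"$IPT" -A wall -i "$INET" -j DROP
"$IPT" -A wall -j ACCEPT
"$IPT" -A INPUT -j wall
"$IPT" -A OUTPUT -j wall

#masquerading: connection tracking + FTP helpers
# NOTE(review): these are the legacy module names; newer kernels call them
# nf_conntrack / nf_conntrack_ftp / nf_nat_ftp — confirm on this host.
"$MODPROBE" ip_conntrack
"$MODPROBE" ip_conntrack_ftp
"$MODPROBE" ip_nat_ftp

#OPENVPN WORK
"$IPT" -A FORWARD -i tun+ -o "$LAN" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN" -o tun+ -j ACCEPT

# Allow TUN interface connections to OpenVPN server
# (the INPUT rule is redundant: tun+ is already accepted inside `wall`)
"$IPT" -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
"$IPT" -A FORWARD -i tun+ -j ACCEPT

# Allow packets from private subnets
# (the INPUT rule is redundant for the same reason as above)
"$IPT" -A INPUT -i "$LAN" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN" -j ACCEPT

# LAN traffic leaving through the tun9 tunnel is masqueraded as well
"$IPT" -t nat -A POSTROUTING -s 192.168.80.0/24 -o tun9 -j MASQUERADE

"$IPT" -t nat -A POSTROUTING -o "$INET" -j MASQUERADE

# Enable IPv4 routing between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward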
