@aaronjwood
Last active May 31, 2020 20:29
#!/bin/sh
# Router firewall with Docker. WAN and BRIDGE are supplied by the caller, e.g. WAN=eth0 BRIDGE=br0;
# abort early if either is unset so no rule is installed with an empty interface name.
: "${WAN:?set WAN to the upstream (Internet-facing) interface}"
: "${BRIDGE:?set BRIDGE to the LAN bridge interface}"
# Note: nothing here flushes existing rules, so re-running the script appends duplicates.
# Default policy: drop all incoming and forwarded packets that no rule below accepts.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Accept incoming packets from localhost and LAN.
iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Accept incoming loopback"
iptables -A INPUT -i $BRIDGE -j ACCEPT -m comment --comment "Accept incoming LAN"
# Accept incoming packets from the WAN only if the router initiated the connection.
iptables -A INPUT -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept incoming established, related WAN"
# Forward LAN packets to the WAN.
iptables -A FORWARD -i $BRIDGE -o $WAN -j ACCEPT -m comment --comment "Forward LAN to WAN"
# Forward WAN packets to the LAN only if the LAN initiated the connection.
iptables -A FORWARD -i $WAN -o $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Forward established, related WAN to LAN"
# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE -m comment --comment "Masquerade outgoing WAN"
# Drop new connections from the WAN to containers. Docker jumps to DOCKER-USER first from FORWARD,
# so this rule is evaluated before Docker's own container rules. The chain may already exist.
iptables -N DOCKER-USER || true
iptables -I DOCKER-USER -i $WAN -o docker0 -j DROP -m comment --comment "Drop incoming WAN to containers"
# Allow containers access to the host.
iptables -A INPUT -i docker0 -j ACCEPT -m comment --comment "Accept containers to host"
# Let WAN replies reach containers for connections the containers initiated (container egress itself
# is accepted by Docker's own FORWARD rules). This is inserted after the DROP above, so -I places it
# in front of the DROP; appending it with -A instead would put it behind the DROP and break replies.
iptables -I DOCKER-USER -i $WAN -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept containers to WAN"
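Because the only thing standing between the WAN and the containers is the relative order of two `-I` rules in DOCKER-USER, it is worth checking the resulting verdicts before loading the script on a router. The Python model below is added here as an example and is not part of the gist: it parses the gist's own iptables commands (with the assumed interface names eth0 and br0 standing in for $WAN and $BRIDGE), approximates the three FORWARD rules dockerd itself installs (the DOCKER-USER jump, the reply accept into docker0, and container egress; these are assumptions about Docker, not rules from the gist), and runs constructed sample packets through INPUT and FORWARD. It also evaluates the variant in which the last rule is appended with -A instead of inserted with -I.

```python
"""Offline model of the gist's firewall (example code, not the gist's own)."""
import shlex
from string import Template

WAN, BRIDGE = "eth0", "br0"   # assumed stand-ins for the gist's $WAN and $BRIDGE

GIST = Template("""
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Accept incoming loopback"
iptables -A INPUT -i $BRIDGE -j ACCEPT -m comment --comment "Accept incoming LAN"
iptables -A INPUT -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept incoming established, related WAN"
iptables -A FORWARD -i $BRIDGE -o $WAN -j ACCEPT -m comment --comment "Forward LAN to WAN"
iptables -A FORWARD -i $WAN -o $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Forward established, related WAN to LAN"
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE -m comment --comment "Masquerade outgoing WAN"
iptables -N DOCKER-USER || true
iptables -I DOCKER-USER -i $WAN -o docker0 -j DROP -m comment --comment "Drop incoming WAN to containers"
iptables -A INPUT -i docker0 -j ACCEPT -m comment --comment "Accept containers to host"
iptables -I DOCKER-USER -i $WAN -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept containers to WAN"
""").substitute(WAN=WAN, BRIDGE=BRIDGE)   # the gist's rules, shell variables filled in

# Assumed approximation of what dockerd puts at the top of FORWARD (not in the gist):
# jump to DOCKER-USER, accept replies into docker0, accept docker0 -> WAN.
DOCKER_FORWARD = [
    {"in": None, "out": None, "states": None, "target": "DOCKER-USER"},
    {"in": None, "out": "docker0", "states": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"in": "docker0", "out": WAN, "states": None, "target": "ACCEPT"},
]

def parse_rules(script):
    """Parse the iptables subset the gist uses into (policies, chains) of the filter table."""
    policies, chains = {}, {}
    for line in script.splitlines():
        line = line.split("||")[0].strip()            # drop the "|| true" guard
        argv = shlex.split(line)[1:] if line and not line.startswith("#") else []
        if not argv or "-t" in argv:                  # skip blanks, comments, nat-table rules
            continue
        i, action, chain = 0, None, None
        rule = {"in": None, "out": None, "states": None, "target": None}
        while i < len(argv):
            tok, arg = argv[i], argv[i + 1]
            if tok == "-P":
                policies[arg] = argv[i + 2]
                i += 1
            elif tok in ("-A", "-I"):
                action, chain = tok, arg
            elif tok in ("-i", "-o"):
                rule["in" if tok == "-i" else "out"] = arg
            elif tok == "-j":
                rule["target"] = arg
            elif tok == "--ctstate":
                rule["states"] = set(arg.split(","))
            elif tok not in ("-N", "-m", "--comment"):  # these add no match criteria
                raise ValueError(f"unsupported option {tok!r}: {line}")
            i += 2
        if action == "-A":
            chains.setdefault(chain, []).append(rule)
        elif action == "-I":                          # bare -I inserts at position 1
            chains.setdefault(chain, []).insert(0, rule)
    return policies, chains

def evaluate(policies, chains, chain, pkt):
    """First matching terminal target wins; an exhausted user chain returns None
    to its caller, an exhausted built-in chain falls back to its policy."""
    for rule in chains.get(chain, []):
        if ((rule["in"] and rule["in"] != pkt["in"]) or (rule["out"] and rule["out"] != pkt["out"])
                or (rule["states"] and pkt["state"] not in rule["states"])):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        verdict = evaluate(policies, chains, rule["target"], pkt)   # jump to a user chain
        if verdict is not None:
            return verdict
    return policies.get(chain)

def verdicts(script=GIST):
    """Verdict per constructed sample packet: (chain, in-iface, out-iface, ctstate)."""
    policies, chains = parse_rules(script)
    chains["FORWARD"] = DOCKER_FORWARD + chains.get("FORWARD", [])
    cases = {
        "wan_new_to_host":        ("INPUT", WAN, None, "NEW"),
        "wan_reply_to_host":      ("INPUT", WAN, None, "ESTABLISHED"),
        "container_new_to_host":  ("INPUT", "docker0", None, "NEW"),
        "lan_new_to_wan":         ("FORWARD", BRIDGE, WAN, "NEW"),
        "wan_new_to_lan":         ("FORWARD", WAN, BRIDGE, "NEW"),
        "container_new_to_wan":   ("FORWARD", "docker0", WAN, "NEW"),
        "wan_new_to_container":   ("FORWARD", WAN, "docker0", "NEW"),
        "wan_reply_to_container": ("FORWARD", WAN, "docker0", "ESTABLISHED"),
    }
    return {n: evaluate(policies, chains, c, {"in": i, "out": o, "state": s})
            for n, (c, i, o, s) in cases.items()}

# Same rules with the final -I turned into -A: the DROP then sits in front of the
# ESTABLISHED accept inside DOCKER-USER and replies to containers are lost.
APPEND_VARIANT = GIST.replace(f"-I DOCKER-USER -i {WAN} -o docker0 -m conntrack",
                              f"-A DOCKER-USER -i {WAN} -o docker0 -m conntrack")

if __name__ == "__main__":
    print(*(f"{k:24} {v}" for k, v in verdicts().items()), sep="\n")
    print("with -A instead of -I:", verdicts(APPEND_VARIANT)["wan_reply_to_container"])
```

Running the file prints the verdict table for the gist's rules and then the single verdict that changes when the last DOCKER-USER rule is appended rather than inserted: new WAN connections to containers are dropped either way, but with -A the replies to container-initiated connections are dropped too. The model ignores addresses, ports and the nat table deliberately; it only checks the interface and conntrack-state logic that the gist relies on.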