Firewall default script

rc.firewall

#!/bin/sh

# (c) Malo Skrylevo

set -x

#service $IPTABLES restart

# interfaces IF0 - external LAN iface, IF1,IF2 - internal LAN ifaces
IF0=enp2s0
IF1=vboxnet0
IF2=vboxnet1

# uncomment if you have used IP fowarding(NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward

# uncomment if you have used dynamic inet address got from inet provider
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr

IPTABLES=`which $IPTABLES` || /sbin/$IPTABLES

# disable all incoming packets
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j ACCEPT

# flush all rules
$IPTABLES -F
$IPTABLES -t nat -F

# enable masquerade (dynamic NAT)
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE -o $IF0
# uncomment if you want to enable NAT to fixed IP address external router
#$IPTABLES -t nat -A POSTROUTING -o $IF0 -s 192.168.57.0/24 -j SNAT --to-source 192.168.123.1
#$IPTABLES -t nat -A POSTROUTING -o $IF0 -s 192.168.125.0/24 -j SNAT --to-source 192.168.123.1

# uncomment if you want to forward TCP packets from external LAN to an internal
# server with specified port with using port remap
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3080 -j DNAT --to-destination 192.168.57.2:80
$IPTABLES -t nat -A OUTPUT -p tcp --dport 3080 -j DNAT --to-destination 192.168.57.2:80

# uncomment if you want to forward both TCP packets sent to the specified port
# from external LAN to an internal server to the same port
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 192.168.57.2
$IPTABLES -t nat -A OUTPUT -p tcp --dport 3000 -j DNAT --to-destination 192.168.57.2

# fix all policies to required behaviour
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i IF1 -j ACCEPT
$IPTABLES -A FORWARD -i IF2 -j ACCEPT
$IPTABLES -A INPUT -j ACCEPT