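#!/bin/sh
#
# Stateful packet filter + NAT for a small gateway.
#   EXTERNAL : interface facing the Internet (ppp0)
#   INTERNAL : interface facing the trusted LAN (eth0)
#
# Default policy is DROP on every chain; only the traffic listed below is
# allowed.  Everything else is logged (rate-limited) and dropped.
# The script is idempotent: it flushes the previous rule set before
# rebuilding it, so it can be re-run safely.
#
# Requires the Netfilter state-tracking modules to be loaded; the FTP
# data channel additionally needs the FTP connection-tracking helper.

# Stop at the first failing iptables call rather than silently continuing
# with a half-built rule set.
set -e

IPTABLES=/usr/sbin/iptables
EXTERNAL="ppp0"
INTERNAL="eth0"
LOG_PREFIX="[monmur] "

# Deny everything by default.  Policies are set BEFORE flushing so the box
# never falls back to ACCEPT while the rules are being rebuilt.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Start from a clean slate so that running the script twice does not
# duplicate rules; -X removes user-defined chains (LOG_DROP).
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

# Logging chain: log at most 5 entries per minute, then drop.  The chain
# must exist before any rule jumps to it.
"$IPTABLES" -N LOG_DROP
"$IPTABLES" -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX"
"$IPTABLES" -A LOG_DROP -j DROP

# Loopback is always allowed.  (Loopback traffic is never forwarded, so
# no FORWARD rule is needed for lo.)
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# The LAN is trusted: the gateway accepts anything from it and to it.
"$IPTABLES" -A INPUT -i "$INTERNAL" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INTERNAL" -j ACCEPT

# Connection sharing: the LAN may open any connection outwards, but only
# replies to those connections are forwarded back into the LAN.
echo 1 >/proc/sys/net/ipv4/ip_forward
"$IPTABLES" -A FORWARD -i "$INTERNAL" -j ACCEPT
"$IPTABLES" -A FORWARD -o "$INTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL" -j MASQUERADE

# Name resolution from the gateway itself: queries go TO port 53
# (destination port), replies come back FROM it.
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p udp --dport domain -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p tcp --dport domain -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p udp --sport domain -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p tcp --sport domain -m state --state ESTABLISHED,RELATED -j ACCEPT

# Web browsing from the gateway.
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p tcp -m multiport --dports www,https -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p tcp -m multiport --sports www,https -m state --state ESTABLISHED,RELATED -j ACCEPT

# FTP from the gateway: control channel to port 21, data channels on
# unprivileged ports.  Data connections only match as RELATED when the
# FTP connection-tracking helper module is loaded.
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p tcp --dport ftp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p tcp --sport ftp -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP: the gateway may ping out; incoming echo requests are accepted at a
# limited rate (10/min); any other incoming ICMP only as part of an
# existing connection (errors such as destination-unreachable are RELATED).
"$IPTABLES" -A OUTPUT -o "$EXTERNAL" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTERNAL" -p icmp --icmp-type echo-request -m state --state NEW -m limit --limit 10/min -j ACCEPT

# Anything not explicitly allowed above is logged and dropped.
"$IPTABLES" -A INPUT -j LOG_DROP
"$IPTABLES" -A OUTPUT -j LOG_DROP
"$IPTABLES" -A FORWARD -j LOG_DROP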
