#!/bin/bash
#
# Flush all current rules and chains from iptables
#
 
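set -euo pipefail

# Path to the iptables binary.  Overridable from the environment so the same
# script can be pointed at e.g. iptables-legacy; defaults to the original path.
IPT="${IPT:-/sbin/iptables}"
readonly IPT

# External (WAN) interface and the OpenVPN client subnet.  Defaults are the
# values that were previously hard-coded; override via the environment when
# reusing this script on another host.
WAN_IF="${WAN_IF:-enp1s0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
readonly WAN_IF VPN_NET

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -x "$IPT" ]] || die "iptables binary not found or not executable: $IPT"

# NOTE(review): this script programs IPv4 only.  If the host has IPv6
# connectivity, ip6tables keeps its own (default ACCEPT) policies and none of
# the restrictions below apply to v6 traffic -- confirm and mirror as needed.
#
# NOTE: the rules are applied one command at a time, so there is a brief
# window between the flush and the ESTABLISHED rule below in which existing
# sessions (e.g. the SSH session running this script) are not matched.
# Loading the whole set with iptables-restore would make the update atomic.

# Flush all current rules and user-defined chains from the filter and nat
# tables.  Chain policies are not touched by -F/-X; they are set just below.

"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

# Define a default policy set: deny inbound and forwarded traffic unless a
# rule below allows it; outbound from the host itself is unrestricted.

"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

# Allow inbound traffic on the loopback interface.

"$IPT" -A INPUT -i lo -j ACCEPT

# Allow traffic input and forwarding for the tun (OpenVPN) interfaces.
#
# Traffic from VPN clients may be forwarded anywhere; traffic arriving on the
# WAN interface is only forwarded back to the VPN when it belongs to a
# connection a VPN client initiated (ESTABLISHED/RELATED).  Previously any
# packet arriving on the WAN interface that routed to the VPN subnet was
# forwarded regardless of connection state.
#
# NOTE: forwarding additionally requires net.ipv4.ip_forward=1, which this
# script does not set.

"$IPT" -A INPUT -i tun+ -j ACCEPT
"$IPT" -A FORWARD -i tun+ -j ACCEPT
"$IPT" -A FORWARD -i "$WAN_IF" -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow already established connections.

"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Allow new OpenVPN connections on UDP port 1194.
#

"$IPT" -A INPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# Masquerade VPN client traffic leaving through the WAN interface so replies
# come back to this host and are forwarded to the client.

"$IPT" -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

#
# Allow new SSH connections on tcp port 22 but rate limit connection attempts
# to 3 every 5 minutes.
#
# The first rule records each new SSH connection attempt under the name "SSH".
# The second drops the attempt when the source has already made 4 or more
# attempts within the last 300 seconds; because it uses --update rather than
# --rcheck, every further attempt refreshes the timestamp and extends the
# block.  Anything not dropped is accepted by the third rule.
#

"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
"$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

#
# Allow new inbound Tor relay connections on port 443.
#

"$IPT" -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT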