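#!/bin/bash
#
# Firewall / NAT setup script.
#
# Stops the iptables service, flushes the filter and nat tables, rebuilds the
# rule set (masquerading, per-interface INPUT/FORWARD filtering, port
# forwarding), then saves the rules and restarts the service.
#
# Rules are appended in order, so the trailing DROP rules for eth0 only catch
# what the earlier ACCEPT rules did not match. Must run as root.

readonly IPTABLES="/sbin/iptables"

# Start from a clean slate: stop the service, then delete user-defined chains
# and flush the built-in ones in both tables (same order as before: -X, -F).
/etc/init.d/iptables stop
for table in filter nat; do
  "$IPTABLES" -t "$table" -X
  "$IPTABLES" -t "$table" -F
done

# MASQUERADING on the outbound interfaces.
# NOTE(review): the original comment listed ppp0, ppp1, eth0 but the rule set
# targets ppp9, not ppp1 — confirm which interface is intended.
for iface in ppp0 ppp9 eth0; do
  "$IPTABLES" -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
done

# FILTER: accept everything from localhost.
"$IPTABLES" -t filter -A INPUT -s localhost -j ACCEPT

# FORWARD ETH0: per-host MAC allow list (Oleg, Angela-PC, Angela-Notebook, Ajrat).
# Currently disabled; while it is off, NEW forwards arriving on eth0 fall
# through to the DROP rule at the end of this script.
#ALLOWED_MAC=( '00:17:31:0F:B8:D7' '00:11:5B:02:EF:D8' '00:1B:38:71:67:51' '00:1E:8C:40:D3:6B' )
#for mac in "${ALLOWED_MAC[@]}"; do
#  "$IPTABLES" -t filter -A FORWARD -i eth0 -o ppp0 -m mac --mac-source "$mac" -m state --state NEW -j ACCEPT
#done

# FORWARD ETH1: accept all (this side is served by DHCP).
"$IPTABLES" -t filter -A FORWARD -i eth1 -j ACCEPT

# INPUT on eth0: accept NEW connections only to the selected service ports
# (22 = SSH; 137-139, 445 = NetBIOS/SMB).
TCP_ALLOWED_PORTS=( 22 137 138 139 445 )
UDP_ALLOWED_PORTS=( 137 138 139 445 )
for port in "${TCP_ALLOWED_PORTS[@]}"; do
  "$IPTABLES" -t filter -A INPUT -i eth0 -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done
for port in "${UDP_ALLOWED_PORTS[@]}"; do
  "$IPTABLES" -t filter -A INPUT -i eth0 -p udp --dport "$port" -m state --state NEW -j ACCEPT
done

# Accept packets belonging to already established / related connections.
"$IPTABLES" -t filter -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Port forwarding: 10.0.0.1:80 -> 195.135.236.52:80 and 10.0.0.1:123 -> 10.0.0.1:80.
# The first two rules previously invoked bare 'iptables'; they now use
# $IPTABLES like every other rule so the script does not depend on PATH.
"$IPTABLES" -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 80 -j DNAT --to-destination 195.135.236.52
# NOTE(review): replies to the DNAT above are reverse-translated by conntrack;
# this SNAT rule only affects NEW connections originating from
# 195.135.236.52:80 — confirm it is actually needed.
"$IPTABLES" -t nat -A POSTROUTING -p tcp -s 195.135.236.52 --sport 80 -j SNAT --to-source 10.0.0.1
"$IPTABLES" -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 123 -j DNAT --to 10.0.0.1:80
# NOTE(review): the filter FORWARD chain sees the post-DNAT destination
# (195.135.236.52), so matching -d 10.0.0.1 here will not catch the forwarded
# traffic — confirm whether -d 195.135.236.52 was intended. Left unchanged.
"$IPTABLES" -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -j ACCEPT

# Drop everything else arriving on eth0 (NEW and INVALID).
# NOTE(review): no chain policy (-P) is set in this script, so traffic on the
# other interfaces (ppp0, ppp9, ...) is governed by whatever policy the
# service leaves in place — confirm that is the intended exposure.
"$IPTABLES" -t filter -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
"$IPTABLES" -t filter -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP

# Persist the rule set and bring the service back up.
/etc/init.d/iptables save
/etc/init.d/iptables start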