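#!/bin/bash
#
# Host firewall: default-DROP on INPUT/OUTPUT/FORWARD, stateful ACCEPT of
# RELATED/ESTABLISHED traffic, and an explicit allow-list of NEW outbound
# connections to non-private destinations (chain DEST_INET).
#
# Must run as root. Any failing iptables command aborts the script; because
# the chain policies are set to DROP before anything else is touched, a
# partial run fails closed rather than leaving the host open.

set -eu

# --- Configuration ---------------------------------------------------------
#default_policy=ACCEPT
default_policy=DROP
# NOTE(review): good_guys and bad_guys are the same prefix here — presumably
# site placeholders to be edited. good_guys and any_port are not referenced
# by any rule below.
good_guys=10.0.0.0/8
bad_guys=10.0.0.0/8
any_ip=0.0.0.0/0
any_port=0:65535

#######################################
# Append a rule accepting NEW connections for a set of destination ports.
# Arguments:
#   $1 - chain to append to
#   $2 - source address/prefix
#   $3 - destination address/prefix
#   $4 - protocol (tcp or udp)
#   $5 - comma-separated port names/ranges for -m multiport --dports
# Returns: exit status of iptables (a failure aborts the script under set -e)
#######################################
accept_new() {
  local chain=$1 src=$2 dst=$3 proto=$4 ports=$5
  # -p is given before -m multiport so the port list is parsed against a
  # known protocol.
  iptables -A "$chain" \
    -m conntrack --ctstate NEW \
    -p "$proto" -m multiport --dports "$ports" \
    -s "$src" -d "$dst" -j ACCEPT
}

# FTP conntrack helper is best-effort: if the module cannot be loaded the
# rest of the ruleset must still be applied, so do not let set -e abort here.
modprobe ip_conntrack_ftp || printf 'warning: could not load ip_conntrack_ftp\n' >&2

# Policies first, so that the flush below leaves a closed firewall rather
# than an open one if any later command fails.
iptables -P INPUT "$default_policy"
iptables -P OUTPUT "$default_policy"
iptables -P FORWARD "$default_policy"
iptables -F
iptables -t nat -F
iptables -X

# DEST_INET: RETURN for private/link-local destinations so the allow rules
# appended later apply only to Internet destinations.
iptables -N DEST_INET
iptables -A DEST_INET -d '10.0.0.0/8' -j RETURN
iptables -A DEST_INET -d '172.16.0.0/12' -j RETURN
iptables -A DEST_INET -d '192.168.0.0/16' -j RETURN
iptables -A DEST_INET -d '169.254.0.0/16' -j RETURN

# NORMAL: shared stateful rules evaluated by all three built-in chains.
iptables -N NORMAL
iptables -A NORMAL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -j NORMAL
iptables -A OUTPUT -j NORMAL
iptables -A OUTPUT -j DEST_INET
iptables -A FORWARD -j NORMAL
iptables -A FORWARD -j DEST_INET

# No new connections to bad guys. Appended before the ping ACCEPT so it covers
# every NEW flow including echo-requests; with the ACCEPT first, pings to
# bad_guys were let through.
iptables -A NORMAL -m conntrack --ctstate NEW -d "$bad_guys" -j DROP

# Allow pings
iptables -A NORMAL -m conntrack --ctstate NEW \
  -p icmp --icmp-type echo-request -j ACCEPT

# Allow ports here:
accept_new DEST_INET "$any_ip" "$any_ip" tcp domain
accept_new DEST_INET "$any_ip" "$any_ip" tcp http,https
#accept_new INPUT "$any_ip" "$any_ip" tcp pop3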