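#!/bin/bash
# Small NAT firewall for a LAN behind a PPP uplink.
#
# What this script sets up (in order): flushes filter/nat, sets default policies,
# anti-spoofing REJECTs, a WAN->LAN forward allow-list, masquerading for the LAN,
# a few per-service INPUT REJECTs, and an example DNAT redirection.
#
# Using "ippl" to log connections is recommended; no LOG targets are set here.
# Must run as root (iptables and the ip_forward sysctl both need it).
#
# Environment overrides (defaults match the original hard-coded layout):
#   IPT      - iptables binary          (default: iptables)
#   LAN_IF   - inside interface         (default: eth0)
#   WAN_IF   - uplink interface         (default: ppp0)
#   LAN_NET  - inside network           (default: 192.168.0.0/24)
#   LAN_BCAST - inside broadcast addr   (default: 192.168.0.255)
set -eu

readonly IPT=${IPT:-iptables}
readonly LAN_IF=${LAN_IF:-eth0}
readonly WAN_IF=${WAN_IF:-ppp0}
readonly LAN_NET=${LAN_NET:-192.168.0.0/24}
readonly LAN_BCAST=${LAN_BCAST:-192.168.0.255}
readonly LOOPBACK_NET=127.0.0.0/255.0.0.0

# Fail early with a clear message instead of a string of "command not found".
if ! command -v "$IPT" >/dev/null 2>&1; then
  printf '%s: %s not found\n' "${0##*/}" "$IPT" >&2
  exit 1
fi

# Start from clean filter and nat tables. Only these two tables are flushed;
# the mangle table and any user-defined chains (-X) are left alone on purpose.
"$IPT" -F
"$IPT" -t nat -F

# Default policies: only FORWARD is closed by default. INPUT and OUTPUT stay
# open and are narrowed by the explicit REJECT rules that follow.
"$IPT" -P INPUT ACCEPT
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

# ssh priority: accept TOS 16 (minimize-delay) ssh traffic first on OUTPUT.
# The OUTPUT policy is already ACCEPT, so these rules only take effect if
# restrictive OUTPUT rules are appended later.
"$IPT" -A OUTPUT -p tcp -m tos --tos 16 --dport 22 -j ACCEPT
"$IPT" -A OUTPUT -p tcp -m tos --tos 16 --sport 22 -j ACCEPT

# Broadcast: never forward packets aimed at the LAN broadcast address or the
# 192.168.0.0/16 directed broadcast.
"$IPT" -A FORWARD -d "$LAN_BCAST" -j REJECT
"$IPT" -A FORWARD -d 192.168.255.255 -j REJECT

# Spoofing: LAN source addresses must not arrive on the uplink, and loopback
# addresses must not appear anywhere except on lo.
# (Negation uses the extrapositioned "! -i" form; the intrapositioned "-i !"
# form the original used is deprecated in current iptables.)
"$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j REJECT
"$IPT" -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j REJECT
"$IPT" -A FORWARD -d "$LOOPBACK_NET" -j REJECT
"$IPT" -A INPUT ! -i lo -d "$LOOPBACK_NET" -j REJECT
"$IPT" -A FORWARD -s "$LOOPBACK_NET" -j REJECT
"$IPT" -A INPUT ! -i lo -s "$LOOPBACK_NET" -j REJECT

# Forward allow-list from the uplink. With the FORWARD policy at DROP these are
# the only new WAN->LAN connections that pass.
# NOTE(review): the original comment read "no forward < 1024", yet both rules
# ACCEPT new inbound forwards to those ports (22 is already inside 0:1024).
# Kept as-is to preserve behaviour; confirm this allow-list is intended.
"$IPT" -A FORWARD -p tcp -i "$WAN_IF" --dport 22 -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$WAN_IF" --dport 0:1024 -j ACCEPT

# Masquerading from the inside: LAN may forward out, replies may come back,
# and LAN sources are NATed behind the uplink address.
"$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
"$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED \
  -d "$LAN_NET" -j ACCEPT
"$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Block Samba (139), the proxy (8080) and rpc (111) from outside the LAN.
# NOTE(review): only TCP is matched here; the UDP side of these services is
# not filtered by this script and falls through to the INPUT ACCEPT policy.
for port in 139 8080 111; do
  "$IPT" -A INPUT ! -s "$LAN_NET" -p tcp --dport "$port" -j REJECT
done
#"$IPT" -A INPUT ! -s "$LAN_NET" -p tcp --dport 80 -j REJECT

# Block lpr (515) and sunrpc from anything but this machine.
"$IPT" -A INPUT ! -s 127.0.0.1 -p tcp --dport 515 -j REJECT
#"$IPT" -A INPUT ! -s 127.0.0.1 -p tcp --dport 111 -j REJECT
#"$IPT" -A INPUT ! -s 127.0.0.1 -p tcp --dport 6000 -j REJECT

# Example port redirection: tcp/2000 arriving on the LAN interface is DNATed
# to 130.206.42.238:25. The forward itself is already allowed by the LAN
# ACCEPT rule above.
"$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 2000 \
  -j DNAT --to-destination 130.206.42.238:25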