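#!/bin/bash
#
# Gateway firewall: IPv4 hardening sysctls plus an iptables ruleset with
# DROP default policies for a host that routes between an internal LAN,
# a VPN tunnel and a WAN uplink.
#
# Environment (all optional; defaults are the values the script originally
# hard-coded):
#   WAN_IF      uplink interface that gets masqueraded        (default: eth0)
#   VPN_IF      VPN tunnel interface                          (default: tun0)
#   VPN_PORT    UDP port the VPN listener accepts on          (default: 1194)
#   LAN_NET     internal network allowed to connect through   (default: 10.30.1.0/25)
#   VPN_SERVER  VPN server address trusted in every chain     (default: 10.30.0.1)
#
# Must run as root: it writes /proc/sys and rewrites the iptables tables.
# Aborts on the first failing command; because the DROP policies are set
# early, an abort leaves the host fail-closed rather than half-open.

set -eu

wan_if=${WAN_IF:-eth0}
vpn_if=${VPN_IF:-tun0}
vpn_port=${VPN_PORT:-1194}
lan_net=${LAN_NET:-10.30.1.0/25}
vpn_server=${VPN_SERVER:-10.30.0.1}

if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

#######################################
# Write a value to a /proc/sys knob (same effect as `sysctl -w`).
# Arguments: $1 - key path below /proc/sys, $2 - value to write
#######################################
set_sysctl() {
  printf '%s\n' "$2" > "/proc/sys/$1"
}

# This host routes between interfaces.
set_sysctl net/ipv4/ip_forward 1
# Ignore ICMP echo requests addressed to broadcast/multicast (amplification).
set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1
# SYN cookies keep the listen queue usable under a SYN flood.
set_sysctl net/ipv4/tcp_syncookies 1
# Do NOT accept ICMP redirects. The original wrote 1 here, which enabled
# them despite its "Don't accept" comment; 0 is the hardened value.
set_sysctl net/ipv4/conf/all/accept_redirects 0
# Do NOT send ICMP redirects (same inverted value in the original).
set_sysctl net/ipv4/conf/all/send_redirects 0
# Reverse-path filtering: drop packets whose source is not routable back via
# the arrival interface. This is anti-spoofing; the original comment
# mislabelled it as "enable ARP spoofing".
set_sysctl net/ipv4/conf/all/rp_filter 1

# Start from a clean slate. The original flushed only the filter table, so
# every rerun appended another MASQUERADE rule to nat/POSTROUTING.
iptables --flush
iptables -t nat --flush

# Default deny in every chain; everything below is an explicit ACCEPT.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Traffic belonging to an already-accepted connection. Placed first so most
# packets match on the first rule; since every rule in this file is an
# ACCEPT, the position does not change what is allowed or dropped.
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Unrestricted loopback.
iptables -A INPUT  -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT

# ICMP in all directions, all types (as in the original).
iptables -A INPUT   -p icmp -m state --state NEW -j ACCEPT
iptables -A OUTPUT  -p icmp -m state --state NEW -j ACCEPT
iptables -A FORWARD -p icmp -m state --state NEW -j ACCEPT

# NAT: masquerade everything leaving the WAN interface.
iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE

# Internal network may open connections through this box (Internet and VPN;
# the original carried this identical rule twice under two comments).
iptables -A FORWARD -s "$lan_net" -m state --state NEW -j ACCEPT

# Anything to or from the VPN tunnel interface.
iptables -A INPUT   -i "$vpn_if" -m state --state NEW -j ACCEPT
iptables -A OUTPUT  -o "$vpn_if" -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$vpn_if" -m state --state NEW -j ACCEPT
iptables -A FORWARD -o "$vpn_if" -m state --state NEW -j ACCEPT

# VPN listener, incoming only. The outgoing counterpart was commented out
# in the original and stays that way.
iptables -A INPUT -p udp --dport "$vpn_port" -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -p udp --dport "$vpn_port" -m state --state NEW -j ACCEPT

# Outbound services this host itself needs: DNS, HTTP (updates), NTP, SSH,
# DHCP client. tcp/123 was in the original list and is kept.
for spec in tcp:53 udp:53 tcp:80 tcp:123 udp:123 tcp:22 udp:68; do
  iptables -A OUTPUT -p "${spec%%:*}" --dport "${spec#*:}" \
    -m state --state NEW -j ACCEPT
done

# Incoming DNS, SSH and DHCP server were disabled in the original; left off.
#iptables -A INPUT -p udp --dport 67 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Everything between this host and the internal network.
iptables -A OUTPUT -d "$lan_net" -m state --state NEW -j ACCEPT
iptables -A INPUT  -s "$lan_net" -m state --state NEW -j ACCEPT

# Everything involving the VPN server address, in every chain.
iptables -A INPUT   -s "$vpn_server" -m state --state NEW -j ACCEPT
iptables -A OUTPUT  -d "$vpn_server" -m state --state NEW -j ACCEPT
iptables -A FORWARD -s "$vpn_server" -m state --state NEW -j ACCEPT
iptables -A FORWARD -d "$vpn_server" -m state --state NEW -j ACCEPT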