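# Gateway firewall configuration (iptables-restore / ip6tables-restore format).
# eth0 is the public, untrusted interface; eth1 is the private LAN 192.168.33.0/24.
# Rules prefixed with -4 or -6 are family-specific and are skipped by the other
# restore tool; unprefixed rules are loaded for both IPv4 and IPv6.
*filter
# Default-deny for traffic addressed to the gateway (INPUT) and for transit
# traffic (FORWARD). Traffic originated by the gateway itself is trusted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# ---------------------------------------------------------------------------
# INPUT: traffic addressed to the gateway itself
# ---------------------------------------------------------------------------

# Trust local loopback
-A INPUT -i lo -j ACCEPT

# Drop packets conntrack cannot classify (malformed, out-of-window, no state)
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Replies to flows the gateway initiated, plus RELATED traffic (e.g. ICMP
# errors for its own connections). One protocol-agnostic rule replaces the
# former separate TCP (RELATED,ESTABLISHED) and UDP (ESTABLISHED) rules; the
# only difference is that RELATED UDP is now accepted too, which is what a
# stateful return path normally wants.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# ICMP. ICMPv6 must be accepted for IPv6 to function at all (neighbour and
# router discovery, path MTU discovery). For IPv4, echo-request is rate-limited
# so the gateway cannot be used as a ping-flood sink; all other ICMPv4 types
# (destination-unreachable, fragmentation-needed, time-exceeded, ...) are
# accepted so PMTUD and error reporting keep working.
-4 -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 20 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
-4 -A INPUT -p icmp -j ACCEPT
-6 -A INPUT -p ipv6-icmp -j ACCEPT

# DHCP: accept server answers (67 -> 68) for the gateway's own lease; broadcast
# answers do not match conntrack, hence the explicit rule. Client requests
# (68 -> 67, e.g. LAN broadcasts) would fall to the DROP policy anyway; the
# explicit DROP only keeps them out of the drop log below.
# NOTE(review): if this gateway runs a DHCP server for the LAN, the DROP has to
# become `-4 -A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT`.
-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

# Services offered by the gateway. SMTP (25) has to be reachable from the
# Internet to receive mail. SSH (22) is kept reachable on every interface for
# remote administration; if external admin access is not needed, restrict it
# with `-i eth1`, or add a `-m recent` / `-m hashlimit` throttle on NEW
# connections to slow down brute forcing.
-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT

# DNS (53) and NTP (123) are served to the LAN only. Accepting them on eth0
# would expose the gateway as an open resolver / NTP responder usable for
# UDP reflection and amplification attacks. The gateway's own outbound
# DNS/NTP queries are unaffected: their replies match the ESTABLISHED rule.
-A INPUT -i eth1 -p udp -m multiport --dports 53,123 -j ACCEPT

# Log whatever falls through, rate-limited so a flood cannot fill the log
# (up to 1000 lines of burst, then 1 line/sec), then fall to the DROP policy.
-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "

# ---------------------------------------------------------------------------
# FORWARD: transit between the private LAN (eth1) and the Internet (eth0)
# ---------------------------------------------------------------------------

# Same stateful handling as INPUT: drop what conntrack cannot classify and
# accept replies to flows the LAN initiated. This replaces the former return
# rule that matched on `--sports 80,443`: a source-port match is not a state
# check, so any host on eth0 could open a NEW connection towards the LAN
# simply by sending from source port 80 or 443.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Pings from the LAN outwards only; echo-replies and ICMP errors come back
# through the ESTABLISHED/RELATED rule above. Previously ICMPv4 was forwarded
# in both directions unconditionally.
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p icmp -j ACCEPT
# ICMPv6 is forwarded in both directions as before. There is no other IPv6
# forwarding rule and no IPv6 NAT in this file, so IPv6 transit is otherwise
# blocked by the FORWARD policy.
-6 -A FORWARD -p ipv6-icmp -j ACCEPT

# HTTP/HTTPS from the LAN outwards. -s pins the source to the LAN prefix so a
# host on eth1 cannot push traffic with a foreign source address through the
# NAT; `--ctstate NEW` makes explicit that only connection setup is matched
# here, the rest of the flow is handled by the stateful rule above.
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

# Log dropped transit traffic too (same throttle as INPUT), then fall to
# the DROP policy. Without this, blocked forwarding is invisible.
-A FORWARD -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[FWD DROP] "
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Masquerade LAN traffic leaving the public interface. -s restricts the NAT to
# the private prefix so the gateway never rewrites packets from any other
# source (spoofed or misrouted) into its own public address. An IPv4 prefix
# requires the -4 marker, otherwise ip6tables-restore would reject the line.
# NOTE(review): the previous unprefixed rule would also have been loaded by
# ip6tables-restore and masqueraded IPv6 -- confirm that was never relied upon.
-4 -A POSTROUTING -s 192.168.33.0/24 -o eth0 -j MASQUERADE
COMMIT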