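#!/usr/bin/bash
#
# Stateful iptables baseline for a small gateway host.
#
# What it sets up, in order:
#   * default-DROP policy on INPUT, OUTPUT and FORWARD
#   * conntrack pass-through for RELATED/ESTABLISHED flows, drop of INVALID
#   * anti-lockout: new TCP connections to SSH_PORT are logged and accepted
#   * loopback allowed; unrestricted outbound from the firewall host itself
#   * MASQUERADE on WAN_IF (nat/POSTROUTING)
#   * a LOGGING chain that logs with prefix "IPT Drop: " and then drops;
#     INPUT and OUTPUT both fall through into it
#   * ruleset persisted with iptables-save, then IPv4 forwarding re-enabled
#
# Must run as root.  Tunables (environment, all optional; defaults are the
# values that used to be hard-coded):
#   WAN_IF      interface whose outbound traffic is masqueraded   (ens33)
#   SSH_PORT    TCP port kept reachable by the anti-lockout rule  (22)
#   RULES_FILE  destination of iptables-save; its directory must exist
#               (/etc/iptables/rules.v4)
#
# Fail-closed: forwarding is switched off first and only switched back on
# after every rule and the save succeeded.  With `set -e` any failure
# aborts the script while ip_forward is still 0.
#
# NOTE(review): FORWARD only accepts RELATED/ESTABLISHED and lo<->lo, so no
# new forwarded flow is ever accepted and the MASQUERADE rule is effectively
# idle.  If this host is meant to route for an internal network, an explicit
# `-A FORWARD -i <lan-if> -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT`
# is needed; it is deliberately not added here because it widens the policy.

set -euo pipefail

readonly WAN_IF="${WAN_IF:-ens33}"
readonly SSH_PORT="${SSH_PORT:-22}"
readonly RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
readonly IP_FORWARD=/proc/sys/net/ipv4/ip_forward
readonly IPT_SAVE=/usr/sbin/iptables-save

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Write 0 or 1 to the kernel's IPv4 forwarding switch.
# Arguments: $1 - "0" (off) or "1" (on)
set_ip_forward() {
  printf '%s\n' "$1" > "$IP_FORWARD"
}

# Discard every rule and user-defined chain in the filter and nat tables.
flush_all() {
  "$IPT" -F
  "$IPT" -X
  "$IPT" -t nat -F
  "$IPT" -t nat -X
}

# Default-deny on all three built-in filter chains.
set_default_policies() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" DROP
  done
}

# Per chain: let packets of already-known flows through, drop INVALID ones.
add_conntrack_rules() {
  local chain
  for chain in FORWARD INPUT OUTPUT; do
    "$IPT" -A "$chain" -m conntrack --ctstate=RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A "$chain" -m conntrack --ctstate=INVALID -j DROP
  done
}

# Anti-lockout: log and accept new SSH connections before the catch-all
# LOGGING/DROP at the end of INPUT can eat them.  Accepts from any source,
# as the original did; restrict with -s / -i if the deployment allows it.
add_ssh_rules() {
  "$IPT" -A INPUT -p tcp -m tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -j LOG --log-prefix "IPT " --log-level info
  "$IPT" -A INPUT -p tcp -m tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -j ACCEPT
}

# Loopback traffic plus unrestricted outbound from the firewall host.
add_local_rules() {
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A FORWARD -i lo -o lo -j ACCEPT
  "$IPT" -A OUTPUT -j ACCEPT
}

# Hide whatever is routed through this host behind the WAN address.
add_nat_rules() {
  "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# LOGGING chain: one LOG rule, one terminating DROP.  The original appended
# the LOG/DROP pair twice; the second copy sat after a terminating DROP and
# could never match, so it is not reproduced.
# NOTE(review): the LOG rule is unrate-limited; `-m limit --limit 5/min` in
# front of it would keep a packet flood from also flooding the log.
add_logging_chain() {
  "$IPT" -N LOGGING
  "$IPT" -A LOGGING -j LOG --log-prefix "IPT Drop: " --log-level info
  "$IPT" -A LOGGING -j DROP
  "$IPT" -A INPUT -j LOGGING
  # Unreachable while the ACCEPT-all in add_local_rules precedes it; kept so
  # OUTPUT still ends in LOGGING if that rule is ever tightened.
  "$IPT" -A OUTPUT -j LOGGING
}

# Persist the ruleset so it survives a reboot.
persist_rules() {
  "$IPT_SAVE" > "$RULES_FILE"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  IPT=$(command -v iptables) || die "iptables not found in PATH"
  readonly IPT

  # Forwarding stays off until the complete ruleset is in place.
  set_ip_forward 0
  flush_all
  set_default_policies
  add_conntrack_rules
  add_ssh_rules
  add_local_rules
  add_nat_rules
  add_logging_chain
  persist_rules
  set_ip_forward 1
}

main "$@"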