#!/bin/bash

## These variables make setting up NAT easier, just uncomment the NAT sections
## below
PUBLIC_INTERFACE=
LAN_INTERFACE=
JFW_LOG_4='-j LOG --log-prefix "[ JFW IPv4 DROP ]"'
JFW_LOG_6='-j LOG --log-prefix "[ JFW IPv6 DROP ]"'





		#########
		# IPv4  #
		#########

##======== General required =======## 			
iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT                    ## Loop device
iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT                  ## ICMP, e.g. ping
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   ## Existing and related to outgoing

##============= NAT ===============##
# iptables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
# iptables -A FORWARD -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A POSTROUTING -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -j MASQUERADE

##============ Public =============##
# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

##============= LAN ===============##
iptables -A INPUT -i enp4s0 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -i enp4s0 -p ALL -d 224.0.0.1 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -i enp4s0 -p udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT	## MDNS

##============ Logging ============##
# iptables -A INPUT -p ALL $JFW_LOG_4
# iptables -A INPUT -p ALL -j DROP

## Default policies for IPv4 ##
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP






		########
		# IPv6 #
		########

##=========== General ===========##
ip6tables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT                                   ## Loop device
ip6tables -A INPUT -p ipv6-icmp -m conntrack --ctstate NEW -j ACCEPT                            ## ICMP, e.g. ping
ip6tables -A INPUT -p icmpv6 -m conntrack --ctstate NEW -j ACCEPT                               ## These are required for IPv6
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT                         ## Existing and related to outgoing
ip6tables -A INPUT -d fe80::/10 -p udp -m conntrack --ctstate NEW -m udp --dport 546 -j ACCEPT  ## DHCPv6-client
# ip6tables -A INPUT -i $LAN_INTERFACE -p udp --dport 547 -m conntrack --ctstate NEW -j ACCEPT    ## DHCPv6 server

##============= NAT ===============##
# ip6tables -A FORWARD -i $LAN_INTERFACE -o $PUBLIC_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
# ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
### NAT may not be desired for IPv6, if the clients on your LAN get
### a public IPv6 address from the DHCP server, you may want to leave this
### commented
# ip6tables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE

##============ Public =============##
# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i $PUBLIC_INTERFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

##============= LAN ===============##
ip6tables -A INPUT -i $LAN_INTERFACE -m conntrack --ctstate NEW -j ACCEPT
# ip6tables -A INPUT -i $LAN_INTERFACE -p udp --dport 5353 -j ACCEPT	## MDNS

##=========== Logging =============##
# ip6tables -A INPUT -p ALL $JFW_LOG_6
# ip6tables -A INPUT -p ALL -j DROP

##=== Default policies for IPv6 ===##
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP