#!/bin/bash
#----- Flush all existing rules -----
iptables -F
iptables -t nat -F
iptables -t mangle -F

#----- DEFAULT POLICIES -----
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#----- LOOPBACK -----
iptables -A INPUT -i lo -j ACCEPT
# Added: with the OUTPUT policy set to DROP, the loopback reply path must be
# allowed as well, otherwise local services cannot talk to each other over lo.
iptables -A OUTPUT -o lo -j ACCEPT

#----- PUBLIC ETH0 -----
# DHCP (this host is a DHCP client on eth0)
iptables -A INPUT -i eth0 -p UDP --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -o eth0 -p UDP --sport 68 --dport 67 -j ACCEPT
# DNS
iptables -A OUTPUT -o eth0 -p UDP --dport 53 -j ACCEPT
# Note: this also accepts any unsolicited UDP datagram with source port 53;
# the ESTABLISHED,RELATED rule below already lets the replies back in.
iptables -A INPUT -i eth0 -p UDP --sport 53 -j ACCEPT
# HTTPS
iptables -A INPUT -i eth0 -p TCP --dport 443 -j ACCEPT
# SSH
iptables -A INPUT -i eth0 -p TCP --dport 22 -j ACCEPT
# HTTP for APT
iptables -A OUTPUT -o eth0 -p TCP --dport 80 -j ACCEPT
# STATEFUL FIREWALL
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#----- PRIVATE ETH1 -----
# DHCP (this host is the DHCP server on eth1)
iptables -A INPUT -i eth1 -p UDP --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth1 -p UDP --sport 67 --dport 68 -j ACCEPT
# HTTP -> HTTPS
iptables -A INPUT -i eth1 -p TCP --dport 80 -j REJECT
#iptables -t nat -A PREROUTING -i eth1 -p TCP --dport 80 -j REDIRECT --to 443
# HTTPS
iptables -A INPUT -i eth1 -p TCP --dport 443 -j ACCEPT
# SSH
iptables -A INPUT -i eth1 -p TCP --dport 22 -j ACCEPT
# STATEFUL FIREWALL
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#----- FORWARDING -----
# DNS
iptables -A FORWARD -i eth1 -o eth0 -p UDP --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p UDP --sport 53 -j ACCEPT
# HTTP
iptables -A FORWARD -i eth1 -o eth0 -p TCP --dport 80 -j ACCEPT
# HTTPS
iptables -A FORWARD -i eth1 -o eth0 -p TCP --dport 443 -j ACCEPT
# FTP - passive
# Only the control connection is opened here; the passive data connection is
# matched by the RELATED rule below only if the nf_conntrack_ftp helper is loaded.
iptables -A FORWARD -i eth1 -o eth0 -p TCP --dport 21 -j ACCEPT
# STATEFUL FIREWALL
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT