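#!/usr/bin/env bash
#
# Firewall rule set for a two-interface gateway: eth0 faces the outside,
# eth1 faces the 192.168.0.0/24 inside network. Three inside hosts
# (192.168.0.6, .7 and .9) are exposed for selected services through the
# site helper /etc/rc.d/inDMZAllow; what that helper installs is not visible
# here, its arguments are passed through exactly as the original script did.
#
# The script is a flat sequence of iptables calls and must run as root.
# Rules are appended in the order written, so ordering within each section
# is significant.

# Stop at the first failed iptables call instead of silently continuing with
# a half-applied rule set; -u turns a mistyped variable into an error.
set -eu

# Interface / address plan, named once so each rule reads as intent.
readonly ext_if=eth0
readonly int_if=eth1
readonly int_net=192.168.0.0/24
readonly rfc1918_16=192.168.0.0/16
readonly dns_net=216.254.8.0/24
readonly dmz_allow=/etc/rc.d/inDMZAllow
readonly dmz_hosts=(192.168.0.6 192.168.0.7 192.168.0.9)

#######################################
# Invoke the inDMZAllow helper once per DMZ host for one protocol.
# Globals:   dmz_allow (read), dmz_hosts (read)
# Arguments: $1 - protocol (tcp, udp or icmp); every further argument is
#            passed through unchanged (e.g. --dport www).
# Outputs:   none; the side effect is whatever inDMZAllow installs.
# Returns:   exit status of the last helper call (set -e aborts on failure).
#######################################
dmz_allow_all() {
  local proto=$1
  shift
  local host
  for host in "${dmz_hosts[@]}"; do
    "$dmz_allow" "$host" "$proto" "$@"
  done
}

# Anti-spoofing (the original comment called this "reverse path filtering",
# but it is explicit source filtering, not the kernel rp_filter sysctl):
# drop packets entering on the outside interface that claim an inside
# 192.168/16 source, and packets entering on the inside interface whose
# source is not the inside /24.
# "! -s" is the current iptables negation syntax; the older "-s ! addr"
# form is deprecated and rejected by newer releases.
# NOTE(review): these rules live in the nat table's PREROUTING chain, which
# only sees the first packet of each connection, and that chain is not
# flushed below, so re-running this script appends duplicates — confirm
# whether another script resets the nat table.
iptables -t nat -A PREROUTING -i "$ext_if" -s "$rfc1918_16" -j DROP
iptables -t nat -A PREROUTING -i "$int_if" ! -s "$int_net" -j DROP

# Flush the filter table's built-in chains so the rest is repeatable.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# Default-deny for traffic to and through this host (OUTPUT keeps its
# policy as-is).
iptables -P FORWARD DROP
iptables -P INPUT DROP

# Keep already-established and related connections flowing.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Inside to outside: any new connection entering on the inside interface.
iptables -A FORWARD -i "$int_if" -m state --state NEW -j ACCEPT

# New connections to this host from the inside network and from loopback.
# NOTE(review): the loopback rule matches on source address only, not on
# "-i lo"; the kernel's martian handling normally keeps a spoofed 127.0.0.1
# off eth0, but pinning the rule to the lo interface would not depend on it.
iptables -A INPUT -s "$int_net" -m state --state NEW -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -m state --state NEW -j ACCEPT

# DNS requests from outside to the published resolver address range.
iptables -A INPUT -d "$dns_net" -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -d "$dns_net" -p udp --dport 53 -j ACCEPT

# Outside to inside, per service. Each call expands to one helper invocation
# per DMZ host, in the same order the original script listed them
# (all tcp hosts first, then udp).
# http
dmz_allow_all tcp --dport www
dmz_allow_all udp --dport www     # udp/www kept exactly as the original had it
# https
dmz_allow_all tcp --dport https
dmz_allow_all udp --dport https   # udp/https kept exactly as the original had it
# ftp
dmz_allow_all tcp --dport ftp
# nntp
dmz_allow_all tcp --dport nntp
# icmp echo-request (ping) to the DMZ hosts
dmz_allow_all icmp --icmp-type echo-request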