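#!/bin/sh
# Host firewall for a small NAT gateway: deny inbound by default, allow
# loopback, ICMP and SSH, forward traffic only for two named internal hosts,
# and masquerade the internal network out through the external interface.
#
# Must run as root.  The save/restart at the end targets the RedHat
# `service iptables` helper.  Forwarding additionally requires
# net.ipv4.ip_forward=1, which this script does not set.

# Abort on the first failed iptables call and on any unset variable, so a
# partially applied ruleset is never persisted by `service iptables save`.
set -eu

IPT="/sbin/iptables"
IFACE_EXT="eth0"                            # external/upstream interface (NAT egress)
IFACE_LOC="lo"                              # loopback interface
LAN_NET="10.161.85.0/24"                    # internal network that is masqueraded
                                            # (the old literal 10.161.85.101/24 masks to this)
FWD_HOSTS="10.161.85.101 10.161.85.102"     # internal hosts allowed through FORWARD

# Flush all rules and delete user-defined chains in every table we touch.
for table in filter nat mangle; do
  $IPT -t "$table" -F
  $IPT -t "$table" -X
done

# Default policies: drop inbound and forwarded traffic unless a rule below
# allows it; outbound from this host is unrestricted.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# INPUT: replies to connections already tracked, plus anything on loopback.
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i "$IFACE_LOC" -j ACCEPT

# ICMP: all types, from any source.
$IPT -A INPUT -p icmp -j ACCEPT

# SSH: new connections on any interface from any source.  Uses the same
# conntrack match as the rules above (equivalent to `-m state --state NEW`).
# Add `-s <management-net>` here if SSH does not need to be reachable globally.
$IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Everything else inbound is actively rejected; with these three rules in
# place the INPUT DROP policy is effectively never reached.
$IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -j REJECT --reject-with icmp-proto-unreach

# FORWARD: only the listed internal hosts may originate or receive forwarded
# traffic.  Matching is by address only; no interface is checked, so address
# spoofing from other interfaces is not prevented here.
for host in $FWD_HOSTS; do
  $IPT -A FORWARD -s "$host/32" -j ACCEPT
  $IPT -A FORWARD -d "$host/32" -j ACCEPT
done
$IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# POSTROUTING: masquerade the internal network when it leaves via the
# external interface.  Only traffic admitted by FORWARD reaches this rule.
$IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$IFACE_EXT" -j MASQUERADE

# Persist and reload (RedHat iptables service).
/sbin/service iptables save
/sbin/service iptables restart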