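#!/bin/bash
# Rebuild the host firewall (filter + nat tables) from scratch and persist it.
#
# Network layout assumed by the rules (edit the constants to match the host):
#   LAN_IF (ens3) - LAN / management side, reached from LAN_NET
#   INT_IF (ens7) - internal side; INT_NET is masqueraded out through LAN_IF
# Must run as root.
set -euo pipefail

readonly LAN_IF=ens3
readonly INT_IF=ens7
readonly LAN_NET=192.168.254.0/24
readonly INT_NET=10.255.3.0/24
readonly MGMT_HOST=192.168.254.254
readonly SSH_PORT=22
readonly SSH_ALT_PORT=3388
readonly SAVE_FILE=/etc/sysconfig/iptables

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root"
command -v iptables >/dev/null || die "iptables not found"
command -v iptables-save >/dev/null || die "iptables-save not found"

# 1. clear rules (filter table)
iptables -F
iptables -X
iptables -Z

# 2. policy
# INPUT is set to DROP *before* the allow rules go in: if a later command fails
# the host is left closed rather than open, and set -e stops the script before
# the save step so the persisted file is never half-written.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# FORWARD is unrestricted. The MASQUERADE rule below only rewrites the source
# address of INT_NET; it does not limit what this host will route. Tighten this
# if the host should only forward traffic for INT_NET.
iptables -P FORWARD ACCEPT

# 3. INPUT rules
# iptables -A INPUT [-i ifname] [-s IP] [-d IP] [-p [tcp|udp] --sport PORT] \
#   [-p [tcp|udp] --dport PORT] [-j ACCEPT|REJECT|DROP]
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  # return traffic
iptables -A INPUT -p icmp -j ACCEPT                               # allow ping
iptables -A INPUT -i lo -j ACCEPT                                 # trust loopback
iptables -A INPUT -s "$MGMT_HOST" -j ACCEPT                       # management host, any port/proto
iptables -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT            # internal net, any port/proto
# SSH only from the LAN side. Connections to SSH_ALT_PORT are rewritten to
# SSH_PORT in nat/PREROUTING, which runs before filter/INPUT, so this single
# rule governs both ports.
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SSH_PORT" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # allow http
iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # allow https
iptables -A INPUT -j REJECT  # explicit reject (ICMP unreachable) rather than silent drop

# 3.5 NAT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -A PREROUTING -p tcp --dport "$SSH_ALT_PORT" -j REDIRECT --to-ports "$SSH_PORT"
iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$LAN_IF" -j MASQUERADE

# 4. save
# Dump into a temp file first so a failing iptables-save cannot truncate the
# existing persisted ruleset; replace it atomically once both tables are written.
tmp=$(mktemp "${SAVE_FILE}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
iptables-save -t filter > "$tmp"
iptables-save -t nat >> "$tmp"
mv -f -- "$tmp" "$SAVE_FILE"
trap - EXIT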